Report: AMD says Ryzenfall patches are on the way

Remember back in March when security firm CTS Labs appeared out of nowhere with news of a series of security vulnerabilities on AMD hardware? Regardless of questions about responsible disclosure or the origins of the company, the vulnerabilities are real. AMD responded a week later promising patches to mitigate the new attacks, but we haven't heard a peep since. As it turns out, we may just not have been listening in the right places. Tom's Hardware poked AMD about the firmware fixes, and this is what the company had to say:

Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC™ platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work.

As Tom's points out, the message is pretty vague and it doesn't contain news concerning consumer-class Ryzen hardware. Still, Epyc is most certainly the platform that needed addressing first. It's interesting to note that AMD says it has patches “in final testing” just over a month from being notified about the flaws despite CTS Labs' insistence that AMD could never have produced the patches in the usual 90 days. Kidding aside, these vulnerabilities are no joke. Ryzen owners should keep an eye out in the coming months for firmware patches.

Comments closed
    • HERETIC
    • 1 year ago

    And as one comes to an end-another begins-
    https://www.myce.com/news/researchers-find-new-spectre-like-critical-vulnerabilities-in-intel-processors-84203/

    • gamoniac
    • 1 year ago

    "As Tom's points out..." I have not been to Tom's since they auto-run that ultra annoying ray-tracing dinosaur clip on every page on their site. Are they still doing that?

    • albundy
    • 1 year ago

    ohhhhh rise and fall…i see what you did there.

      • willmore
      • 1 year ago

      Finally?

    • fyo
    • 1 year ago

    But, wait, CTS told me these flaws couldn’t be patched. Ever. And that’s why they HAD to release the details without warning AMD. Somehow also why they HAD to work with a company known for publishing BS and shorting companies.

    Remember their price target on AMD? Zero.

      • K-L-Waster
      • 1 year ago

      I hate to break this to ya, but… sometimes people lie.

        • Klimax
        • 1 year ago

        And sometimes they underestimate.

        It will be interesting to see final tally.

      • stefem
      • 1 year ago

      Sorry, no offence, but you failed to read AMD’s statement:
      "mitigating all of the CTS identified vulnerabilities on our EPYC™ platform as well as patches mitigating Chimera across all AMD platforms" They are talking about mitigation, not solution of vulnerabilities; those words do not have the same meaning, especially in IT security.

    • MOSFET
    • 1 year ago

    My virtual machine was named RyzenFall way before this. Hurumph.

      • MileageMayVary
      • 1 year ago

      Hey! I didn’t get a “hurumph” outta that guy!

        • CuttinHobo
        • 1 year ago

        Give the mayor a harrumph!

    • gerryg
    • 1 year ago

    I’m wondering how many days it will be until the CTS Labs vulnerability is patched and they are eradicated.

    • brucethemoose
    • 1 year ago

    The short didn’t really work out, did it? AMD stock is up since the vulnerability was announced, AFAIK.

    Then again, Spectre/Meltdown didn’t hit Intel that hard. Security vulnerabilities don’t spook the market as much as missing or beating some analyst’s earnings predictions, though I suppose it might impact enterprise sales numbers a bit.

      • chuckula
      • 1 year ago

      If having a security vulnerability meant that a tech company was going to have its stock price crash, then Microsoft, Apple, Adobe, Oracle, etc. etc. etc. wouldn’t exist.

    • JosiahBradley
    • 1 year ago

      The “vulnerabilities” still require admin access and are basically art at this point. CTS Labs should be sued out of existence for being a hacking shill corp. Irresponsible security is just as bad as hacking. Also, please stop using these silly names like Ryzenfall; this is completely different from Meltdown and Spectre, which are real vulnerabilities that can actually leak data and compromise a system remotely.

      • Questar
      • 1 year ago

      This would be used in a chained attack, you get admin through another vulnerability and then run this attack.

        • Takeshi7
        • 1 year ago

        But if you already have admin what do you need another vulnerability for?

          • brucethemoose
          • 1 year ago

          Even as an admin, AMD’s Secure Processor is not something you’re supposed to run arbitrary code on.

          • Questar
          • 1 year ago

          I probably phrased that wrong. Let’s go with privilege elevation.

          So you exploit a system with a privilege elevation attack, and then chain to this attack.

          The days of attackers using a single vulnerability are long gone.

          • TheRazorsEdge
          • 1 year ago

          Compromising the firmware gives you persistence. Eventually, the victim will realize they're hacked, the antivirus will have newer signatures, or the system will be reimaged for some reason. Now your malware is gone--unless you're hiding in the firmware. Ryzenfall provides full access to disk, network, and system memory. This sort of malware is invisible to the operating system. It can access all memory, including stored passwords or crypto keys, and antivirus cannot possibly detect it. This is next-level bad, and it is very stupid on the part of any hardware/firmware developer.

          • Aether
          • 1 year ago

          Persistent undetectable access.

      • gerryg
      • 1 year ago

      Ryzenfinger? RyzenEye? Ryzenraker?

        • chuckula
        • 1 year ago

        RyZen Say RyZen Again?
        RyZen and Let RyzEn?
        License to RyZen?

        and of course the classic:
        From RyZen with Love?

          • Shobai
          • 1 year ago

          Simplify to “Ryzen Let Ryzen” ?

            • Captain Ned
            • 1 year ago

            Mojo??

            • Mr Bill
            • 1 year ago

            Bad Moon?

          • Mr Bill
          • 1 year ago

          The RyZen Who Loved Me?
          For Your RyZen Only?
          RyZen Never Dies?
          The RyZen Daylights?
          The RyZen is Not Enough?
          RyZen Another Day?
          Quantum of RyZen?

      • LostCat
      • 1 year ago

      If nothing else, they helped secure machines. For that at least I salute them.
