
AMD confirms CTS Labs claimed vulnerabilities, patches are on their way in coming weeks (no performance impact)

Mugatu

Member
Didn't see this posted but I remember a lot of pushback saying all these were BS and either stock manipulation or paid for by competitors. Turns out it was true.



https://www.pcworld.com/article/326...l-be-fixed-soon-via-routine-bios-updates.html

https://www.amd.com/en/corporate/security-updates

I think more important is the letter from CTS Labs' CTO. Still not sure how I feel about the lack of notice to AMD, but I kind of see their point: I'd hate for tech to degenerate into the auto industry, where often recalls don't occur until individuals sue companies due to losses, so I sort of see his point.

https://safefirmware.com/CTO+Letter.pdf

Responsible Disclosure
I know this is an extremely heated topic for debate, where everyone has a strong opinion. Unfortunately, I also have a strong opinion on this topic.

I think that the current structure of “Responsible Disclosure” has a very serious problem. If a researcher finds a vulnerability, this model suggests that the researcher and the vendor work together to build mitigations, with some time limit (30/45/90 days), at the end of which the researcher will go out with the vulnerabilities. The time limit is meant to hasten the vendor to fix the issues.

The main problem in my eyes with this model is that during these 30/45/90 days, it’s up to the vendor if it wants to alert the customers that there is a problem. And as far as I’ve seen, it is extremely rare that the vendor will come out ahead of time notifying the customers – “We have problems that put you at risk, we’re working on it”. Almost always it’s post-factum – “We had problems, here’s the patch – no need to worry”.

The second problem is – if the vendor doesn’t fix it in time – what then? The researcher goes public? With the technical details and exploits? Putting customers at risk? How we have accepted this mode of operation is beyond me, that researchers advertise at the end of the time limit the technical details of the vulnerabilities “because” the vendor didn’t respond. Why should the customers pay for the vendor’s lack of actions? I understand – this is the model today and people follow suit, but I think we can do better.

I think that a better way would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together. And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk.

This model has a huge problem: how can you convince the public you are telling the truth without the technical details? And we have been paying that price of disbelief in the past 24h. The solution we came up with is a third party validation, like the one we did with Dan from trailofbits. In retrospect, we would have done this with 5 third party validators to remove any doubts. A lesson for next time.

Makariel

Member
True or not, the way they presented the findings sounded like the "ranting of a lunatic" ((c) GamersNexus for that quote), and the criticism of responsible disclosure is BS in my opinion. The reason for the 30/45/90 days is so that the companies have time to patch before the vulnerabilities can be used for nefarious purposes. Calling the press before notifying the company is just bad form, and CTS being shy about disclosing potential financial benefit as a result of this release doesn't help.