News AMD Chipset Vulnerability Leaks Passwords, Patch Available

Understood but the difference in our bios is most likely why you see a difference on your x570 board. And why not go straight to Zen 3 for your upgrade instead of going to zen 2?
Updated BIOS to the latest (4021) and Device Manager still shows AMD PSP 3.0 Device instead of AMD PSP 11.0 Device.
Is this because I am running a 2700X CPU instead of a Zen2 or Zen3 CPU?
I know the PSP device is on the CPU die, right?
 
AMD Ryzen CPUs are indeed far, far less vulnerable than Intel's latest to date--they require a tiny fraction of the firmware and OS microcode patches of current Intel CPUs. No bias here--just fact. Hopefully when Intel decides to ship Alder Lake most of those will have been resolved. It seems like people start repeating the same old "vulnerabilities" for Ryzen/Epyc in order to create the appearance of AMD vulnerabilities that aren't actually there...I've seen this story twice now on Tom's. So, Caveat Emptor...;)
It's because people don't poke at AMD processors as much as they poke at Intel's. That's probably changing, but finding security vulnerabilities doesn't happen overnight.

Also fun fact, if you go to the CVE listings website and look up "windows 10", you'll find it has a smaller list than if you look up "linux" from 2015 and on. I guess we shouldn't use Linux if there's so many vulnerabilities eh? ;)
 

waltc3

Reputable
Aug 4, 2019
423
226
5,060
If you are truly unbiased, then you also have to acknowledge that practically all blockbuster Intel flaws have next to no practical application in the real-world. The fixes are only relevant to places that need ultra-secure servers where even a remote chance of known potential exploit getting used no matter how low the chance of success before getting detected might be isn't an option.

The fact that I guess is deliberately missed by people trying to pretend that the Windows microcode patching Intel has done for its current CPUs simply isn't important is this: AMD's Ryzen and Epyc CPU architectures are, compared to Intel's existing architectures, practically brand new--even though they are already years old. That's why there's this huge security-hole difference between the CPUs made by the two companies--when AMD designed Ryzen/Epyc they also designed the CPUs for security from the ground up--so they are very, very fast as well as very, very secure contrasted with Intel's current CPU offerings which all in some fashion or other borrow from previous Intel architectures of the past--warts and all. What I meant in the original post about Alder Lake is that maybe when Intel finally ships its first brand-new, ground-up architecture CPUs--maybe Intel will find itself in the same boat! It stands to reason that Intel would do exactly as AMD has done and along with designing new CPUs would take care of the security holes, too, at the same time. I would be very surprised if Intel chose to bring along a bunch of baggage from the past when there's no reason to do so.

The only thing I can say about CPU flaws, wherever they may occur, is that if either Intel or AMD truly believed such flaws had no practical application in the real world then neither company would bother patching them because there'd be no real-world, practical reason to do so...
 

waltc3

It's because people don't poke at AMD processors as much as they poke at Intel's. That's probably changing, but finding security vulnerabilities doesn't happen overnight.

Also fun fact, if you go to the CVE listings website and look up "windows 10", you'll find it has a smaller list than if you look up "linux" from 2015 and on. I guess we shouldn't use Linux if there's so many vulnerabilities eh? ;)
I wouldn't say that--I'd say, don't use Intel if security is on your mind...;)
 

USAFRet

Titan
Moderator
I wouldn't say that--I'd say, don't use Intel if security is on your mind...;)
And what specific vulns are attributed to Intel vs AMD?
Spectre/Meltdown?

After worldwide discovery and info, there was a full 3 years before any exploit was seen in the wild.
Of course, patches were published long long before that.

Or did you mean something else?
 

Chung Leong

Reputable
Dec 6, 2019
494
193
4,860
At some point we need OSes with micro-kernel architecture. Letting hardware companies run code at the highest privilege level is really kinda insane. I mean, they aren't attracting the brightest and best programmers. Computers nowadays are fast enough that the performance penalty isn't noticeable. I'm sure the average user loses way more productivity from the constant stream of updates that has somehow become the norm.
 

waltc3

And what specific vulns are attributed to Intel vs AMD?
Spectre/Meltdown?

After worldwide discovery and info, there was a full 3 years before any exploit was seen in the wild.
Of course, patches were published long long before that.

Or did you mean something else?

Look, guy, if you want to pretend all those OS microcode patches aren't there, for holes carried forth from much older Intel architectures, then I don't have a problem with your personal beliefs and/or rationalizations. I'm not buying it...but I'm not putting you down for what you choose to believe. I think that the fact that Intel bothers to patch these holes is proof that the company doesn't share your point of view--there are holes that neither Intel nor AMD think are important enough to patch, and so they don't patch them. I'm pretty sure that these companies only do security patching where they believe it to be practically necessary.
 

USAFRet

Look, guy, if you want to pretend all those OS microcode patches aren't there, for holes carried forth from much older Intel architectures, then I don't have a problem with your personal beliefs and/or rationalizations. I'm not buying it...but I'm not putting you down for what you choose to believe. I think that the fact that Intel bothers to patch these holes is proof that the company doesn't share your point of view--there are holes that neither Intel nor AMD think are important enough to patch, and so they don't patch them. I'm pretty sure that these companies only do security patching where they believe it to be practically necessary.
No, I KNOW they are there. These patches exist.

Completely not sure what you're getting at.

Are there other vulnerabilities that have not been patched, or even discovered? Almost definitely, yes.
On both platforms.
 
I wouldn't say that--I'd say, don't use Intel if security is on your mind...;)
I've said this numerous times but when it comes to security, what you know is much more important than what you don't know. We don't know a lot about AMD processors or its platforms as much as we do about Intel's. Yes, there are a bunch of vulnerabilities against Intel, but:
  • If I'm planning a new system, I'm going to get the latest version anyway. So it's likely those vulnerabilities are a non-issue now.
  • Even if the hardware is still affected by the vulnerability, the fact it has a CVE listing means it's been studied extensively enough that there are mitigations in place.
  • If anything, we can also figure out if any of those vulnerabilities have had a practical exploit. And by practical, I mean a script kiddie can exploit it. If it takes state sponsored hackers to exploit it, well I'm already hosed if I'm targeted by a state sponsored hacker.
The only reason why companies are building servers with AMD products isn't necessarily because AMD is safer. It's because AMD offers a more efficient platform. Any security it has is largely due to obscurity, and one of the bigger points of evidence to this is the fact that AMD still hasn't disclosed how their PSP works. If a company really wants to create a secure environment, they likely wouldn't use any x86 platform. They'll probably roll out a bespoke ARM or RISC-V system at this point.

I'm sure the average user loses way more productivity from the constant stream of updates that has somehow become the norm.
That constant stream of updates isn't going to stop anyway. Sure, a micro-kernel OS would allow an online-update without restarting, but there are ways around that. I'm pretty sure macOS has a feature where if you have to reboot, you don't actually lose your desktop session. But nothing like that exists on Windows, or at least nothing to a degree where you can pick up where you left off.