News AMD discloses slew of high severity security vulnerabilities for Zen CPUs that attack BIOS chips — updates aim to patch bugs, finally fix Zenbleed

Status
Not open for further replies.

Sleepy_Hollowed

Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?

If not, could someone more knowledgeable on this type of thing give an example scenario of how an unsuspecting user could fall victim to one of these vulnerabilities?
No, if you read the article, Zenbleed for example, which is fixed with these, is completely possible to do remotely.
 

passivecool

Wondering the same thing. I generally don't like to update my BIOS if I don't need to, so I'd like to know if I really should or not.
Because if the hacker has to physically be sitting at my PC, here in my bedroom, then I've got much bigger problems to worry about than being hacked.
Hacker would also require a patch: on the back of their head.
 

torbjorn.lindgren

Are these the type of "vulnerabilities" where an attacker basically needs to already have access to your system to take advantage of them?

If not, could someone more knowledgeable on this type of thing give an example scenario of how an unsuspecting user could fall victim to one of these vulnerabilities?
It's very useful for attackers to be able to step up from "run program as non-privileged user" to "can install root kit" or in one case it looks like it can likely be used to install a root kit in UEFI/BIOS where it survives even a "rip out SSD, install new, install new OS". We're talking "buy new motherboard" level!

MOST serious attacks consist of a chain of different vulnerabilities and the early ones are far more numerous, so finding a "severe local" vulnerability like these is often the key to making a successful attack rather than just a CVE entry.

Since it requires the program to run locally there's a significant threshold to be able to exploit it, but it's very important since it converts a bad situation into potentially "I hope you had up to date backups, and are willing to buy some new hardware".

It's also a big problem even without any other exploits in many Corporate scenarios where the user often doesn't have much access to the machine, the IT department installs and manages all software on the machine. Think banking or the financial sector for the most extreme examples.
 
Once upon a time BIOS updates were as rare as hen's teeth and only then done to enable some additional functionality. I seem to recall overcoming HDD capacity limits being one such reason.

These days BIOS updates should be regarded as somewhat analogous to Microsoft's patch Tuesdays. It's not 1995 any more; sitting on an old BIOS version might not be the smart play.
 
Breaking News: Hackers can physically access your computer locally if you invite them into your home and give them your password willingly.

Computer manufacturers have issued a mitigation requiring users to answer a Captcha correctly after password entry.

More breaking news: Captcha has determined computer owners to be hackers after widespread failure to identify the tiles in a picture of the ocean surface that contain submerged submarines.
Brilliant :ROFLMAO: Love it!
 

Pierce2623

Wondering the same thing. I generally don't like to update my BIOS if I don't need to, so I'd like to know if I really should or not.
Because if the hacker has to physically be sitting at my PC, here in my bedroom, then I've got much bigger problems to worry about than being hacked.
Exactly. Nobody has access to my system (even wifey doesn’t even care to know the password). Why would I do this knowing I’ll probably be giving up performance and introducing some sort of micro stutter like these fixes always seem to do in games?
 

Pierce2623

Once upon a time BIOS updates were as rare as hen's teeth and only then done to enable some additional functionality. I seem to recall overcoming HDD capacity limits being one such reason.

These days BIOS updates should be regarded as somewhat analogous to Microsoft's patch Tuesdays. It's not 1995 any more; sitting on an old BIOS version might not be the smart play.
I disagree. Both AMD and Intel have gotten to where these mitigations ALWAYS cost performance. Nobody has physical access to my machine but me. I’m completely safe.
 

snemarch

I disagree. Both AMD and Intel have gotten to where these mitigations ALWAYS cost performance. Nobody has physical access to my machine but me. I’m completely safe.
Mitigating flaws like Meltdown and Spectre tends to come with performance penalties; flaws in the write protection of UEFI flash probably won't.

It doesn't sound like physical access is needed – as I mentioned earlier, at least one of the flaws just requires local code execution with administrative privileges. There are several ways to achieve that without physical access :)
 

TJ Hooker

Yeah, my understanding is that the trend of mitigations resulting in performance hits is because most of the high profile vulnerabilities in the last while (starting with Spectre/Meltdown, IIRC) related to speculative execution. Effective speculative execution plays a significant part in IPC/performance, so changing that behavior was much more likely to negatively impact performance.

These new AMD vulnerabilities don't seem to be related to speculative execution though, and therefore their mitigations shouldn't be assumed to have similar performance penalties as those for Spectre and co.
 