News New AMD Side Channel Attacks Discovered, Impacts Zen Architecture

[JamesSneed]

They did have to modify the kernel to pull this off. So sure its a vulnerability but in the real world has virtually no application.

 

[GetSmart]

If this vulnerability can be exploited via Javascript in browsers then physical access is not required. Just a visit to a malicious website will do, in other words can be remote access. Also the funding has been explained in Toms Hardware's own article. The researchers are the same ones who discovered multiple Intel vulnerabilities like Meltdown.

 

[AlistairAB]

I mean look at these AMD individuals response....it seem likes they saying "at least better than Intel security flaws"..."Intel is worst"....."Intel paid security researchers to find AMD security flaws"....."amd is less affected because it popular". I swear you see these on forums and hardware articles soon.

What matter is? AMD had 90 days+ to fix and nothing. After Ryzen releases, AMD officials say they the up most best security out there (this right after multiple intel security issue discoveries). These are 2 security issue on AMD products that are major because it much simpler to hack more than all Intel Security issue.

You're ranting about this stuff, it says right in the article that this "exploit" requires the use of previous "exploits" that were patched and are not a risk.

 

[GetSmart]

Looking at the Take Away paper, if the author is already proposing countermeasures then these exploits have not been patched yet.

 

[joeblowsmynose]

And how many comments have we seen in the last couple of years with:
"I'll never buy Intel again because of these vulnerabilities!" Spectre, Metldown, etc.
...

In total, I have seen zero of those. Feel free to point some out.

I don't think anyone really cares much about spectre vulnerabilities anyway, in both camps. Its just way too hard to exploit and if someone has their sights set on you so bad that its worth it to them, you probably have other more concerning issues to deal with.

A side note ... haha look at the trolls come running out to comment ... hilarious. Like they've just been waiting for months and months and saving up emotional vomit in hopes of seeing another AMD vulnerability? ... good Sunday afternoon entertainment at least.

 

[USAFRet]

In total, I have seen zero of those. Feel free to point some out.

I don't think anyone really cares much about spectre vulnerabilities anyway, in both camps. Its just way too hard to exploit and if someone has their sights set on you so bad that its worth it to them, you probably have other more concerning issues to deal with.

I'm not going to search around, but yes...I've seen some fanboys with that mindset.
But they were probably anti-Intel fanboys before...lol

And I agree with you about the difficulty of exploiting these.
I've yet to see any evidence of a system in the wild actually being exploited via one of these microcode issues.

 

[drea.drechsler]

A

For those of you who thought Intel's were the only processors researched for bugs.

Yeah just stop picking on poor Intel. Although, it may be getting downright boring... anybody seen this one?

https://www.techspot.com/news/84282...lity-allows-hackers-break-encryption-drm.html

 

[joeblowsmynose]

I'm not going to search around, but yes...I've seen some fanboys with that mindset.
...

Likely just trolls; mind them no heed.

 

[jkflipflop98]

Intels largest R+D base is in Israel.

That isn't true. Our biggest R&D facility by far is here in sunny Hillsboro, Oregon.

 

[SkyBill40]

I'm honestly surprised that some of the posts in here haven't been scrubbed for being unproductive and unnecessarily inflammatory for no other purpose than just being argumentative.

Seriously, guys. Keep it on point and legit... or don't comment at all. There's no point in posting trash unless you're working on inflating your post count.

 

[valeman2012]

Counterpoint:
"too many intel fanboys"

too many intel fanboys

so this is a real problem. There are a lot of people who will recommend an expensive intel CPU when there are perfectly decent AMD ones that will do better whilst being cheaper.I am neutral about processors,but I will say one thing. AMD wrecks face (pardon the expression) at lower budget CPUs...

forums.tomshardware.com

There really no Intel fanboys when comes to AMD related articles, but there are loads of AMD users followed what AMD say in the past very closely.

Intel users are still enjoying they gaming performance.

AMD should stop focusing on getting people excited with low prices and other antics. AMD like to plays "downplays". Focus on better security just like Intel. It pretty simple.

 

[techy1966]

Lets face it all of these so called exploits which will never happen in the real world because lets face it most of the guys that write exploits are not smart enough to know the inner workings of a CPU but yet these researchers keep on spewing out exploits they have found and then review sites say things like of a flaw was found etc etc.

When they say things like we reverse engineered this or that and wrote code to try to exploit the CPU I just laugh and think yea yea all they are worried about is job security and getting more funding.

Here is something to think about I turned off all of the securuty patches MS has pushed onto our systems to fight somehting that is never gonna happen but all of those patches do tend to slow your system down. Anyway with that said my system is fast and virus and exploit free. I handle my own security by doing my own scans on the system and know everything is fine.

As I said all of these researcher care about is getting their names splashed all over the web and securing more funding and to make sure they made their jobs secure. Also as I said 99% of the malware code writers out there have very little if any clue on the inner workings of a CPU let alone make code to exploit these functions. If these researcher were to shut up about it no one including the exploiters would have a clue that there were parts of the CPU exploitable like this. Better yet maybe all of the web sites that post on these found exploits just refuse to write about it then maybe these researchers would have no outlet to make them famous to the world. Just my opinion even though it was rather long winded.

 

[sin43k]

Researchers have got it running in javascript and the code will normally be on github. Hopefully this is patch-able and won't hit performance too much. Paper here, https://mlq.me/download/takeaway.pdf

Thanks!

 

[Ninjawithagun]

And to no surprise, most people commenting here didn't read the entire article, especially the fine print. Bottom line, these vulnerabilities are nothing compared to those that were found on the Intel CPUs. Only fragments of meta data can be collected from the vulnerabilities of the AMD CPUs, which doesn't mean much compared to the full access vulnerabilities of the Intel CPUs. Nice try by Intel to destroy the reputation of AMD, but it won't work. And yet, I'm a consumer that owns two gaming systems; one with an AMD CPU and one with an Intel CPU. These vulnerabilities don't mean squat to me. I game, nothing more, nothing less. What are they going to do, steal and exploit my game saves? LMAO!

 

[SHaines]

Please keep our forums rules in mind when posting. It's definitely possible to express concerns about the severity of an issue with attacking other forum users with insults and name calling.

 

[Rogue Leader]

Why are the original article and research funded by Intel? And why aren't all Ryzen CPUs affected like 1800X and 3800X?

This article doesn't seem solid. Look at facebook comments about this article, its funded by Intel and apparently you need physical access to exploit the PC so it not a security risk for home users.

Let me post this for everyone to see because this seems to be a continual comment. This issue is literally addressed IN THE ARTICLE. If you are going to comment here at least read the article

However, as spotted by Hardware Unboxed, the paper also says that "Additional funding was provided by generous gifts from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties."

This has, of course, generated plenty of attention, but it is noteworthy that the study's Intel-funded co-authors have also disclosed Intel vulnerabilities in the past (10 on Intel, including Spectre, Meltdown, and Zombieload, three on ARM, two on AMD, and one on IBM). The lead researcher also responded on Twitter, disclosing that Intel funds some of its students and the university fully discloses the sources of its funding. He also noted that Intel doesn't restrict the universities' academic freedom and independence, and that Intel has funded the program for two years.

Intel has disclosed, as recently as two weeks ago, that it funds research into product security and also awards prizes to researchers for finding holes in its architectures (Intel Bug Bounty program PDF), so this doesn't appear to be a case of Intel directly funding research against its competitor. The paper also engages in responsible disclosure of its funding sources, which makes any nefarious intent questionable. To cover the bases, we've also reached out to Intel for comment on the matter. According to the paper, Intel has already patched a similar vulnerability in its processors.

Continual accusations that Tom's Hardware was somehow paid off to write this article will be eliminated.

 

[robwright]

this is a specter style attack, which means it requires physical access to the computer, adjustments to the bios and administrative passwords to work.

In short it's a nothing burger. that's not to say AMD isn't vulnerable to security risks, but this one is a whole lot of nothing. because if someone has that much access to the computer, they don't need a virus.

It's quite literally NOT a Spectre attack. See the Tweet below from one of the researchers:

https://twitter.com/x/status/1236426596522831872

View: https://twitter.com/misc0110/status/1236426596522831872?s=20


Also, and more importantly, nowhere in the white paper does it mention that physical access to a victim's system is required. In fact, the attack scenarios in the paper describe the opposite -- they use Javascript in browsers to break ASLR, which is arguably the most serious attack scenario.

 

[robwright]

There are ZERO real world exploits for any of the vulnerabilities - they are lab tests and are not exploitable in the wild... it's not like it's a piece of malware. This goes for Intel and AMD. If you allow someone unfettered physical access to your server in the real world - you need to look for another job.

Why are people mischaracterizing these attacks as needing physical access? They don't. Nowhere in the article, or -- more importantly -- the research paper does it say that physical access is required. So where are people getting this from?

And no, the attacks aren't "lab tests." They are very much exploitable.

 

[joeblowsmynose]

AMD should stop focusing on getting people excited with low prices and other antics.

... there's literally only one type of person who would be disappointed enough with competitor's lower price and greatly better price/performance ratio, to call it an "antic" ... only one label is appropriate for this ... only one, and it starts with an "F" and ends with a "anboi" ...

Come'on man ... Good pricing on a product is an "antic"? Don't be ludicrous.

 

[King_V]

Its alarming and i betting these amd individuals would say "this discovery was paid by Intel" on community forums in order to cover their major disappointment of being wrong.

This statement is trolling, and has no place in this discussion.

 

[joeblowsmynose]

If this vulnerability can be exploited via Javascript in browsers then physical access is not required. Just a visit to a malicious website will do, in other words can be remote access. Also the funding has been explained in Toms Hardware's own article. The researchers are the same ones who discovered multiple Intel vulnerabilities like Meltdown.

The researchers referred to Intel "gifts" that "funded" the research. At the same time, who cares if Intel "incentivizes" researcher to try to find things with AMD or ARM processors .... ?

As long as no one tries to emulate the CTS labs / Viceroy scandal, and no one is making up blatant lies about these things, then the net end result will be more secure processors for everyone. Who doesn't want more secure processors across the board?

Most of these exploits (including Intel's) are so hard to use anyway (compared to other methods), that the "hacker" would likely only try it as a last resort and the motivation they have of trying to get something would have to be so high that its likely that these people know you, and you are being targeted for some specific purpose, which means you probably have bigger problems.

The only people who really need to care are major data centers, and they'll apply the needed patches, and no one else will, just like has been happening for years ... nothing much has changed.

 

[joeblowsmynose]

... or perhaps they doing these things on purpose. Who knows

In light of that statement, I do find it interesting that the US gov't has given Intel almost 4 billion dollars in financial "support". We all know Intel barely makes any money, so I guess the government was just trying to ... wait, that's not right, Intel makes billions and billions and billions.

Why did the US government give them that huge amount of cash? "Look here son, we're gonna need some backdoors, see? Here's a little incentive to get you started ..." Just a thought, but who really knows for sure?

 

[King_V]

In light of that statement, I do find it interesting that the US gov't has given Intel almost 4 billion dollars in financial "support". We all know Intel barely makes any money, so I guess the government was just trying to ... wait, that's not right, Intel makes billions and billions and billions.

Why did the US government give them that huge amount of cash? "Look here son, we're gonna need some backdoors, see? Here's a little incentive to get you started ..." Just a thought, but who really knows for sure?

I'm not sure that I put a huge amount of stock in the second paragraph, just because, the way things are in the US, "Intel makes billions and billions and billions" is just about all the incentive needed to just hand them more money.

 

[joeblowsmynose]

I'm not sure that I put a huge amount of stock in the second paragraph, just because, the way things are in the US, "Intel makes billions and billions and billions" is just about all the incentive needed to just hand them more money.

You mean the "rich" usually are the ones that end up with the handouts? Lol ... yeah it sure seems that way.

There has to be proper motivation though ... Shell (the oil company) and Alcoa (the aluminum company) are also stinkin' rich and also received US gov't money ... it all does seem a bit odd ...

 

[King_V]

You mean the "rich" usually are the ones that end up with the handouts? Lol ... yeah it sure seems that way.

There has to be proper motivation though ... Shell (the oil company) and Alcoa (the aluminum company) are also stinkin' rich and also received US gov't money ... it all does seem a bit odd ...

Sure, there's plenty of motivation: "We'll make some very large contributions to your . . ahem . . campaign . . and if you make sure certain large sums come to us, we will make it very worth your while in further . . ahem . . contributions."