13 flaws found in AMD processors, AMD given little warning

It’s probably a good thing AMD didn’t rub Intel’s nose in the Meltdown and Spectre flaws too much because boy, would it have a doozy of a payback coming to it. A security firm in Israel has found 13 critical vulnerabilities spread across four separate classes that affect AMD’s hot new Ryzen desktop and Epyc server processors.

However, the handling of the disclosure is getting a lot of attention, and none of it good. The company, CTS-Labs of Israel, gave AMD just 24 hours’ notice of its plans to disclose the vulnerabilities. Typically companies get 90 days to get their arms around a problem, and Google, which unearthed Meltdown, gave Intel six months.

Yet CTS-Labs went to the trouble of setting up a dedicated website, AMDFlaws.com, to host its findings and white papers. Mind you, there isn’t much in the way of supporting evidence, just claims, and no independent verification. Its white paper is replete with disclaimers, like this:

The report and all statements contained herein are opinions of CTS and are not statements of fact. To the best of our ability and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable. Our opinions are held in good faith, and we have based them upon publicly available facts and evidence collected and analyzed, which we set out in our research report to support our opinions. We conducted research and analysis based on public information in a manner that any person could have done if they had been interested in doing so. You can publicly access any piece of evidence cited in this report or that we relied on to write this report.  Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports.  Any other organizations named in this website have not confirmed the accuracy or determined the adequacy of its contents.

The result is CTS-Labs is getting roasted on Twitter, and rightfully so. The veracity of its claims will be proven in the coming days. Most everyone agrees, though, that CTS-Labs’ handling of the matter was awful.
