GALAX HOF Pro PCIe 4.0 NVMe review
How to: Firmware Update the AMD Radeon RX 5600 XT
MSI Radeon RX 5600 XT Gaming Z review
Sapphire Pulse Radeon RX 5600 XT OC review
ASUS STRIX Radeon RX 5600 XT TOP review
Gigabyte Radeon RX 5600 XT Gaming OC review
Arctic Liquid Freezer II 280 liquid cooler review
Promo: Windows 10 Pro licenses for under 10 USD
Team Group MP33 NVMe 512 GB SSD Review
ADATA SE800 1TB Portable SSD review
AMD has readied patches against MasterKey, Fallout, and Chimera vulnerabilities
AMD has finished up its patches for vulnerabilities that security company CTS Labs announced last month. The chip designer reports that the updates for, among others, Epyc chips are in the final phase of testing and should become available next month through a Firmware patch.
CTS Labs announced the bugs unexpectedly and without any warning a while ago, according to the security company, it would take many months to close the vulnerabilities. CTS recently once more contacted Toms Hardware to 'express their concern about the lack of updates from AMD regarding these vulnerabilities'. The company said it believed many of the vulnerabilities 'would take months to fix'. One of them, Chimera, would even require a hardware change.
According to AMD we can expect updates this month, AMD has explained to Tom's Hardware. Ecosystem partners should already have the new patches for internal testing with this response:
Within approximately 30 days of being notified by CTS Labs, AMD released patches to our ecosystem partners mitigating all of the CTS identified vulnerabilities on our EPYC platform as well as patches mitigating Chimera across all AMD platforms. These patches are in final testing with our ecosystem partners in advance of being released publicly. We remain on track to begin releasing patches to our ecosystem partners for the other products identified in the report this month. We expect these patches to be released publicly as our ecosystem partners complete their validation work.
Let us again reiterate, the vulnerabilities within the AMD systems require admin privileges and for most things, physical access to the hardware to modify things, thus a local exploit in a context where Admin Access Rights are needed.
Meanwhile, CTS labs pushed another document full of accusations, released May 1st this month (there's not a single word on Intel recent or upcoming Vulnerabilities on their websites, of course):
AMD has lowered Radeon 6850 pricing in the EU - 08/10/2011 08:47 AM
AMD has decided to lower the pricing for Radeon HD 6850 based graphics cards, which now have an MSRP of 129
AMD has 10-core CPUs in the pipeline - 07/26/2011 09:28 AM
Lots of processor nes the past few days alright, a new roadmap leaked which shows that AMD is planning 10-core processors for consumers, they are planned for 2012 already. The processors are part of ...
AMD has over 800.000 DX11 class GPUs shipped - 12/16/2009 05:16 AM
Interesting story over at Xbitlabs today. They claim that Advanced Micro Devices, said on Monday that it had shipped over 800 thousand of graphics processing units (GPUs) that support DirectX 11 appli...
Vananovion
Member
Posts: 89
Joined: 2017-08-31
Member
Posts: 89
Joined: 2017-08-31
#5543774 Posted on: 05/04/2018 08:53 AM
Is there still anyone who thinks this "security" company is concerned about anyones security? This was shady from the start and this kind of pestering and language only reinforces my doubts, even though the vulnerabilities are legitimate (but still quite useless for a potential attacker).
Kudos to AMD for handling this with grace.
Is there still anyone who thinks this "security" company is concerned about anyones security? This was shady from the start and this kind of pestering and language only reinforces my doubts, even though the vulnerabilities are legitimate (but still quite useless for a potential attacker).
Kudos to AMD for handling this with grace.
kd7
Senior Member
Posts: 151
Joined: 2014-03-22
Senior Member
Posts: 151
Joined: 2014-03-22
#5543781 Posted on: 05/04/2018 09:28 AM
LOL since when is secure encryption considered "security through obscurity"? And a "security" citing wikipedia articles? LOOOOL
LOL since when is secure encryption considered "security through obscurity"? And a "security" citing wikipedia articles? LOOOOL
jose2016
Member
Posts: 54
Joined: 2016-12-31
Member
Posts: 54
Joined: 2016-12-31
#5543782 Posted on: 05/04/2018 09:28 AM
I completely agree. #1 and #2
I completely agree. #1 and #2
386SX
Senior Member
Posts: 661
Joined: 2017-06-26
Senior Member
Posts: 661
Joined: 2017-06-26
#5543786 Posted on: 05/04/2018 09:56 AM
What does "CTS" stand for?:
Catch The Sperm
(It's a PC game btw.!)
I cannot hear it anymore TBH. CTS here, CTS there. Publishing a 0-day without notifiying the vendor first, adding pressure and false accusations, bragging about the vendor is "not able to fix it in several weeks (as we said)" and so on.
1.) When came the point where you are able to define exactly how long "several weeks" are? Several weeks could be 50 weeks and still would be "in time". It's like "I need some time.". This doesn't specify exactly in what time neither. "Some time" could be 5 minutes, it could be 50 years.
2.) The behaviour (0-day, pressure, etc.) rings a lot of bells in my head, but not in the way I think of a "security researcher" or "security professional", that goes more in the direction "blackhat", "unethical" or at last "attention w*ore".
AMD did nothing wrong here (at least I am unable to see any wrongdoing).
Bullsh!t-bingo at its finest!
Btw.: Could you call this "cyber mobbing"? All indicators of classical mobbing are there: it happens not only once and over a (meanwhile) long period of time; it is only meant to destroy the reputation of one (usually individual, this time a company); false accusations and other unehtical methods are used to fulfil the goal, etc. etc. => sounds like mobbing to me.
What do you guys think?
What does "CTS" stand for?:
Catch The Sperm
(It's a PC game btw.!)
I cannot hear it anymore TBH. CTS here, CTS there. Publishing a 0-day without notifiying the vendor first, adding pressure and false accusations, bragging about the vendor is "not able to fix it in several weeks (as we said)" and so on.
1.) When came the point where you are able to define exactly how long "several weeks" are? Several weeks could be 50 weeks and still would be "in time". It's like "I need some time.". This doesn't specify exactly in what time neither. "Some time" could be 5 minutes, it could be 50 years.
2.) The behaviour (0-day, pressure, etc.) rings a lot of bells in my head, but not in the way I think of a "security researcher" or "security professional", that goes more in the direction "blackhat", "unethical" or at last "attention w*ore".
AMD did nothing wrong here (at least I am unable to see any wrongdoing).
Bullsh!t-bingo at its finest!
Btw.: Could you call this "cyber mobbing"? All indicators of classical mobbing are there: it happens not only once and over a (meanwhile) long period of time; it is only meant to destroy the reputation of one (usually individual, this time a company); false accusations and other unehtical methods are used to fulfil the goal, etc. etc. => sounds like mobbing to me.
What do you guys think?
Kaarme
Senior Member
Posts: 1757
Joined: 2013-03-10
Senior Member
Posts: 1757
Joined: 2013-03-10
#5543795 Posted on: 05/04/2018 10:53 AM
I'm surprised this CTS Labs even exists anymore. The folks behind it had apparently used various front company names to pull off stock market and other tricks in the past as well. I reckon this case targeting AMD is their biggest heist so far, and they aren't sure when to stop. Probably they didn't manage to make as much money as they hoped when they first published these "shocking vulnerabilities". I'm not sure even Intel would deign to deal with these small-time crooks. Intel bosses might feel like there's no soap so strong it the world that they could ever wash the stench off if they shook hands these CTS Labs people.
I'm surprised this CTS Labs even exists anymore. The folks behind it had apparently used various front company names to pull off stock market and other tricks in the past as well. I reckon this case targeting AMD is their biggest heist so far, and they aren't sure when to stop. Probably they didn't manage to make as much money as they hoped when they first published these "shocking vulnerabilities". I'm not sure even Intel would deign to deal with these small-time crooks. Intel bosses might feel like there's no soap so strong it the world that they could ever wash the stench off if they shook hands these CTS Labs people.
Fox2232
Senior Member
Posts: 9864
Joined: 2012-07-20
Senior Member
Posts: 9864
Joined: 2012-07-20
#5543802 Posted on: 05/04/2018 12:04 PM
If only they were less stupid... Again, all they want it this being discussed in earnings call. All they care about is panic money.
If only they were less stupid... Again, all they want it this being discussed in earnings call. All they care about is panic money.
AsiJu
Senior Member
Posts: 5878
Joined: 2010-10-16
Senior Member
Posts: 5878
Joined: 2010-10-16
#5543804 Posted on: 05/04/2018 12:15 PM
What, CTS Labs is still there?
Also gotta love this:
AMD:
"... as well as patches mitigating Chimera across all AMD platforms..."
CTS Labs:
"... CHIMERA cannot be directly fixed..."
also as pointed out above any "security" company citing Wikipedia articles as reference loses all credibility.
Last, I really fail to see the point of that document. They accuse AMD of not releasing patches, in a couple of weeks, for vulnerabilities they themselves said would take months to fix?
AMD should sue those mofos for all they're worth.
What, CTS Labs is still there?
Also gotta love this:
AMD:
"... as well as patches mitigating Chimera across all AMD platforms..."
CTS Labs:
"... CHIMERA cannot be directly fixed..."
also as pointed out above any "security" company citing Wikipedia articles as reference loses all credibility.
Last, I really fail to see the point of that document. They accuse AMD of not releasing patches, in a couple of weeks, for vulnerabilities they themselves said would take months to fix?
AMD should sue those mofos for all they're worth.
airbud7
Senior Member
Posts: 7662
Joined: 2011-07-20
Senior Member
Posts: 7662
Joined: 2011-07-20
#5543809 Posted on: 05/04/2018 12:45 PM
"The vulnerabilities within the AMD systems require admin privileges and for most things, physical access to the hardware to modify things"
So...
If a hacker comes knocking on your door holding a thumb drive...Kick him in the n*tz!
"The vulnerabilities within the AMD systems require admin privileges and for most things, physical access to the hardware to modify things"
So...
If a hacker comes knocking on your door holding a thumb drive...Kick him in the n*tz!
Sempaii
Senior Member
Posts: 106
Joined: 2014-10-16
Senior Member
Posts: 106
Joined: 2014-10-16
#5543820 Posted on: 05/04/2018 01:29 PM
Dare i ask why they even get there words on the page ;-)
Smells alot !
Dare i ask why they even get there words on the page ;-)
Smells alot !
Vmhasegawa
Member
Posts: 33
Joined: 2015-09-10
Member
Posts: 33
Joined: 2015-09-10
#5543839 Posted on: 05/04/2018 02:32 PM
Wow. Just... Wow. I mean, with Spectre and Meltdown we've seen just long it took for both Intel and AMD to release the patches (plus the mess Intel had with it's patches earlier that had to be halted).
So not only they don't give a heads up about the "issues", but 6 weeks after disclosing "serious" and "dangerous" "threats" that would take months to fix, (and yeah, quote marks for each and every one of those words) they expect the patches to be ready and deployed?
While I do wait and expect patches to solve every security issue, I rather also have them fully tested and glitch free (yeah, I'm poiting my finger at you Microsoft).
So Yeah, professionalism at it's best. I hope in the near future whenever the words CTS and security show up, there's also a big sign about WHAT YOU SHOULD NOT DO WHILE YOU'RE A FREAKING SECURITY RESEARCH TEAM. Unless of course, unprofessionalism and biased research is what you're up to. Or... someone else is funding you.
Wow. Just... Wow. I mean, with Spectre and Meltdown we've seen just long it took for both Intel and AMD to release the patches (plus the mess Intel had with it's patches earlier that had to be halted).
So not only they don't give a heads up about the "issues", but 6 weeks after disclosing "serious" and "dangerous" "threats" that would take months to fix, (and yeah, quote marks for each and every one of those words) they expect the patches to be ready and deployed?
While I do wait and expect patches to solve every security issue, I rather also have them fully tested and glitch free (yeah, I'm poiting my finger at you Microsoft).
So Yeah, professionalism at it's best. I hope in the near future whenever the words CTS and security show up, there's also a big sign about WHAT YOU SHOULD NOT DO WHILE YOU'RE A FREAKING SECURITY RESEARCH TEAM. Unless of course, unprofessionalism and biased research is what you're up to. Or... someone else is funding you.
chispy
Senior Member
Posts: 8758
Joined: 2006-10-29
Senior Member
Posts: 8758
Joined: 2006-10-29
#5543840 Posted on: 05/04/2018 02:34 PM
CTS Labs
sheeeshhh ... Money Driven Scammers and Not a Trusted Security Firm , may Karma take care of them !
CTS Labs
sheeeshhh ... Money Driven Scammers and Not a Trusted Security Firm , may Karma take care of them !
Silva
Senior Member
Posts: 1022
Joined: 2013-06-04
Senior Member
Posts: 1022
Joined: 2013-06-04
#5543850 Posted on: 05/04/2018 02:57 PM
Exposing security flaws without talking with the company first and giving it time to fix it isn't good business practices.
Threatening just exposes the nature of the attack, it was planed and money driven.
I laughed my ass when they said the vulnerabilities need physical access to exploit.
Only now are we knowing of more Spectre vulnerabilities, but they've been reported to Intel months ago.
I understand why journalists report this news, but sometimes I wish they would let them die in the void.
Exposing security flaws without talking with the company first and giving it time to fix it isn't good business practices.
Threatening just exposes the nature of the attack, it was planed and money driven.
I laughed my ass when they said the vulnerabilities need physical access to exploit.
Only now are we knowing of more Spectre vulnerabilities, but they've been reported to Intel months ago.
I understand why journalists report this news, but sometimes I wish they would let them die in the void.
SSD_PRO
Senior Member
Posts: 172
Joined: 2013-02-07
Senior Member
Posts: 172
Joined: 2013-02-07
#5543867 Posted on: 05/04/2018 03:47 PM
I think the real headline here is CTS continues to validate its status as an unprofessional entity but their reported exploits indeed proved legitimate. No fault to AMD any more than fault to Intel for continual work to exploit their hardware for nefarious purposes.
I think the real headline here is CTS continues to validate its status as an unprofessional entity but their reported exploits indeed proved legitimate. No fault to AMD any more than fault to Intel for continual work to exploit their hardware for nefarious purposes.
C0BaLt
Junior Member
Posts: 1
Joined: 2018-05-04
Junior Member
Posts: 1
Joined: 2018-05-04
#5543877 Posted on: 05/04/2018 04:11 PM
I really wouldn't be surprised that Cambridge Analytica is behind this. Better said, that someone payed Cambridge Analytica to do their dirty work. Recently some very concerning stuff has come to light regarding their business. LINK:
Or perhaps some other company with similar business model. It's pretty scary what kind of damage you can do to your opponent using modern technologies and internet. And it's even scarier knowing that there are companies specialized in doing your dirty work if you are willing to pay enough.
I really wouldn't be surprised that Cambridge Analytica is behind this. Better said, that someone payed Cambridge Analytica to do their dirty work. Recently some very concerning stuff has come to light regarding their business. LINK:
Or perhaps some other company with similar business model. It's pretty scary what kind of damage you can do to your opponent using modern technologies and internet. And it's even scarier knowing that there are companies specialized in doing your dirty work if you are willing to pay enough.
Click here to post a comment for this news story on the message forum.
Member
Posts: 48
Joined: 2017-05-08
They might want to disclose how much Intel paid CTS Labs... That would be really interesting to know. Is it 1 mil $, is it 10 mil $, is it 100 mil $ ???
It is so obvious and so directly targeted that nobody is interested in what they found.