Start-up CTS Labs went public with the bugs in AMD’s chips last week, after giving the company less than a day’s notice.
AMD has said it plans to release fixes for several bugs that were recently made public “in the coming weeks”.
The chip company released an initial assessment, its first official update on the issues since they were announced by Israeli start-up CTS Labs in an unusual publicity campaign last week.
AMD said CTS gave it less than 24 hours’ notice before going public, a rare move in the computer security field.
The bugs could allow attackers who had already compromised a system to create advanced exploits, CTS said.
Mark Papermaster, AMD’s chief technology officer, said the company had completed its review of the bugs and was developing mitigations.
He said AMD would provide firmware patches through a BIOS update that would address the Masterkey, Fallout and Ryzenfall bugs, as well as a firmware fix for the Secure Processor (PSP).
The company said it doesn’t expect performance to be downgraded, a problem that arose with patches for the Meltdown and Spectre processor security issues affecting AMD, Intel and others that were disclosed earlier this year.
AMD said it is also working to address the Chimera bug, which affects the “Promontory” chipset used in some platforms.
Patches for Chimera are also to be released through a BIOS update, with no performance issues expected, Papermaster said.
“AMD is working with the third-party provider that designed and manufactured the ‘Promontory’ chipset on appropriate mitigations,” he wrote in a blog post.
‘No immediate risk’
AMD emphasised that the bugs are difficult to exploit, with all of them requiring administrator access.
“Any attacker gaining unauthorised administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research,” Papermaster wrote.
He referred to comments made last week by Dan Guido, chief executive of security firm Trail of Bits, which was hired to help verify CTS’ findings.
In those comments, Guido said the bugs presented “no immediate risk” because attackers would need time to develop tools to exploit them.
Papermaster added that the CTS bugs aren’t related to exploits disclosed by Google in January. At the time Google detailed how the Meltdown and Spectre flaws affected chips from Intel, AMD and ARM.