But the controversy extends beyond the security vulnerabilities. Critics note that CTS only gave AMD 24-hour notice prior to publicly disclosing the security vulnerabilities. In more traditional scenarios, vendors often receive up to 90 days prior notice to public disclosure of vulnerabilities. CTS defended the short notice in a statement from the company's CTO.
A Closer Look at the AMD Processor Vulnerabilities
CTS identified the following AMD processor security vulnerabilities:
- Chimera: Allows hackers to launch sophisticated cyberattacks and evade endpoint security solutions.
- Fallout: Allows cyberattackers to read from and write to protected memory areas, including SMRAM and Windows Credential Guard isolated memory (VTL-1).
- Masterkey: Allows cyberattackers to infiltrate an AMD Secure Processor.
- Ryzenfall: Allows malicious code to take complete control over an AMD Secure Processor.
The aforementioned security vulnerabilities affect Ryzen and EPYC processors found on AMD laptops, servers and workstations, CTS stated. They also allow cyberattackers to steal network credentials, spread malware via corporate networks and engage in persistent cyber espionage.
CTS Statement on Responsible Disclosure
The current structure of "Responsible Disclosure" suggests that cybersecurity researchers and vendors work together to mitigate security vulnerabilities. Yet this model "has a very serious problem," CTS Chief Technology Officer Ilia Luk-Zilberman said in a prepared statement.
Under the current Responsible Disclosure model, a vendor generally is provided sufficient time to research a security flaw and determine the best way to address it. But it is "extremely rare" that a vendor will notify customers about a security flaw before it corrects the issue, Luk-Zilberman stated.
Ultimately, CTS notified the public "on day 0" about the AMD processor vulnerabilities and their impact, according to Luk-Zilberman. This enabled CTS to "put the full public pressure on the vendor from the get-go ... to never put customers at risk," Luk-Zilberman noted.
CTS has a good faith belief in its AMD processor security vulnerability analysis and believes the analysis is objective and unbiased, the company indicated in its security advisory on AMD processors. Conversely, CTS acknowledged that it "may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of reports."
How to Address the AMD Security Flaws
CTS has contacted cybersecurity industry experts to find out how to address the AMD security flaws, the company said.
In addition, CTS recommends those who may be affected by the security vulnerabilities reach out to AMD, and the company will provide updates on AMD processor security vulnerability fixes and mitigations.