AMD Says Patches Coming Soon For Chip Vulnerabilities ( 79

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.


Linus Torvalds Slams CTS Labs Over AMD Vulnerability Report ( 115

Earlier this week, CTS Labs, a Tel Aviv-based cybersecurity startup claimed it has discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Linus Torvalds, Linux's creator doesn't buy it. ZDNet reports: Torvalds, in a Google+ discussion, wrote: "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem?' Yeah." Or, as a commenter put it on the same thread, "I just found a flaw in all of the hardware space. No device is secure: if you have physical access to a device, you can just pick it up and walk away. Am I a security expert yet?" CTS Labs claimed in an interview they gave AMD less than a day because they didn't think AMD could fix the problem for "many, many months, or even a year" anyway. Why would they possibly do this? For Torvalds: "It looks more like stock manipulation than a security advisory to me."

These are real bugs though. Dan Guido, CEO of Trail of Bits, a security company with a proven track-record, tweeted: "Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works." But, Guido also admitted, "Yes, all the flaws require admin [privileges] but all are flaws, not expected functionality." It's that last part that ticks Torvalds off. The Linux creator agrees these are bugs, but all the hype annoys the heck out of him. Are there bugs? Yes. Do they matter in the real world? No. They require a system administrator to be almost criminally negligent to work. To Torvalds, inflammatory security reports are annoying distractions from getting real work done.


Can AMD Vulnerabilities Be Used To Game the Stock Market? ( 106

Earlier this week, a little-known security firm called CTS Labs reported, what it claimed to be, severe vulnerabilities and backdoors in some AMD processors. While AMD looks into the matter, the story behind the researchers' discovery and the way they made it public has become a talking point in security circles. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an "obituary" for AMD. Motherboard reports: "We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries," Viceroy wrote in its report. CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock. "We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD's share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock? Security researcher Arrigo Triulzi speculated that Viceroy and CTS Lab were profit sharing for shorting, while Facebook's chief security officer Alex Stamos warned against a future where security research is driven by short selling.

[...] There's no evidence that CTS Labs worked with Viceroy to short AMD. But something like that has happened before. In 2016, security research firm MedSec found vulnerabilities in pacemakers made by St. Jude Medical. In what was likely a first, MedSec partnered with hedge fund Muddy Waters to bet against St. Jude Medical's stock. For Adrian Sanabria, director of research at security firm Threatcare and a former analyst at 451 Research, where he covered the cybersecurity industry, trying to short based on vulnerabilities just doesn't make much sense. While it could work in theory and could become more common in the future, he said in a phone call, "I don't think we've seen enough evidence of security vulnerabilities really moving the stock for it to really become an issue."
Further reading: Linus Torvalds slams CTS Labs over AMD vulnerability report (ZDNet).

Researchers Find Critical Vulnerabilities in AMD's Ryzen and EPYC Processors, But They Gave the Chipmaker Only 24 Hours Before Making the Findings Public ( 195

Alfred Ng, reporting for CNET: Researchers have discovered critical security flaws in AMD chips that could allow attackers to access sensitive data from highly guarded processors across millions of devices. Particularly worrisome is the fact that the vulnerabilities lie in the so-called secure part of the processors -- typically where your device stores sensitive data like passwords and encryption keys. It's also where your processor makes sure nothing malicious is running when you start your computer. CTS-Labs, a security company based in Israel, announced Tuesday that its researchers had found 13 critical security vulnerabilities that would let attackers access data stored on AMD's Ryzen and EPYC processors, as well as install malware on them. Ryzen chips power desktop and laptop computers, while EPYC processors are found in servers. The researchers gave AMD less than 24 hours to look at the vulnerabilities and respond before publishing the report. Standard vulnerability disclosure calls for 90 days' notice so that companies have time to address flaws properly. An AMD spokesperson said, "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings," an AMD spokesman said. Zack Whittaker, a security reporter at CBS, said: Here's the catch: AMD had less than a day to look at the research. No wonder why its response is so vague.

Qarnot Unveils a Cryptocurrency Heater For Your Home ( 65

Qarnot, the French startup known for using Ryzen Pro processors to heat homes and offices for free, is unveiling a new computing heater specifically made for cryptocurrency mining. "The QC1 is a heater for your home that features a passive computer inside," reports TechCrunch. "And this computer is optimized for mining." From the report: The QC1 features two AMD GPUs (Sapphire Nitro+ Radeon RX580 with 8GB of VRAM) and is designed to mine Ethers by default. You can set it up in a few minutes by plugging an Ethernet cable and putting your Ethereum wallet address in the mobile app. You'll then gradually receive ethers on this address -- Qarnot doesn't receive any coin, you keep 100 percent of your cryptocurrencies. If you believe Litecoin or another cryptocurrency is the future, you can also access the computer and mine another cryptocurrency. It's a Linux server and you can access it directly. If your home is cold and you desperately need to turn on the heaters, the QC1 is going to turn on the two GPUs and mine at a 60 MH/s speed. There are also traditional heating conductors in case those two GPUs are not enough. Qarnot heaters don't have any hard drive and rely on passive heating. You won't hear any fan buzzing in the background. You can order the QC1 for $3,600 starting today -- you can also pay in bitcoins. The company hopes to sell hundreds of QC1 in the next year.

How Are Sysadmins Handling Spectre/Meltdown Patches? ( 49

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become "a serious distraction" for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as "what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management." Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: "More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore." That is, sysadmins are ready to apply patches -- when a patch exists. "I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers," explains an IT pro named Nick... Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. "Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I've heard referred to as 'speculative reboots'..."

The confusion -- and rumored performance hits -- are causing some sysadmins to adopt a "watch carefully" and "wait and see" approach... "The problem is that the patches don't come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects," says Sandra, who recently retired from 30 years of sysadmin work. "Projections of how badly performance will be affected range from 'You won't notice it' to 'significantly impacted.'" Plus, IT staff have to look into whether the patches themselves could break something. They're looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.

The article concludes that "everyone knows that Spectre and Meltdown patches are just Band-Aids," with some now looking at buying new servers. One university systems engineer says "I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be."

Ask Slashdot: Could Linux Ever Become Fully Compatible With Windows and Mac Software? 359

dryriver writes: Linux has been around for a long time now. A lot of work has gone into it; it has evolved nicely and it dominates in the server space. Computer literate people with some tech skills also like to use it as their desktop OS. It's free and open source. It's not vendor-locked, full of crapware or tied to any walled garden. It's fast and efficient. But most "everyday computer users" or "casual computer buyers" still feel they have to choose either a Windows PC or an Apple device as the platform they will do their computing on. This binary choice exists largely because of very specific commercial list of programs and games available for these OSs that is not available for Linux.

Here is the question: Could Linux ever be made to become fully compatible with all Windows and Mac software? What I mean is a Linux distro that lets you successfully install/run/play just about anything significant that says "for Windows 10" or "for OSX" under Linux, without any sort of configuring or crazy emulation orgies being needed? Macs and PCs run on the exact same Intel/AMD/Nvidia hardware as Linux. Same mobos, same CPUs and GPUs, same RAM and storage devices. Could Linux ever be made to behave sufficiently like those two OSs so that a computer buyer could "go Linux" without any negative consequences like not being able to run essential Windows/Mac software at all? Or is Linux being able to behave like Windows and OSX simply not technically doable because Windows and OSX are just too damn complex to mimic successfully?

To Combat Shortage, Nvidia Asks Retailers To Limit Graphics Card Orders ( 212

An anonymous reader writes: If you're a PC builder -- or your aging desktop system is in dire need of some modern upgrades -- you've probably wondered why it's impossible to get a graphics card lately. You can thank the outrageous interest in cryptocurrency for all of this. Since graphics cards mine cryptocurrency much faster than CPUs, an eager community of get-rich-quick enthusiasts are scooping up graphics cards as fast as they can get them. While there isn't much major manufacturers AMD and Nvidia can do about the overwhelming demand for GPUs, Nvidia is at least trying to let retailers know that they should be holding their stock for the company's core audience: gamers, not miners. "For NVIDIA, gamers come first. All activities related to our GeForce product line are targeted at our main audience. To ensure that GeForce gamers continue to have good GeForce graphics card availability in the current situation, we recommend that our trading partners make the appropriate arrangements to meet gamers' needs as usual," reads a translated statement Nvidia's Boris Bohles. Nvidia is suggesting that retailers limit graphics card orders to just two per person, but that's just an idea -- one Nvidia can't actually enforce beyond restricting sales on its website, which it's currently doing. Further reading: It's a terrible time to buy a graphics card.

Wine 3.0 Released ( 153

prisoninmate shares a report from Softpedia: The Wine (Wine Is Not an Emulator) project has been updated today to version 3.0, a major release that ends 2017 in style for the open-source compatibility layer capable of running Windows apps and games on Linux-based and UNIX-like operating systems. Almost a year in the works, Wine 3.0 comes with amazing new features like an Android driver that lets users run Windows apps and games on Android-powered machines, Direct3D 11 support enabled by default for AMD Radeon and Intel GPUs, AES encryption support on macOS, Progman DDE support, and a task scheduler. In addition, Wine 3.0 introduces the ability to export registry entries with the reg.exe tool, adds various enhancements to the relay debugging and OLE data cache, as well as an extra layer of event support in MSHTML, Microsoft's proprietary HTML layout engine for the Windows version of the Internet Explorer web browser. You can read the full list of features and download Wine 3.0 from WineHQ's website.

Microsoft Resumes Meltdown and Spectre Updates for AMD Devices ( 49

Microsoft has resumed the rollout of security updates for AMD devices. The updates patch the Meltdown and Spectre vulnerabilities. From a report: Microsoft released these patches on January 3, but the company stopped the rollout for AMD-based computers on January 9 after users reported crashes that plunged PCs into unbootable states. After working on smoothing out the problems with AMD, Microsoft announced today it would resume the rollout of five (out of nine) security updates.

AMD Is Releasing Spectre Firmware Updates To Fix CPU Vulnerabilities ( 74

An anonymous reader quotes a report from The Verge: AMD's initial response to the Meltdown and Spectre CPU flaws made it clear "there is a near zero risk to AMD processors." That zero risk doesn't mean zero impact, as we're starting to discover today. "We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat," says Mark Papermaster, AMD's chief technology officer. AMD is making firmware updates available for Ryzen and EPYC owners this week, and the company is planning to update older processors "over the coming weeks." Like Intel, these firmware updates will be provided to PC makers, and it will be up to suppliers to ensure customers receive these. AMD isn't saying whether there will be any performance impacts from applying these firmware updates, nor whether servers using EPYC processors will be greatly impacted or not. AMD is also revealing that its Radeon GPU architecture isn't impacted by Meltdown or Spectre, simply because those GPUs "do not use speculative execution and thus are not susceptible to these threats." AMD says it plans to issue further statements as it continues to develop security updates for its processors.

Microsoft Pauses Rollout of Spectre and Meltdown Patches To AMD Systems ( 100

Microsoft is suspending patches to guard against Meltdown and Spectre security threats for computers running AMD chipsets after complaints by AMD customers that the software updates froze their machines. From a report: The company is blaming AMD's failure to comply with "the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown." There's no word on when the patches will be fixed, but Microsoft says that it is working with AMD to address the problem.

Intel Launches 8th Gen Core Series CPUs With Integrated AMD Radeon Graphics ( 123

MojoKid writes: At CES 2018, Intel unveiled more details of its 8th generation Intel Core processors with integrated AMD Radeon RX Vega M graphics. Like cats and dogs living together, the mashup of an Intel processor with an AMD GPU is made possible by an Embedded Multi-Die Interconnect Bridge (EMIB), which provides a high-speed data interconnect between the processor, GPU and 4GB of second-generation High-Bandwidth Memory (HBM2). Intel is delivering 8th generation H-Series Core processors in 65W TDP (laptops) and 100W TDP (desktops) SKUs that will take up 50 percent less PCB real estate, versus traditional discrete configs. Both the mobile and desktop variants of the processors will be available in Core i5 or Core i7 configurations, with 4 cores and 8 threads, up to 8MB of cache and 4GB of HBM2. The 65W mobile processors can boost up to 4.1GHz, while the Radeon RX Vega M GL GPU has base/boost clocks of 931MHz and 1011MHz, respectively. The AMD GPU has 20 compute units and memory bandwidth checks in at 179GB/s. Desktop processors ratchet the maximum boost slightly to 4.2GHz, while the base/boost clocks of the Radeon RX Vega M GH GPU jump to 1063MHz and 1190MHz, respectively. Desktop GPUs are also upgraded with 24 CUs and 204GB/s of memory bandwidth. Intel says that its 8th generation Core i7 with Radeon RX Vega M GL graphics is up to 1.4x faster than a Core i7-8550U with an NVIDIA GeForce GTX 1050 GPU in a notebook system. System announcements from Dell and HP are forthcoming, with availability in the first half of this year. Intel has also launched a new NUC small form factor gaming mini PC based on the technology as well.

Microsoft's Meltdown and Spectre Patch Is Bricking Some AMD PCs ( 299

Mark Wilson writes: As if the Meltdown and Spectre bug affecting millions of processors was not bad enough, the patches designed to mitigate the problems are introducing issues of their own. Perhaps the most well-known effect is a much-publicized performance hit, but some users are reporting that Microsoft's emergency patch is bricking their computers. We've already seen compatibility issues with some antivirus tools, and now some AMD users are reporting that the KB4056892 patch is rendering their computer unusable. A further issue -- error 0x800f0845 -- means that it is not possible to perform a rollback.

AMD Unveils 2nd Gen Ryzen and Threadripper CPUs, 7nm Vega Mobile GPUs At CES ( 97

MojoKid writes: AMD is unveiled a number of upcoming chip products for the new year at CES 2018, including updated next-generation Ryzen and Threadripper desktop processors covering every market segment from mobile to HEDT, and an array of Vega-based graphics products. AMD will be releasing a pair of Ryzen 3-branded mobile APUs for mainstream notebooks. The quad-core / quad-thread Ryzen 3 2300U has base and boost clocks of 2.0GHz and 3.4GHz, respectively, while the dual-core / quad-thread Ryzen 3 2200U clocks-in at 2.5GHz and 3.4GHz, base and boost. Desktop Ryzen APUs, codenamed Raven Ridge, are inbound for the AM4 platform as well. Launching on February 12 are the upcoming Ryzen 5 2400G and Ryzen 3 2200G. The Ryzen 5 chip is a quad-core / eight-thread machine with an on-die, 11 CU Vega graphics core, priced at $169. The Ryzen 3 2200G is a quad-core / quad-thread chip with and 8 CU Vega-based graphics engine for only $99. CPU core frequencies on the Ryzen 5 2400G range from 3.6GHz -- 3.9GHz (base / boost) and the Ryzen 3 2400G clocks-in at 3.5GHz -- 3.7GHz. 2nd-generation Ryzen desktop processors are on the way as well and will be manufactured using an advanced 12nm+ lithography process, leveraging the Zen+ architecture, which is fundamentally unchanged from current Zen-based processors, save for a few tweaks and fixes that improve cache and memory speeds and latency. 2nd-Generation Ryzen processors are NOT based on the Zen 2 architecture. AMD also mentioned that these new processors will be used in a new line-up of 2nd-Generation Threadripper processors. Finally, the company disclosed two new Vega-based GPUs, a Vega Mobile part with a svelte 1.7mm Z-height and second Vega-based chip, which will be manufactured at 7nm that specifically targets machine learning applications. The low-profile Vega Mobile GPU will find its ways into ultra-thin notebooks and mobile workstations, but speeds and feeds weren't disclosed. AMD also announced that it will be supporting variable refresh rate over HDMI 2.1 in the future as well.

After Intel ME, Researchers Find Security Bug In AMD's SPS Secret Chip-on-Chip ( 76

An anonymous reader writes: AMD has fixed, but not yet released BIOS/UEFI/firmware updates for the general public for a security flaw affecting the AMD Secure Processor. This component, formerly known as AMD PSP (Platform Security Processor), is a chip-on-chip security system, similar to Intel's much-hated Management Engine (ME). Just like Intel ME, the AMD Secure Processor is an integrated coprocessor that sits next to the real AMD64 x86 CPU cores and runs a separate operating system tasked with handling various security-related operations.

The security bug is a buffer overflow that allows code execution inside the AMD SPS TPM, the component that stores critical system data such as passwords, certificates, and encryption keys, in a secure environment and outside of the more easily accessible AMD cores. Intel fixed a similar flaw last year in the Intel ME.


Can We Replace Intel x86 With an Open Source Chip? ( 359

An anonymous reader quotes, Jason Perlow, the senior technology editor at ZDNet: Perhaps the Meltdown and Spectre bugs are the impetus for making long-overdue changes to the core DNA of the semiconductor industry and how chip architectures are designed... Linux (and other related FOSS tech that forms the overall stack) is now a mainstream operating system that forms the basis of public cloud infrastructure and the foundational software technology in mobile and Internet of Things (IoT)... We need to develop a modern equivalent of an OpenSPARC that any processor foundry can build upon without licensing of IP, in order to drive down the costs of building microprocessors at immense scale for the cloud, for mobile and the IoT. It makes the $200 smartphone as well as hyperscale datacenter lifecycle management that much more viable and cost-effective.

Just as Linux and open source transformed how we view operating systems and application software, we need the equivalent for microprocessors in order to move out of the private datacenter rife with these legacy issues and into the green field of the cloud... The fact that we have these software technologies that now enable us to easily abstract from the chip hardware enables us to correct and improve the chips through community efforts as needs arise... We need to stop thinking about microprocessor systems' architectures as these licensed things that are developed in secrecy by mega-companies like Intel or AMD or even ARM... The reality is that we now need to create something new, free from any legacy entities and baggage that has been driving the industry and dragging it down the past 40 years. Just as was done with Linux.

The bigger question is which chip should take its place. "I don't see ARM donating its IP to this effort, and I think OpenSPARC may not be it either. Perhaps IBM OpenPOWER? It would certainly be a nice gesture of Big Blue to open their specification up further without any additional licensing, and it would help to maintain and establish the company's relevancy in the cloud going forward.

"RISC-V, which is being developed by UC Berkeley, is completely Open Source."

How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found ( 138

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.


Microsoft Issues Rare Out-of-Band Emergency Windows Update For Processor Security Bugs ( 129

An anonymous reader shares a report: Microsoft is issuing a rare out-of-band security update to supported versions of Windows today (Wednesday). The software update is part of a number of fixes that will protect against a newly-discovered processor bug in Intel, AMD, and ARM chipsets. Sources familiar with Microsoft's plans tell The Verge that the company will issue a Windows update that will be automatically applied to Windows 10 machines at 5PM ET / 2PM PT today. The update will also be available for older and supported versions of Windows today, but systems running operating systems like Windows 7 or Windows 8 won't automatically be updated through Windows Update until next Tuesday. Windows 10 will be automatically updated today.

Google's Project Zero Team Discovered Critical CPU Flaw Last Year ( 124

An anonymous reader quotes a report from TechCrunch: In a blog post published minutes ago, Google's Security team announced what they have done to protect Google Cloud customers against the chip vulnerability announced earlier today. They also indicated their Project Zero team discovered this vulnerability last year (although they weren't specific with the timing). The company stated that it informed the chip makers of the issue, which is caused by a process known as "speculative execution." This is an advanced technique that enables the chip to essentially guess what instructions might logically be coming next to speed up execution. Unfortunately, that capability is vulnerable to malicious actors who could access critical information stored in memory, including encryption keys and passwords. According to Google, this affects all chip makers, including those from AMD, ARM and Intel (although AMD has denied they are vulnerable). In a blog post, Intel denied the vulnerability was confined to their chips, as had been reported by some outlets. The Google Security team wrote that they began taking steps to protect Google services from the flaw as soon as they learned about it.

Slashdot Top Deals