TechPowerUp has approached Israel-based security research group CTS Labs that claims to have found 13 security flaws in AMD Ryzen and Zen-based processors. Many questioned the lack of proof-of-concept and/or binaries with their initial public report. CTS Labs responded to TPU that it has sent AMD as well as other companies including Microsoft, HP, Dell, Symantec, FireEye, Cisco Systems to aid them in developing patches and mitigation. CTS Labs says they have sent functional proof-of-concept exploit code as well as a complete research package including full technical write-ups about the vulnerabilities.
AMD has stated that they received the research only 24 hours prior to the report by CTS Labs making its way to the public. CTS Labs confirmed to TPU this timeframe of release contrary to an industry-accepted practice of providing at least 90 days. This confidential notice allows companies affected to design and develop patches and security updates. This short release notice directly contrasts the relatively longer time that Spectre and Meltdown were kept away from public information. CTS Labs implores those that shun their act by saying “If you look at the situation in the following way: right now the public knows about the vulnerabilities and their implications, AMD is fully informed and developing patches, and major security companies are also informed and working on mitigation.”
Meltdown and Spectre was known for over half-a-year before it was made publicly known but prior to this, Intel’s senior execs were already selling off stocks, knowing the possible backlash once the flaw is made public. The Meltdown/Spectre news mostly broke Intel’s creds but with CTS Labs’ findings, AMD will see itself possibly a similar situation.
The main difference in this scenario is that AMD is caught by surprise and with no clear proof from CTS Labs, its up to AMD to prove that CTS Labs’ claims are false or that they indeed have security issues to fix and now need time to mitigate and develop solutions for these flaws.