AMD promises to fix the vulnerabilities disclosed by CTS in the next few weeks
Ten days after the Israeli company CTS Labs revealed that the security processor on AMD's platform has 13 vulnerabilities that may allow hackers to steal sensitive data, install malware, or control computers (grouped as RyzenFall, MasterKey, Fallout, and Chimera), AMD has finally responded. In its new statement, the company played down the threat posed by the vulnerabilities and promised to release corresponding patches in the next few weeks.
Beyond the technical issues, however, the way CTS chose to report to AMD has sparked a discussion about responsible disclosure. Generally, after discovering a vulnerability in a company's products, security experts give the other party 90 days or longer to respond (depending on the severity of the vulnerability). For example, Google gave Intel almost 200 days before making Meltdown and Spectre public. The reason is to give the affected party a chance to remedy the vulnerability before it is abused, eliminating potential risks as far as possible.
In this incident, however, CTS Labs announced its findings just 24 hours after informing AMD. In so short a time, AMD obviously could not come up with a solution. That is to say, although CTS did not publish any technical details that could harm users, its early disclosure still caused a chain reaction in the industry. In an interview with ZDNet, Linus Torvalds, the father of Linux, was even more blunt: "In my eyes, this seemingly suggested behavior is more like deliberate stock control."
Of course, CTS insisted that its approach was completely justified, because it believed that AMD could not fix the vulnerabilities "for many months or even a year." CTO Ilia Luk-Zilberman previously published a post on AMDflaws describing his thoughts on the 90-day response period, saying that disclosing vulnerabilities immediately is actually a way to put pressure on the relevant parties so that the problem is solved in the shortest possible time.
However, AMD has provided an initial solution in a short time. Users will soon be able to update the BIOS (rest assured that this will not slow down the computer). As for how long vendors should be given to respond in similar situations, opinions still differ. I wonder what position readers will take on this matter.
Permanent link to this article: https://www.bkjia.com/Linux/2018-03/151508.htm