Comments Locked

101 Comments

Back to Article

  • chobao - Tuesday, March 20, 2018 - link

    yay yippie..thanks ian
  • Alistair - Wednesday, March 21, 2018 - link

    Honestly I think Ian's work on this issue is some of the best journalism he's ever done. Bravo!

    Pretty interesting to see this kind of nefarious behaviour out in the open.
  • halcyon - Friday, March 23, 2018 - link

    Indeed .
    I wonder if any mfg is willing to comment about these exploits in relation to upgoming chipset versions?
  • chobao - Tuesday, March 20, 2018 - link

    wait..why did CTS spin it in a different way...like a more malicious way
  • iter - Tuesday, March 20, 2018 - link

    Garbage being garbage...
  • iwod - Tuesday, March 20, 2018 - link

    I dont think CTS are garbage to be honest, it is malicious, but I will give them the benefits of doubt. ( For now )

    What is trillion times worst, are those moron ( I am not even sure if they are really moron any more, or they are actually paid to troll ) crying foul saying ( shouting ) this thing is real. AMD has a serious problem, just as much as Intel Spectre, CTS did it right in zero day. And we are focusing too much on CTS and not AMD's problem, it doesn't matter If you need ADMIN access, these are real Bug. AMD Only ( No mention of ASMedia )....

    And insults Ian for all his hard work, calling him bias, AMD Fanboy......

    But Ian being well educated and British, remains calm and gentleman, sorry if this sound too cheesy, but if I was in his position reading those crap on twitter and comments I would have raged more then a thousand times. So I just told Ian to block him. Peace.

  • iter - Tuesday, March 20, 2018 - link

    It was completely blown out of proportion. Give it 1% of the severity they tried to insinuate that would be generous.

    They don't appear to be all that intelligent either, judging by how lousily they executed their scheme, despite hiring professional help in attempts to buy credibility.

    It certainly takes a significant amount of intellect to pinpoint those issues. And there is not a shred of intellect present in the pathetic stunt they made out of it. Which brings up the question, did they really discover those issues, or was it a handout from a third party?
  • looncraz - Wednesday, March 21, 2018 - link

    These "exploits" are on the level of what 16-year old me was doing.

    "Oh look, dad! I 'hacked' my BIOS and now I can change what it says in my BIOS and execute code before Windows starts!"

    Yeah, for real, I did that in... like... 1997 or 1998.
  • peevee - Wednesday, March 21, 2018 - link

    "Give it 1% of the severity they tried to insinuate that would be generous."

    Absolutely.
  • iwod - Wednesday, March 21, 2018 - link

    um....Apparently you are the only one reading my comment correctly......
  • jdlee - Wednesday, March 21, 2018 - link

    After reading your comment multiple times, I finally figured out where you're using sarcasm :) It took a bit, though.
  • JKay6969AT - Thursday, March 22, 2018 - link

    To be fair, when I read, then re-read your comment I found it to be anti-AMD and incorrect.

    "What is trillion times worst, are those moron ( I am not even sure if they are really moron any more, or they are actually paid to troll ) crying foul saying ( shouting ) this thing is real. AMD has a serious problem, just as much as Intel Spectre, CTS did it right in zero day. And we are focusing too much on CTS and not AMD's problem, it doesn't matter If you need ADMIN access, these are real Bug. AMD Only ( No mention of ASMedia )...."

    These bugs are AMD and INTEL problems as both use ASMedia chipsets on their motherboards.

    The bugs are not too serious due to the fact that you need full Admin privileges to enact them and with this status you could wreak havoc on ANY system with full Admin privileges.

    CTS Labs were set to profit from releasing these exploit warnings, they must have been otherwise they would have released them as Intel and AMD warnings at the very least. The ONLY reason to blame only AMD would be if they were paid to or they were trying to short AMD stocks or both. That is my opinion anyways :-)

    The first thing I thought when I first heard these exploits was...Why is this just about AMD? and Why is this being so blown out of proportion? Admin rights grants a lot of power on ANY system regardless of these bugs so it's bad that it can happen but with that kind of access these bugs are the LEAST of your worries, who needs such a complicated and relatively hard to design and pull off exploit? There are far easier ways to compromise a system when you have such powerful access.

    I feel bad for AMD as this wasn't fair and it isn't right that all the blame lies on their doorstep. ASUS have far more blame on their part and intel are about as much at fault as AMD.
  • johnnyan - Wednesday, March 21, 2018 - link

    I love it when people like you call others morons...

    These vulnerabilities are not even close to Spectre and Meltdown. The one specific to Intel is Meltdown btw...
  • Samus - Thursday, March 22, 2018 - link

    Exactly. There is a staggering difference in severity between silicon level exploitation (ie, architecture flaws) and firmware exploits.
  • jordanclock - Wednesday, March 21, 2018 - link

    We should focus on CTS because they failed at key practices of responsible disclosure. Their timelines for disclosure, their lack of CVEs and their inability to be transparent with funding. It was a grossly negligent announcement. As AMD pointed out, these vulnerabilities are not Zen specific. Chimera could potentially impact just about every motherboard in the last ten years because ASMedia tech is so prevalent.

    But yeah, let's pretend like AMD messed up because they have a secondary vulnerability.
  • jordanclock - Wednesday, March 21, 2018 - link

    Also Meltdown is considerably more dangerous because a program with essentially no permissions, other than execution, can view memory it should never have access to. Spectre is even worse because it could theoretically occur in web browsers until mitigations were put in place.
  • jospoortvliet - Wednesday, March 21, 2018 - link

    Exactly. Spectre can hit you when running in a sandboxed browser! Meltdown can break out of a virtual machine... while these 'exploits' *require* root access - typically the very thing an exploit is supposed to attain.
  • t.s - Wednesday, March 21, 2018 - link

    Not only 'root' access, but 'bare metal' access.
    "All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal"
  • SetiroN - Wednesday, March 21, 2018 - link

    Yeah you're just utterly clueless. Those vulnerabilities are pretty minor and administrative access makes all the difference in the world in security.

    Ian being British and politically correct completely smashed their credibility between the lines, with the phone interview and in every article including this article.

    But you're clueless and everything just flew over your head.
  • Samus - Thursday, March 22, 2018 - link

    True. I mean. If someone malicious has Admin access the entire system is already compromised. And if someone has Admin access that is dumb enough to execute code taking advantage of these exploits, then the system is already compromised.
  • teraflop1 - Wednesday, March 21, 2018 - link

    What do you mean 'it doesn't matter if you need ADMIN access'? And these bugs are not as severe as the Intel issues. If you actually read how the exploits work you would see this too.
    Many people on Anandtech are very well trained technical specialists that can see through the CTS garbage in seconds.
  • dotpex - Wednesday, March 21, 2018 - link

    "it doesn't matter If you need ADMIN access"
    Ok, give me key to your house an car, and then blame house and car manufacturer
  • mkozakewich - Wednesday, March 21, 2018 - link

    The gist of the whole thing is this: "If an intruder gains access to your house, they could unlock the windows so that they could easily regain entry later!"

    No, we're not giving anyone our keys. The thing is, I don't care that my window latches are technically vulnerabilities if I make sure I'm not inviting malicious actors into my house. It's still a risk, but it's manageable.
  • zepi - Wednesday, March 21, 2018 - link

    I rent a physical epyc server from a datacenter for one month (costs few hundred bucks). I exploit the PSP vulnerability that overwrites AGESA firmware with version that includes a backdoor for me and a fix that prevents future firmware upgrades and fixes to Ryzenfall and Fallout.

    Then I return the machine to cloud operator after one month of ferocious ”insert cryptocoin name of your choise” mining and wait until someone else rents the same machine.

    Whoever rents it next can’t choose brand new machine vs. One that comes pre-used -> I’ve just pwned them for couple of hundreds.
  • tamalero - Friday, March 23, 2018 - link

    When you "Rent" a cloud operator's server, I dont think you get full root access in the way you think you get.

    You're talking about actually renting a dedicated server, not cloud.
  • erple2 - Saturday, March 24, 2018 - link

    Service providers like AWS are now reselling bare-metal CPU time, too. Granted AWS is intel-exclusive (for now).
    See: https://aws.amazon.com/blogs/aws/new-amazon-ec2-ba...
  • peevee - Wednesday, March 21, 2018 - link

    "it doesn't matter If you need ADMIN access, "

    Oh YES I DOES.
    If you have admin access at the metal (as far as I understand as opposed to VM), the game is over already.
  • Samus - Thursday, March 22, 2018 - link

    iwod, you are either failing to see the fundamental difference between AMD and Intel exploits, or trying really hard to ignore them.

    The difference here is AMD's problem are not silicon level. They are firmware level. ie entirely fixable.

    Yet CTS seemed to imply they were not easily fixable and in a way much worse than Intel's problem because there were four categories of exploitation instead of two.

    The whole thing was blown out of proportion, and considerin the simplicity of the fixes, it boggles the well-balanced mind why these were released zero-day instead of giving AMD a few weeks to simply push a firmware update to fix all of these problems.

    This is what we would consider a smear campaign in politics. And CTS is obviously playing the role of political watchdog here. Which begs the question...why? Why were they so gray about what they found, how they went about announcing it, and how they conducted interviews?
  • iwod - Thursday, March 22, 2018 - link

    Right, I wish there is an edit button.

    What is trillion times worst, are those moron ( I am not even sure if they are really moron any more, or they are actually paid to troll ) crying foul saying ( shouting ):

    "This thing is real! AMD has a serious problem, just as much as Intel Spectre, CTS did it right in zero day. And we are focusing too much on CTS and not AMD's problem, it doesn't matter If you need ADMIN access, these are real Bug. AMD Only ( No mention of ASMedia )...."

    And Then they insults Ian for all his hard work, calling him bias, AMD Fanboy......

    Does that clear things up?
  • Brodz - Thursday, March 22, 2018 - link

    "But Ian being well educated and British, remains calm and gentleman"

    I don't think Ian will date you... settle down
  • Alexvrb - Saturday, March 24, 2018 - link

    It's nowhere near as severe as Meltdown/Spectre. It requires your system to already be compromised. It can't help you escape a VM. There's no performance impact for plugging these secondary vulnerabilities. Overblown zero-day release by a highly shady "firm" with suspect motives.
  • AeroWB - Wednesday, March 28, 2018 - link

    I agree that CTS labs is not garbage, they did find some real vulnerabilities and shared them with AMD so they can be fixed. Unfortunately that is about the only thing they right.

    Lets analyse:
    + Finding vulnerabilities in AMD CPU/Chipsets and sahring the information with AMD
    + Not giving technical details on how to exploit these to the public
    - Giving AMD only 24 hours to respond
    - Defending the 24 hour period with an excuse that is utter BS. Especially now AMD says they will be able to fix all with 90 days
    - Explicitly trying to make the vulnerabilities look as bad as Meltdown/Spectre while these are not even close (need admin access, so almost no real thread, and AMD claims these can be fixed with no perforamnce impact)
    - Publicly flaming AMD by using a website AMDflaws.com and names as Ryzenfalls (really CTS, this is low and unprofessional, you are asking not to be taken seriously) This is in stark contrast to the normal practice in the business.
    - Giving the malicious and notorious Viceroy Research group upfront notice so they could release a paper on these vulnerabilities with an even bigger amount of BS. (Viceroy Research is known for manipulating stocks)
    +/- Releasing 13 vulnerabilities on the 13th. Maybe they wanted to give us a chance of discovering the BS on their findings by using this faked coincidence, or they really hoped many readers were very superstitious. I am not sure so therefore the +/-

    So adding this all up they CTS labs rating on these findings is ---

    Or in normal words CTS labs is bad, because of bad ethics, name calling, trying to manipulate stocks, trying to make name by lifting on the news of real vulnerabilities (Spectre/Meltdown) even when their findings were real.
  • palindrome - Tuesday, March 20, 2018 - link

    Money
  • willis936 - Tuesday, March 20, 2018 - link

    Because that is what they were paid to do.
  • eva02langley - Tuesday, March 20, 2018 - link

    They found benign issues and created a story around it to short the stock.
  • poohbear - Wednesday, March 21, 2018 - link

    It has been a great buying opportunity though! Hacent seen AMD hit $11 a share in a while! It'll be back to $12/$13 in no time! Nice 10% gain.
  • Tewt - Tuesday, March 20, 2018 - link

    Yep, they spun it as a Ryzen architecture problem. That part really bothers me with the outright lying. Kudos to AMD handling this graciously.
  • dotpex - Wednesday, March 21, 2018 - link

    Just search linkedin for CTS labs, you will find cts labs (from isreael) and cts labs inc (from us) with same people
    https://www.linkedin.com/company/cts-labs-inc/?lip...
    Site: http://www.ctslabsinc.com/
  • dotpex - Wednesday, March 21, 2018 - link

    Two accounts same guy
    https://www.linkedin.com/in/ilial/
    https://www.linkedin.com/in/yaron-luk-zilberman-09...
    http://www.cts-labs.com/management-team
  • halcyon - Friday, March 23, 2018 - link

    Money.
    It makes the world go around.
  • SaturnusDK - Tuesday, March 20, 2018 - link

    This statement really puts the unprofessionalism by CTS into perspective when it's issues that could fairly easily been remedied without public knowledge of them had proper warning time been given.

    It also confirms the previous assessment that this vulnerability affects more or less all PCs and servers that uses the target chipset, and is not confined to the Ryzen platform but literally 99% of all Intel motherboards from the last 6-7 years as well.
  • edzieba - Tuesday, March 20, 2018 - link

    Which is none: on Intel boards, Intel's PCHs are used. If an ASMedia host controller is present, it is as a device hung off of the PCIe bus like any other PCIe device.
  • SaturnusDK - Tuesday, March 20, 2018 - link

    Which means Intel and AMD use them in exactly the same way.
  • edzieba - Tuesday, March 20, 2018 - link

    Nope: Intel make their own chipset, but the Ryzen and Epic chipsets are not made by AMD. The entire chipset is made instead by ASMedia.
  • PixyMisa - Wednesday, March 21, 2018 - link

    Ryzen and Epyc CPUs are a systems-on-a-chip. The "chipset" is literally just an I/O controller on the PCIe bus, exactly as with any ASMedia chip on an Intel motherboard.
  • SaturnusDK - Wednesday, March 21, 2018 - link

    What he's probably referring to is that Intel used to design their own IO controllers that was used on some but not all Intel branded server motherboards. Virtually no consumer motherboards or indeed server motherboard from other manufacturers used or uses Intel IO controllers.

    Intel does not use Intels own IO controllers on most of their current generation server motherboards as the specifically developed ASmedia1143 that AMD also use on the Ryzen platform is used instead of their own internally developed IO controllers.
  • edzieba - Wednesday, March 21, 2018 - link

    "Virtually no consumer motherboards or indeed server motherboard from other manufacturers used or uses Intel IO controllers."

    The X299 (or Z370, H2xx, etc) PCH contains the IO controllers, PCIe logic (e.g. for RST and Optane), etc. Those chips are designed and fabbed by Intel. For AMD platforms, some IO is on the die (using ASMedia designs but fabbed by GlobalFoundries) and some IO is on the 'chipset' (designed by ASMedia and manufactured by whoever they contract it to).

    There's no reason for a server board to contain an ASM1143 as you're not going to be plugging USB 3.1 devices into it.
  • SaturnusDK - Wednesday, March 21, 2018 - link

    "The X299 (or Z370, H2xx, etc) PCH contains the IO controllers..."

    Oh, so that's why ASUS, Gigabyte, Asrock, just to name a few use ASMedia IO controllers built with the the exact same IP on all their current x299 and z370 motherboards?

    Practically only Intel uses Intel branded (but ASMedia designed and fabbed) chipsets on any motherboard available today.
  • Cooe - Tuesday, March 20, 2018 - link

    USB Chipsets and other added I/O on Intel boards are often the exact same ASMedia chips that AMD uses for Promontory. ASUS in particular uses them all the time.
  • looncraz - Wednesday, March 21, 2018 - link

    Show me a system that can't be exploited AFTER I have admin access AND a custom BIOS... I dare ya!
  • danjw - Wednesday, March 21, 2018 - link

    Wrong, the issue is in USB controllers that ASMedia sells, it was transferred into the southbridge that AMD uses. They have been used on literally millions of Intel based motherboards over multiple generations of processors. To be clear this was an ASMedia bug not an Intel or AMD bug.
  • IBM760XL - Tuesday, March 20, 2018 - link

    These issues are Ryzen-specific, and don't affect Intel chips. The ones by Google Project Zero from January, however, do affect Intel processors as well.

    But I 100% agree that it puts CTS's unprofessionalism on stark display. If they really cared about security, they would have given standard notice, and it would've all been fixed before public disclosure. Instead all they care about is a quick profit from stock trading.
  • hescominsoon - Tuesday, March 20, 2018 - link

    Wrong. this has nothing to do with the Ryzen CPU...but the third party chipset which contains products from ASmedia that BOTH Intel and AMD use.
  • edzieba - Wednesday, March 21, 2018 - link

    4 of the 5 exploits target the Secure Element within the CPU die.
  • SaturnusDK - Thursday, March 22, 2018 - link

    edzieba, did you even read AMDs statement or the tl;dr by Mr. Ian Cutress above? The tl;dr reads, and note no. 4:

    "The salient high-level takeaway from AMD is this:

    1. All the issues can be confirmed on related AMD hardware, but require Admin Access at the metal
    2. All the issues are set to be fixed within weeks, not months, through firmware patches and BIOS updates
    3. No performance impact expected
    4. None of these issues are Zen-specific, but relate to the PSP and ASMedia chipsets.
    5. These are not related to the GPZ exploits earlier this year."

    I would encourage you to read the full article and the full AMD statement.
  • eva02langley - Tuesday, March 20, 2018 - link

    So Linus Torvalds was bang on. CTS-Labs didn't had a clue about what they were talking about and intentionally tried to damage AMD reputation.

    ...wow...
  • iter - Tuesday, March 20, 2018 - link

    He and more or less everyone who wasn't paid off to lie or wasn't a brain dead intel fanboy.
  • chobao - Tuesday, March 20, 2018 - link

    https://www.bloomberg.com/news/articles/2018-03-20...

    AMD is asking for a investigation >.<...okay here comes more potatoes..if the investigation happens
  • Ian Cutress - Tuesday, March 20, 2018 - link

    An investigation into unusual stock trading, not towards any one company. Just to be clear.
  • chobao - Tuesday, March 20, 2018 - link

    yes that is nice of AMD, not to point fingers.
  • chobao - Tuesday, March 20, 2018 - link

    Ian, are you gonna do another piece with CTS- Labs Response :D

    sometimes drama is nice haha
  • Krysto - Tuesday, March 20, 2018 - link

    So they'll fix even the ASMedia backdoor? Interesting.

    And the fact that there were so many PSP bugs to begin with is AMD's fault. They should open up the firmware, as requested many of its customers.
  • chobao - Tuesday, March 20, 2018 - link

    proprietary software maybe..but ya..would be nice to open source stuff
  • hescominsoon - Tuesday, March 20, 2018 - link

    The PSP flaws require a previous machine compromise unlike the Intel ME bugs which did NOT require an existing compromise. Call for Intel's firmware to be opened AND actually start a movement to get this action done and you will have some credibility.
  • BurntMyBacon - Wednesday, March 21, 2018 - link

    You are not going to convince Intel to open source their ME firmware not matter how hard you demand it. They've already been called to do so to no avail. To be fair, Intel's ME is much more capable than AMD's PSP, particularly with the ability to initiate functions remotely (I.E. over the internet). Regardless of how good (or bad?) Intel's security is on the ME, it's not something Intel wants in the crosshairs. I don't expect AMD will give up their PSP firmware either. I don't fully agree with this stance, but I can understand not wanting to expose such critical firmware to the masses and I don't expect either company to deviate from it.
  • ikeke1 - Tuesday, March 20, 2018 - link

    (Y)
  • YukaKun - Tuesday, March 20, 2018 - link

    Thanks for the great coverage Ian!

    Much appreciated!
  • chobao - Tuesday, March 20, 2018 - link

    so CTS released POC video on youtube...today

    https://www.youtube.com/watch?v=RrhVhFHTe9o
  • chobao - Tuesday, March 20, 2018 - link

    why would they release something like this publicly...didn't they say they would never release it publicly >.>
  • SkyBill40 - Tuesday, March 20, 2018 - link

    Why? Isn't it clear? They don't have a damned clue what they're doing other than attempting to manipulate the stock valuation on a short. Anything and everything that can be done to affect that seems to be in their playbook.

    That said, I'm glad to see AMD making what amounts to a retaliatory counter by reporting the unusual stock activity to the SEC.
  • Manch - Wednesday, March 21, 2018 - link

    I watched part of the video. Nice lab LOL. So lemme get this straight. In order for this exploit to work someone needs to get past the security gates, infiltrate the bldg, access the secure server room with their gear and get admin access to the machine?

    Are any of the CTS team members named Ethan hunt or Benji Dunn?
  • Ian Cutress - Wednesday, March 21, 2018 - link

    Physical access isn't needed. I'm blown away and surprised at how many people seem to think this.
  • Manch - Wednesday, March 21, 2018 - link

    Oh OK. So in order to do this they need to get past the firewalls/DMZs, gain access, elevate their permissions until they get root, THEN do this, that's easier

    Here's the thing though. In order to get to what these guys are talking about and in the scenarios they've presented wouldnt you'd need to get onto the management network that controls the backend/physical portions of these server arrays? Most places Ive seen/worked these are air gapped and only the running network(all virtualized) is what touches the outside world. It was my understanding that these cant break out of a hypervisor so wouldn't physical access be required?
  • WoenK - Wednesday, March 21, 2018 - link

    Could you please explain how someone without physical access can flash a BIOS ? In their video they were using a Windows server installed directly (havent seen something like this in a long time, almost everybody uses VMs), were using the builtin Administrator and not even the BIOS Setup was secured with any password. And then run psexec on a server ? Since when is that installed on default ? VMware also affected by this ? ssh enabled adn root login allowed?
    So yeah, one could flash the BIOS even via a RAC if you had the credentials and if the RAC was reachable from the outside, but that is something you could do with any server, no matter if Intel or AMD. And signing the BIOS file, if you have the mastekeys it does not matter who made it. It has been like that forever.
    There is a reason why you create VMs and make different accounts for different uses.
    Not following even the lowest standards of best practices allways meant and allways will mean, you are screwed.
    I am actually blown away that there are people out there thinking that all admins are dumb and do not care a bit about security...if one compromised account gives you the right to flash a BIOS, then there is surely one person that should be fired
  • Stuka87 - Tuesday, March 20, 2018 - link

    Thanks for all your guys' coverage on this Ian!
  • SteelRing - Tuesday, March 20, 2018 - link

    on the other news, CTS Lab has closed shop, all the people have vanished and no evidence of it ever existed physically could be found. and if they dont do all these, good luck trying to bring up another exploit as credible at all.

    not shady at all.......
  • ikeke1 - Tuesday, March 20, 2018 - link

    Source?
  • tamalero - Tuesday, March 20, 2018 - link

    "None of these issues are Zen Specific".

    No shit sherlock.
  • bairlangga - Wednesday, March 21, 2018 - link

    Hello Anandtech.

    Just by looking around for comparison's sake. I noticed that your article title is quite "distinct". LoL
  • Lolimaster - Wednesday, March 21, 2018 - link

    AMD owned cts-intel-labs
  • FireSnake - Wednesday, March 21, 2018 - link

    But, CTS-Labs stated that it will take years to fix. And said AMD needs to stop selling processors. What a load of crap!
  • crotach - Wednesday, March 21, 2018 - link

    I smell a lawsuit coming up, and not necessarily from AMD.

    Any troll can sue CTS now for exposing the security flaws without following industry practice and using due consideration.

    Not sure that being Israel-based is going to help them, US has strong ties with Israel :)
  • willis936 - Wednesday, March 21, 2018 - link

    The company was made in Israel precisely because they’re untouchable. Israel won’t extradite for murder, they certainly won’t for a white collar scapegoat.
  • SkyBill40 - Wednesday, March 21, 2018 - link

    To my knowledge, there is no hard and clearly defined "industry practice". 90 days seems to be the norm as exhibited by Google's disclosure of the Spectre and Meltdown issues, but there's nothing that says they had to wait as long as they did. It's more of a gentleman's agreement made in good faith and little else. Clearly what CTS Labs did broke that unwritten code by releasing 24 hours after, but nothing says they couldn't do so. Don't take that as giving CTS Labs a pass, because I certainly don't agree with what they chose to do and especially now seeing how the "flaws" were obviously overblown and easily resolved.
  • realistz - Wednesday, March 21, 2018 - link

    So you had AMD fanboys screaming out of their tongues that this was fake news. Now that it’s recognized as a legit problem...
  • jimbo2779 - Wednesday, March 21, 2018 - link

    Nobody said they weren't right in what they said could be done but they were very wrong in how they went about announcing it and massively exaggerated how bad this was.

    To execute these exploits you realistically need physical access to a machine, admin rights on the machine and a custom bios and drivers specifically for that machine. Also this affects lots of non AMD machines and is not a Ryzen problem but an As media problem. All things that are purposely downplayed by CTS labs.

    Some of the posts here look like trolling or schilling with their, assumedly, intentional ignorance on the subject
  • johnnyan - Wednesday, March 21, 2018 - link

    Not really, most "AMD fanboys" realized there are actual vulnerabilities behind all this. But they hated the way all this was done to harm AMD. The funny thing is, there is a good chance it will have to opposite effect...
  • deil - Wednesday, March 21, 2018 - link

    A) someone don't like AMD ?
    B) someone don't like ASmedia ?
    C) why no intel when all boards have ASmedia chips ?
    D) what amd did (or plan TODO to trigger such personal atack ?)
  • mr_tawan - Wednesday, March 21, 2018 - link

    'Ryzenfall' (Raise-and-fall ... I guess ?) deserves a better use than this :). The name has a nice rhyme to it.
  • Manch - Wednesday, March 21, 2018 - link

    Sounds like a sequel to Crysis
  • Dug - Wednesday, March 21, 2018 - link

    I love it. An exploit that requires you to have full admin access. Guess what else you can do with full admin access? Just about anything you want.
    But they claimed it was much worse than this? mmm... unsubstantiated claims.
    If it sounds like a duck and walks like it duck, it's a troll.
  • SkyBill40 - Wednesday, March 21, 2018 - link

    Not a ducktroll? I am disappoint. :/
  • 0ldman79 - Wednesday, March 21, 2018 - link

    I think you guys are misunderstanding him.

    Admittedly, he wasn't terribly clear.
  • johnnycanadian - Wednesday, March 21, 2018 - link

    MSI hasn't released an update to address Spectre for the X99 Carbon AC. Somehow I doubt I'll be seeing fixes for these vulnerabilities in 2018.
  • MSWordPro - Wednesday, March 21, 2018 - link

    I used to get most of my tech news from Extremetech but the journalism was sub par and the comments full of hate and fighting like preschoolers. I'm really glad I moved to Anandtech, no idea why I didn't do this sooner.

    Thanks to everyone at Anandtech and the community for being civilized and professional. Keep it up guys and gals!
  • Makaveli - Wednesday, March 21, 2018 - link

    Welcome to the site hope you enjoy your stay!
  • Brodz - Thursday, March 22, 2018 - link

    They didn't believe AMD could patch these that fast. Now AMD has controlled the situation, hasn't been affected at all, and now has an even more secure product. Thanks CTS Labs.
  • Carmen00 - Thursday, March 22, 2018 - link

    I'm very glad to heard this news because it ensures that CTS Labs will not even have a shred of reputation left after this fiasco. So much for their "months" of time that it would take to fix! The sooner that clowns like them are put out of business, the better for everyone else in the legitimate security community.
  • Thermalzeal - Friday, March 23, 2018 - link

    Round of applause for the AnandTech team, it's how you get a bunch of electrons to add up!

    If there was an AnandTech movie it would be more Christopher Nolan and Aaron Sorkin instead of JJ Abrams and a script that begins with IBM trying to explain Quantum to What'son!
  • Sausagemeat - Saturday, March 31, 2018 - link

    I must say I’m genuinely surprised that the exploits turned out to be rea! I thought this was an obvious troll. Still, I’ve learnt my lesson, don’t jump to conclusions and don’t listen to the comments. When this dropped there were so many users asserting everyone that this was fake. Actually, it was quite different to spectre and meltdown where the same comment sections were ripping Intel to shreds. I guess users don’t like intel and have a soft spot for AMD. I don’t think either sets of vulnerability affects home users much and I really don’t think anyone is going to sell their current chip and buy a different one because of it.

    I do think though that we need to now focus on AMD and getting these fixed rather than hanging CTS labs out to dry. I don’t actually think they were unprofessional, I mean all they did was expose a vulnerability and chose not to hide it from the public. AMD shareholders might be upset but no one else should be.
  • vacllc123 - Saturday, November 2, 2019 - link

    This is a great Blog, So clear and easy to read. Thanks for sharing
    Regards:
    <a href="https://acmaintenance.services/">AC Maintenance Dubai</a>

Log in

Don't have an account? Sign up now