Company Behind Controversial AMD Report Responds to Confusion After Publication


CTS, the company that caused confusion on Tuesday with its report of claimed vulnerabilities in AMD’s Ryzen and Epyc platforms, has set out its views on the method of publication in an open letter.

The open letter has been added to the site where the Israeli company published its findings. In it, CTS CTO Ilia Luk-Zilberman acknowledges that ‘many questions and a lot of confusion’ have arisen because of the company’s approach. In the document he explains the reasons for the chosen approach and criticizes the current model of responsible disclosure. Among other things, he argues that this model, which gives a vendor time to develop a fix, leaves the decision of whether to inform affected users in the hands of the affected vendor. He also claims in the letter that the investigation into AMD’s platforms began a year ago.

He also questions whether it is justified to publish the technical details of a vulnerability once the disclosure deadline has passed but the vendor has not yet developed a fix. CTS therefore reportedly chose to inform AMD and the general public at the same time “to put maximum pressure on the manufacturer”. It emerged that CTS had notified AMD only 24 hours in advance, which drew the company a great deal of criticism. Luk-Zilberman claims the technical details were omitted from the report to protect users. He acknowledges that this undermines the report’s credibility, and says that the company therefore decided to have its findings verified by external researchers.

He is referring to verification by Dan Guido, CEO of the security company Trail of Bits, who was paid by CTS for the verification work. Guido told Ars Technica after the CTS release that he had received the technical details from the company and was confident that the vulnerabilities are genuine. “Once you have administrator rights, running the exploits isn’t that hard,” he added. On Wednesday night a second well-known security researcher, Alex Ionescu, also said that he knows the technical details and pointed to “actual design and implementation issues worth discussing.” He also said that “Administrator access and persistence are legitimate threats in Infrastructure as a service.”

However, the technical details have still not been made public, and AMD has not yet commented on the findings beyond a short notice on its website. The findings published Tuesday by CTS describe several vulnerabilities related to the Secure Processor of AMD’s Ryzen and Epyc platforms. Exploitation generally requires an attacker to already have administrative privileges. The manner of publication was met with heavy criticism, and suspicions arose that the underlying motive was to influence AMD’s share price. Shortly after the CTS publication, the short seller Viceroy Research published its own report claiming that the publication would mean the end of AMD.
