Do not work. And yeah, as post above, some think it's still Fake News and will not accept the facts. Especially those who prefer AMD over Intel. But as I have repeated several times. No one will completely avoid that flaws can come.
-
Techpowerup.com, Wednesday, March 21st 2018
"CTS-Labs, following up on Tuesday's "Masterkey" exploit proof-of-concept video, posted a guide to bypassing Windows Credential Guard on an AMD Ryzen-powered machine."
-
Again they logged in as admin. Agreed it is an issue but again you have to be originally an admin. Now once the backdoor is in I am not sure what is needed but again they had to log in as admin. Having these PoCs is interesting but AMD has admitted they are an issue to be addressed. If you did not originally have to be an admin then yes these would be a much higher concern, but this is not the case.
-
don_svetlio In the Pipe, Five by Five.
I can already see the next CTS video - a guy picking up a PC and walking away with it - critical security vulnerability.
-
CTS is trying to say, without directly saying it, AMD is wrong. We need to worry, go into severe panic mode. There is a lot of short money, and they need the price to come down NOW!
Here is the problem. CTS has picked the absolute smartest group of people they could have to do this sham against. Even the emotional stock people have groups of IT people to talk to. While some totally clueless media outlets gave in to the FUD, very few did.
-
Starlight5 Yes, I'm a cat. What else is there to say, really?
-
The issue is if you give admin access away you have already given the castle away as well. Now this is a limited issue where a nefarious Admin could do some real damage but TBH even without this a nefarious Admin can do a lot of damage. Not to say it is not a group of issues that needs pursuing and remediation, it does.
The point is because it requires the keys to begin with most systems should not be vulnerable. As with anything YMMV and through social engineering, like Ransomware today, the exploit could be detrimental.
Again no one is saying it is unimportant, just that its importance and urgency have been greatly exaggerated and misrepresented.....
-
Great summary by adored here. It literally steps through a lot. You can choose to ignore the part on attribution of who paid for the report accordingly, as it is speculation, but it is important to note Intel being exposed more widely on the Chimera ASMedia exploit than AMD is exposed.
-
AMD To Patch Zen Vulnerabilities - No Performance Loss At All
Published on Mar 21, 2018
AMD have responded to CTS Labs' allegations by confirming they are almost set to deploy a set of BIOS/software updates, which will totally mitigate the vulnerabilities. AMD have confirmed that these vulnerabilities are very minor anyway, as they require full system administrator privileges.
Initial AMD Technical Assessment of CTS Labs Research
Posted by mark.papermaster, Mar 21, 2018 7:07:10 AM
https://community.amd.com/community...amd-technical-assessment-of-cts-labs-research
Last edited: Mar 22, 2018
-
It seems CTS Labs has some allies in the security-affiliated news outlets. They are predicting AMD taking way longer, if at all, mitigating the issues and that it is more an issue than reported as Credential Guard is vulnerable. Please remember all require the driver and custom flashed BIOS so even the Credential Guard bypass first requires admin access for those, so one exploit seems to rely on others first.
https://nakedsecurity.sophos.com/20...tch-timeline-as-disclosure-controversy-rages/
http://searchsecurity.techtarget.co...-for-Ryzen-chip-flaws-due-in-the-coming-weeks
-
these are irrelevant, if they make a speedy processor with good IPC, people will buy regardless. there are only two choices anyway and both sides of the camp have security issues and people making a big deal out of it. zen+ looking good, let's see what zen2 brings to table in 2019.
Last edited by a moderator: Mar 28, 2018
-
Thought I would mention this is 3 weeks since 3/20 when AMD said it would have mitigations in weeks. I have yet to see anything.
-
Or, have some patience and wait quietly like the rest of us...
Intel has mis-delivered a number of times, and Intel has had 9+ months to respond with fixes. It's tough for everyone, let's remain calm and carry on, ok?
Initial AMD Technical Assessment of CTS Labs Research
Posted by mark.papermaster Employee in AMD Corporate on Mar 21, 2018 7:07:10 AM
https://community.amd.com/community...amd-technical-assessment-of-cts-labs-research
AMD didn't say 3 weeks, they said "weeks", open ended as they should due to the unknowns in fixing the issues. AMD wanted to communicate they plan to fix this in weeks - as quickly as possible - but there was no commitment to a specific date or number of weeks.
"AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks."
"AMD is working on PSP firmware updates that we plan to release in the coming weeks."
"AMD is working on PSP firmware updates that we plan to release in the coming weeks."
Rather than stir up ****, let's be patient and wait, I trust AMD will do what they can as quickly as they can. You should too.
Last edited: Apr 10, 2018
-
And, using "in the coming weeks" says to me there is no specific date or number of weeks promised.
-
He is correct about 4 weeks in a month. Now there are 520 or so weeks in a decade, so where does that stop?
-
Your specific count of "3 weeks" is all in your imagination.
Protecting physical and login access to your device should be enough to mitigate any issues - don't auto-login to Administrator at power up.
And, don't forget the title of this thread ...(Don't) Make Mountains Out of Molehills over Minor Secondary Vulnerabilities - it's good to remember not to get overly concerned about it, tracking it day by day - week by week.
And, again, go ask AMD and see what they have to say, we don't know when the fixes are coming, ask for an update from AMD directly.
Last edited: Apr 10, 2018
-
AMD will update whenever they want to, not by my say I am sure. My count of three weeks, at least to me, is acceptable. If not for the cure but at least an update as to the status as weeks possibly turn into months.
The reason for posting here is it is a continuation of the topic. So if you read these are of secondary minor concern then the cure is as well. Point being it is of some concern,
If you go by the dates 3 weeks having gone by is not just my imagination. If you look up the definition of "in coming weeks" nowhere is months, years or decades mentioned. So your meaning of the phrase and time extension would never hold up in a court of law.
If you are upset about not having an answer you can go ahead and ask AMD, personally I am not that upset just pointing out a fact. I cannot help facts are facts and that a few of us here are naturally curious people. -
There hasn't been any news from AMD on this because I wouldn't expect any progress reports before a release of fixes. No news is good news. -
Never said a deadline as a fact just that three weeks has passed as a fact. I cannot help if most take the literal meaning of "in coming weeks" to mean not "in coming month(s)". You are trying to shoot the messenger here. If you are really curious as to why they want to go and use weeks as an extension to mean months, years or even decades please go ahead and ask AMD.
-
If we're gonna be pedantic about it, "months" wouldn't be accurate until ~8 weeks pass.
-
Very specifically non-specific.
-
Very specifically being non-specific can and will affect stock prices and has at times very specifically irreparably damaged companies.
CTS Labs Make Mountains Out of Molehills over Minor Secondary Vulnerabilities
Discussion in 'Hardware Components and Aftermarket Upgrades' started by don_svetlio, Mar 13, 2018.