On the very same day this information came out, 'Viceroy Research Group' managed to release a 33-page 'analysis' of these results. With illustrations.
>We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries.
Viceroy Research lists no employees or contact address, but it appears they are not a crack team of hardworking & incisive business analysts, but two Australian teenagers and a former UK child social worker, struck off in 2014 for misconduct.
They have previous form in producing or plugging short-call stories (quite effectively), and latterly investigated by South African media for similar shady business.
It took very little internet sleuthing to find this stuff out. None of the tech press bothered to do so.
Disclaimer: I have no position in AMD.
Edit: link to Viceroy https://viceroyresearch.org/
>All of the exploits require elevated administrator access, with MasterKey going as far as a BIOS reflash on top of that. CTS-Labs goes on the offensive however, stating that it ‘raises concerning questions regarding security practices, auditing, and quality controls at AMD’, as well as saying that the ‘vulnerabilities amount to complete disregard of fundamental security principles’. This is very strong wording indeed, and one might have expected that they might have waited for an official response.
Extremely fishy. 1-day notice? Such aggressive wording without even the chance for AMD to address the concerns?
"you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports"
I found this on /r/AMD haha: https://i.imgur.com/OkWlIxA.jpg
"Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports." from the disclaimer
Why does it say this on the disclaimer:
"...we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
Are they shorting AMD? https://amdflaws.com/disclaimer.html
Linus' reaction: https://plus.google.com/+LinusTorvalds/posts/PeFp4zYWY46
24 hours means they don't deserve to be called security researchers. They're exploit creators. Given the material effect this would have on AMD's stock, one might also reasonably speculate about their financial interests.
If the vulnerabilities were real, I'd have no problem with a company using it to promote themselves, trade and talk their book, etc. The issue here is the vulnerabilities are very overhyped (some are fundamental things like "if you reflash your BIOS with evil, you're screwed", some just make local root access more persistent, etc.
The problem with something like TRO LLC is that markets don't move on security info.
I think the economics/ethics of the researchers are overshadowing something big:
"RYZENFALL allows malicious code to take complete control over the AMD Secure Processor."
"Multiple vulnerabilities in AMD Secure Processor firmware allow attackers to infiltrate the Secure Processor."
If this is legitimate, this is huge! The PSP could potentially be disabled! Very little work has gone into handicapping the PSP compared to the IME.
24hrs notice is unheard of.
Who works for CTS-Labs? Attaching your name to a company like that should disqualify you from any future jobs in the security space.
Wild guess / conspiracy theory: Intel, afraid of the damage to their image just made worse by diminished performance advantage compared to AMD )due to Meltdown), fearing long-term market loss, quickly found ways to tackle the issue by, instead of pedaling to regain trust, damaging a competitor's image. It seems like a reasonable long game to support and perhaps steer the disclosure of AMD vulnerabilities that CTS-labs had been investigating. Or maybe is was Intel investigating themselves, had some cards up their sleeves, but needed some other entity to do the public disclosure.
Other theories discussed here seem less far-fetched than the above, but in any case, it does smell funny.
A security researcher claims to have access to the full (non-public) technical report as well as PoC exploits for it. He says they're legit, and they are flaws, not just "you can do admin things with an admin password".
Sounds like the capabilities include the ability to jump outside a VM sandbox, take over the PSP, and pivot to the firmware or BIOS exploits.
Did anyone verify any of these? The whole thing reeks.
Apparently all these can only be exploited if you already have administrator privileges. Raymond Chen calls that "being on the other side of the airtight hatchway" and has written about it numerous times.
Scammy site, see: item?id=16576516
Since all of this seems to be related to "Secure Boot" and other DRM related crap, can we please just have the option of booting with minimal firmware support, no hidden code, and go for a completely open, community maintained, and audit-able by /anyone/ infrastructure?
No, I don't want HDCP or any similar crap; let me run my servers and desktops in secure mode.
I'll still buy Threadripper/EPYC. There is nothing else on the market that is comparable for my needs.
I lol'ed at this in the "whitepaper" for a potential impact of a claimed vulnerability:
Physical damage to hardware (SPI flash wear-out, etc.)
Reminds me of little kids trying to fill out their 200-word essays.
The 24h disclosure should not be too much of a problem, since they state:
> "we are letting the public know of these flaws but we are not putting out technical details and have no intention of putting out technical details, ever"
It's always a risk, because now people know where to look to recreate it themselves, it's not like this is a full-disclosure release where you're SOL as a manufacturer and have to race rampant public exploitation.
Insider trading claims might be difficult since you can claim the vulnerabilities were public knowledge waiting to be discovered, but...
Can you trade on knowing the security disclosure timeline prior to your publication of the vulnerability? That would seem to be insider knowledge until AMD authorizes publication. E.g. I've got knowledge that AMD likely wouldn't be able to fix the flaws prior to my disclosure. That knowledge would inherently be non-public.
Disclosure: I've been long AMD for a while.
If anyone trades options, the IV on options expiring in March on AMD went up significantly last week with no apparent news, probably because of these guys.
The upside of this is that most of these vulns are ineffective after disabling AMD "Secure" Processor at boot which is now an option in most firmware. Without breaking manufactures firmware upgrade key you cannot execute the first one to toggle the settings.
The interesting one is against Promontory. It still requires VM host access to exploit so the impact is limited.
What shocks me is that most mainstream media report it. It's on top of techmeme, and all major names are linked. sigh.
"One hit wonder" security firm is trying to make a name for itself.
Does this enable auditing of the psp, or replacing the sw with trusted code?
DUPE of item?id=16576516
This is FUD. The original post was flagged, because the domain and website are far from trustworthy. Technically, the accusations seem to be more of a joke.
> AMD is in the process of responding to the claims, but was only given 24 hours of notice rather than the typical 90 days for standard vulnerability disclosure. No official reason was given for the shortened time.
90 days is not a standard. Nothing was shortened. People are allowed to publish their research whenever they like. Vendor advance notification is optional.
Full, immediate disclosure is responsible.
something smells fishy... y 24hrs warning? whatever happened to the usual 90 days disclosure?
No reaction from the stock market. I'm not interested.
It seems to me a pretty mild security flaw one that requires local root privileges or even reflashing the BIOS to be exploited. I cannot think of a real world scenario where this can be a problem.
This is just Intel trying to muddy the AMD waters
One of the co-founders runs a hedge fund.
The website's disclaimer says "you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports".
This has all the signs of a bonafide smear job, Intel has a huge presence in Israel, lot's of investments there.
Wouldn't take much to use stealth proxy operatives to carry out such a smear, and guess who benefits the most from a smear of AMD ?
One thing that does strike me is that, after the Intel Co. situation, giving only a little notice prevents execs from being able to short their own stock on the vuln.
Is this confirmed yet?