
Earlier today, we covered news that a previously unknown security research firm, CTS-Labs, has accused AMD of 13 serious security flaws inside its products. If these security flaws exist, it's critically important that AMD deal with them immediately. Nothing about their provenance or the process by which they were communicated to the press changes that. But we'd be remiss if we didn't note the perplexing nature of how they were communicated. Security researchers are also raising the alarm regarding some highly suspicious disclosures and framing of the underlying issues.

With Spectre and Meltdown, an early disclosure spilled the beans about a week earlier than Intel, AMD, ARM, and Google had collectively planned. All of the companies in question had been aware of Spectre and Meltdown since June (meaning, for months) and had been working on fixes throughout that time. Google, in fact, had given the various hardware companies an extended deadline to get fixes ready before disclosing the existence of the bugs. That's standard operating procedure in security disclosures; vendors are typically given at least a 90-day window to implement solutions. But in this case, AMD was notified a day ahead of the disclosure by an Israeli firm, CTS-Labs.

CTS-Labs has hired a PR firm to handle press inquiries, and its website, AMDFlaws.com, doesn't exactly follow typical disclosure methodology. In fact, the text of the site absolutely drips with alarmism, with quotes like:

[Image: quote from the AMDFlaws.com site]

Spectre affects every Intel CPU manufactured for over two decades, yet Google managed to avoid this kind of hyperbolic claptrap when it disclosed both it and Meltdown.

Under the section "How long until a fix is available?" the site states:

[Image: the site's "How long until a fix is available?" section]

It's hard to guess a time to resolution when you haven't even spoken to the company yet.

If you want to know how long it's going to take to fix a security flaw, you typically ask the company in question after telling them you've found one. This just isn't how security researchers disclose product flaws. Compare the language above with Google's own work on Meltdown and Spectre, where it details how the attacks work, links to actual, formal white papers that detail how these attacks work, and then goes into an in-depth breakdown of the attacks with code samples and examples.

CTS-Labs' website and white paper completely lack this in-depth technical discussion, but the site is stuffed with pretty infographics and visual designs depicting which AMD products are affected by these problems. It's exactly the kind of thing you might create if you were more interested in launching a PR blitz than in issuing a security notification.

AMD was given so little notice that it can't even state whether the attacks are valid or not. The company's statement reads: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."

Good security firms don't put users at risk by launching zero-day broadsides against companies when the security flaws in question could take months to resolve. Good security firms don't engage in rampant alarmism. Good security firms don't use websites like "AMDFlaws" to communicate technical information, any more than they'd use "IntelSecuritySucks" to communicate security flaws related to Spectre, Meltdown, or the Intel Management Engine. Good security firms do not draw conclusions; they convey information and necessary context.

The reason good security firms don't do these things is that good security firms are more concerned with finding and fixing problems than they are with publicity. When Embedi found recent flaws in the Intel Management Engine and F-Secure discovered problems within Intel's Active Management Technology, they emphasized communicating the situation clearly and concisely (F-Secure's blog post does have a touch of hyperbole, but it doesn't approach what CTS-Labs is doing here).

We aren't the only site to notice. There's a notification on CTS-Labs' site that it may have a financial interest in the companies it investigates (shorting AMD stock is practically a pastime in financial circles). Other security researchers have absolutely trashed the way in which the findings were communicated, the likely financial entanglements, and the way the brief has been communicated.

If these security flaws are real, AMD has a lot of work to do to fix them. It absolutely deserves criticism for failing to catch them in the first place, and there is at least one security researcher who has seen the code and believes the matter to be serious. But even if CTS-Labs' findings are genuine, it has communicated them in a manner completely at odds with best practices in the security community. Its manner and method of communicating its findings have much more in common with a PR firm hired to do a hit job on a competitor, or a company looking to make a financial killing by shorting stock, than with a reputable security firm interested in establishing a name for itself. Finding 13 major security flaws in a major microprocessor was guaranteed to make the news all on its own.

It's entirely possible that CTS-Labs is a relatively new company made up of researchers who decided to debut with a splash and sacrificed the best practices of security disclosure to do it. It's also possible it isn't. Either way, the company has done itself no favors with these shenanigans.

Update:

CTS-Labs has acknowledged to Reuters that it shares its research with companies that pay for the data and that it's a firm with just six employees. Meanwhile, Viceroy Research, a short-seller firm, has published a 25-page "obituary" for AMD based on this information, in which it declares AMD is worth $0.00 and believes no one should purchase AMD products on any basis, for any reason whatsoever. It also predicts AMD will be forced to file for bankruptcy on the basis of this "report."

We stand by what we said regarding the flaws themselves — we'll wait to hear from AMD on how that shakes out and what the risks are — but the actual reporting of the flaws appears to have been done in profound bad faith and with an eye towards enriching a very particular set of clients. ExtremeTech denounces, in the strongest possible terms, this scheme's apparent perversion of the security flaw disclosure process.