So this AMDflaws.com business... CTS Labs asked us to review their research last week, and sent us a full technical report with PoC exploit code for each set of bugs.
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works.
I initially responded to their request out of curiosity -- "Hey, do you want to see our new processor bugs before we release them?" "hell yes I do" -- but after their asks continued to grow billed them our week rate for the work.
I spent all morning talking to reporters, mostly to correct twitter hot takes. Yes, all the flaws require admin privs but all are _flaws_ not expected functionality.
You can find a measured take that includes my commentary on these vulnerabilities from @lorenzoFB @motherboard: motherboard.vice.com/en_us/article/…
Adding a FAQ based on the last 24 hours:
- "Tell me more about how you were paid"
- "Tell me more about how you were paid"
"In a situation like this, would it be common for your firm to discuss disclosure with the vendor?"
Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
Yes, and we did. I discussed pros/cons of various options with them and recommended that they report the vulnerabilities to a CERT.
"Were you made aware of the plans to go public?"
No.
No.
"How did CTS Labs find you? What is your relationship to them?"
Mutual friend. No ongoing relationship.
Mutual friend. No ongoing relationship.
"Do you have any financial position or interest in AMD or Intel stock?"
No.
No.
If you're looking for clear, technical information about the flaws then see the blog we just published:
