The 13 vulnerabilities that an Israeli security firm found in AMD processors are indeed legit. On Tuesday, AMD confirmed the findings. Fortunately, the chipmaker is preparing several fixes that should be arriving in the coming weeks.
“We believe that each of the issues cited can be mitigated through firmware patches and a standard BIOS update,” the company said in an email on Tuesday. “These patches and updates are not expected to impact performance.”
An Israeli security firm called CTS-Labs originally discovered the vulnerabilities, which affect Ryzen and EPYC branded chips. These flaws can be used to install malware on an AMD-powered computer and attack other systems over a network, it warned.
In a controversial move, CTS-Labs decided to go public with the vulnerabilities a mere 24 hours after it notified AMD about the security flaws, leaving consumers without any patch to install.
On Tuesday, AMD’s chief technology officer published a blog post breaking down the threat. The good news is that the security vulnerabilities can only be exploited when someone has administrative access to your computer. That means a hacker will have to trick you into installing some malware.
AMD also downplayed the threat by referencing the findings of an independent security firm that examined the vulnerabilities.
“There is no immediate risk of exploitation of these vulnerabilities for most users,” the security firm Trail of Bits said in its own findings. “Even if the full details (of the security flaws) were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities.”
The flaws are separated into four classes, three of which will have firmware fixes in the coming weeks, AMD said. Two remaining flaws in the Chimera class will be fixed through a BIOS update, which will come through a third-party provider, but AMD didn’t say when.
So far, CTS-Labs hasn’t commented on AMD’s plan to patch the vulnerabilities. The Israeli security firm said it disclosed the security flaws to pressure the chipmaker into fixing them. However, it also claimed that AMD would need “several months” to fix most of the flaws. CTS-Labs also warned that a workaround for the Chimera flaw could cause “undesired side effects.”