AMD has acknowledged there’s a problem with its Ryzen and Epyc chips, but concerns remain over the manner by which the security research firm CTS Labs first disclosed the vulnerabilities.
Cybereason’s Israel Barak described it as unorthodox. Recently, he spoke to CRNtv about the unwritten rules when it comes to security disclosures.
"Usually when vulnerabilities are exposed, there’s a deep technical analysis that is attached to the disclosure," said Barak. "So, there is a description of the vulnerability, a description of the mechanism and a description of how that vulnerability was exploited."
CTS Labs did not include a technical analysis. It has also come under fire for notifying AMD of the vulnerabilities only 24 hours before disclosing the information to the public, far short of the 90-day window typically observed.
Israel said the technical details are critical for an impacted vendor to adequately address the security issues, and said there are ways to disclose that information without tipping off other attackers. In this case, AMD said the vulnerabilities were extremely difficult to exploit because attackers would first need administrative access.
Barak also told CRNtv that he believes it’s time for a new approach to security.
"We need to have a secure architecture in place that looks in depth into the organization," he said. "An attacker doesn’t usually, out of the blue, have access to an enterprise endpoint with very high privileges. Something led to that, and things will happen from that point on."