- Asus mentioned AMD microcode flaw in recent patch notes
- The flaw has not yet been made public by the processor manufacturer
- AMD has since confirmed the news
AMD has apparently confirmed the existence of a microcode vulnerability that was unintentionally disclosed by PC maker Asus.
Security researcher Tavis Ormandy recently spotted a beta BIOS patch, mentioned in Asus’ release notes, for a “microcode signature verification vulnerability” that apparently affects Asus gaming motherboards.
This was quite strange, because at the time, AMD had made no mention of such a vulnerability.
Confirmation from AMD
“It appears that an OEM has leaked the fix for a major upcoming CPU vulnerability, namely: ‘AMD Microcode Signature Verification Vulnerability,'” Ormandy said. “I’m not thrilled about this. The fix is not currently available in Linux firmware, so this is the only publicly available fix.”
Microcode can be described as a set of small instructions stored in a processor that tell it how to perform specific tasks. It works behind the scenes to help the processor understand and execute more complex commands.
After the community started asking questions, Asus edited the notes to remove mention of AMD’s microcode issue. Meanwhile, the chipmaker told The Register that Asus’ information was correct:
“AMD is aware of a recently reported CPU vulnerability. Executing the attack requires both local administrator-level system access, as well as the development and execution of malicious microcode,” the press release states.
The company also suggested that abusing the bug requires tricking victims into taking action.
“AMD has provided mitigation measures and is actively working with its partners and customers to deploy these mitigation measures,” it adds. “AMD recommends that its customers continue to follow industry standard security practices and work only with trusted vendors when installing new code on their systems. AMD plans to release a security bulletin containing additional guidance and mitigation options.”
At press time, there was no information on which processor models were affected by this vulnerability.
Via The Register