- Asus mentioned a flaw in the AMD microcode in its recent patch notes
- The defect has not yet been announced by the processor manufacturer
- AMD has since confirmed the news
AMD appears to have confirmed the existence of a microcode vulnerability that was inadvertently leaked by PC maker Asus.
Security researcher Tavis Ormandy recently discovered a BETA bios fix for a “microcode signature verification vulnerability” that appears to plague Asus’ gaming motherboards, which was mentioned in the company’s release notes.
This was very strange, because at that time AMD had not mentioned any such vulnerability.
Confirmation from AMD
“The OEM appears to have leaked a patch for an upcoming major CPU vulnerability, for example: an AMD Microcode signature verification vulnerability,” Ormandy said. “I’m not happy about this. The patch is not currently in the Linux firmware, so this is the only patch available to the public.”
Microcode can be described as a set of small instructions stored within a processor that tell it how to do specific tasks. It works behind the scenes to help the processor understand and execute more complex commands.
After the community started asking questions, Asus edited the notes to remove reference to the AMD microcode issue. Meanwhile, the chip maker said Record That Asus’s information was correct:
“AMD is aware of the newly reported vulnerability in the processor. Executing the attack requires local administrator-level access to the system, development and execution of malicious microcode,” AMD said.
The company also suggested that exploiting the vulnerability would require tricking victims into taking action.
“AMD has introduced mitigation measures and is actively working with its partners and customers to deploy these mitigation measures,” she added. It added: “AMD recommends that customers continue to follow industry standard security practices and only work with trusted vendors when installing new code on their systems. It plans to issue a security bulletin soon with additional guidance and mitigation options.”
At the time of writing the article, there was no information about the processor models affected by this vulnerability.
via Record