In an unexpected turn of events, hardware manufacturer Asus mistakenly revealed the existence of a significant vulnerability in AMD processors before the chipmaker had the chance to officially disclose it. The leaked information came to light when Tavis Ormandy, a Google vulnerability researcher, discovered an Asus update page for one of its Republic of Gamers gaming motherboards, the ROG Strix X870-I Gaming WiFi, which included a patch for an undisclosed “AMD Microcode Signature Verification Vulnerability”. Ormandy emphasized the severity of the issue, labeling it as a “major” CPU flaw, although the specifics of the vulnerability remain undisclosed at this time.
Expressing his dissatisfaction with the situation, Ormandy highlighted in a message to the Open Source Security mailing list on SecLists.org that the patch for the AMD processor vulnerability was not currently available in linux-firmware, making the information on the Asus update page the only publicly accessible patch. The patch, dated Jan. 16, has since been removed from the Asus website, and the company has not provided any comment on the matter.
Further complicating the situation, Ormandy mentioned that discussions surrounding the AMD update and how to extract the patch were taking place on the Win-Raid Forum, a platform dedicated to BIOS/UEFI modding and CPU microcode research. As the news spread, a spokesperson for AMD acknowledged the existence of the vulnerability and assured the public that they are actively working on providing mitigations for the issue. The statement shared by AMD emphasized the need for industry-standard security practices and advised customers to only install new code from trusted sources.
Despite the acknowledgement of the vulnerability and efforts to address it, it remains unclear when AMD will officially disclose the details of the issue. In a follow-up email on SecLists.org, Ormandy expressed frustration with the vendor’s handling of the situation, noting that obtaining access to the patch was a challenging process. This incident marks the first time Ormandy had been permitted to view the patch, indicating the sensitive nature of the situation.
As the story continues to develop, industry experts and consumers alike are eagerly awaiting further information from both AMD and Asus regarding the AMD processor vulnerability. With the potential risks associated with the disclosed flaw, it is crucial for users to stay informed and follow recommended security practices to safeguard their systems. As the tech community braces for the official disclosure of the vulnerability, the spotlight remains on AMD and Asus as they navigate the fallout from this inadvertent leak.