AMD suffered from considerably fewer reports of vulnerabilities than Intel, but a handful of them have surfaced. A few days ago we commented on the vulnerabilities discovered by the Graz University of Technology, which has published its findings in a document called Take A Way, which describes the Collide+Probe and Load+Reload attacks in detail.
AMD denies that these are speculative execution attacks
In this case, AMD states, with reference to the White Paper “Take A Way”, that “these are not new attacks based on speculative predictions” and they have therefore not released any software updates in response.
The ZDNet site reports that they are in contact with researchers who claim that the attack still operates on updated machines. The researchers also say that they have tested the exploit on JavaScript engines for Chrome and Firefox, and on a hypervisor (for virtualized environments such as cloud servers).
It is unclear whether AMD or the researchers are right until AMD releases a patch or someone releases an exploit using these methods. In either case, the researchers also claim that the amount of data that can be leaked is small. Although they claim that it can work in real-world scenarios, this does not mean that it is worth doing it in real-world scenarios.
However, if it works and can be patched, then it should be repaired.
This is the official statement from AMD:
We are aware of a new report claiming possible security holes in AMD’s CPUs, where a cache-related function could be manipulated to possibly transfer user data in an unintended way. The researchers then matched this data path against known and mitigated software or speculative execution-site channel vulnerabilities. AMD believes that these are not new speculative attacks.
AMD continues to recommend the following best practices to mitigate side-channel problems:
- Keep the operating system up to date by using the latest platform updates and firmware, including existing mitigations for speculative vulnerabilities
- The following secure encryption methods
- Implement the latest patched versions of critical libraries, including those vulnerable to side-channel attacks
- Use safe computer practices and run anti-virus software
This is the end of AMD’s discussion of this issue, while completely minimizing the impact of these vulnerabilities. We will keep you informed as soon as we know more.