AMD chips, renown for their power and performance, have been identified with a critical security flaw. The vulnerability is high-severity, enabling unauthorized users to access sensitive data like passwords and encryption keys, leading to a potential data breach.
Google’s diligent researcher exposes the flaw
The credit for uncovering this major flaw goes to Google’s security researcher, Travis Ormandy. His meticulous analysis of AMD Zen 2 CPUs revealed improper handling of an instruction termed “vzeroupper” during speculative execution. Speculative execution, a method leveraged by silicon OEMs to boost chip speed, was also used in the infamous Spectre and Meltdown vulnerabilities. The newly discovered vulnerability is recorded as CVE-2023-20593.
Implications of the security loophole
This flaw can cause data leakage at approximately 30 kb per core, per second. It is speedy enough to snoop on encryption keys and passwords during user login. The vulnerability isn’t confined to specific system operations; it can exploit operations in virtual machines and isolated sandboxes. The threat primarily affects AMD chips built on Zen 2 architecture.
AMD’s proactive response to the security crisis
Responding promptly, AMD has released a microcode update to mitigate the security risk. Users can directly access this link to download the update or await a BIOS upgrade from their computer vendor. This significant flaw, which was first reported to AMD in mid-May 2023, has a proof-of-concept exploit called “Zenbleed”.
Analysing the potential risk
A vulnerability enabling hackers to snatch encryption keys poses a high-level threat. The key unlocks sensitive data like passwords, personal photos, emails, instant messaging, and business-related documents. Although exploiting Zenbleed requires local system access and extensive specialization, the danger it poses should not be underestimated.
Community reactions to Zenbleed
The discovery of Zenbleed stirred varied responses within the community. While some users appreciated Ormandy’s effort, others voiced concern about the absence of vendor BIOS updates. Online security resource BleepingComputer reminded readers about the importance of regular system updates. CloudFlare confirmed that it has patched its servers to ward off the potential vulnerability.
We would like to hear what our valued readers think about this issue. Please share your thoughts with us in the comments section below!
{{user}} {{datetime}}
{{text}}