03-15-2018, 09:50 PM
https://www.extremetech.com/computing/26...eeper-hole
Quote:By its own statements, CTS Labs tested and developed a proof of concept exploit for Asmedia controllers before it was aware these controllers were incorporated into Ryzen chipsets. Where, then, is the website AsmediaFlaws.com? Where’s the notification to tell Intel motherboard customers that the chips on their motherboards can be similarly backdoored and abused? This isn’t a theoretical; I’m writing this article from an Ivy Bridge-E system powered by an Asus X79-Deluxe motherboard with an Asmedia 1042 controller. In its white paper, CTS Labs describes the offending Asmedia controllers as follows:
...
If CTS Labs has accurately characterized these flaws, the problems in Asmedia controllers affect millions of Intel motherboards worldwide going back six years. In the early days of USB 3.0, before Intel added its own native chipset support, Asmedia was one of the most common third-party providers. Chips like the ASM1142 are still used on Intel motherboards today. When we looked at Newegg, nearly every USB 3.0 PCI Express card we spot-checked used an Asmedia solution — typically the ASM1042 or ASM1142.
If these Asmedia flaws are common to Intel, AMD, and standalone cards, Intel users and expansion card users absolutely should’ve been notified. If they’re unique to AMD users, CTS Labs needed to explain why. It has not. Again, when security researchers describe flaws, they typically describe them across the entire set of hardware on which they are known to occur. Failing that, they at least acknowledge the use of these broken solutions in other contexts. CTS Labs did neither.
...
While we’re still waiting for AMD or another third party to release more details, it’s clear there’s a real problem here. But the question raised by CTS Labs behavior isn’t whether there are flaws in AMD’s chipsets or Ryzen CPUs. It’s a question of whether those flaws were fairly or accurately characterized given the company’s scaremongering, and a further question of whether the disclosure was targeted and timed as part of a scheme to harm AMD’s stock price, as opposed to a straightforward, good-faith security disclosure.
On these issues, Zilberman is silent.
There’s nothing illegal about paying a security firm to research a product or the manner in which CTS Labs disclosed its findings. But just because something isn’t illegal doesn’t make it a good idea — and we can think of few ideas worse than short sellers and security firms teaming up to weaponize disclosures. Zilberman’s letter may have been intended to clear the air, but it only raises more questions about the nature of the company’s findings and its framing of its work.

