Date: 2018-03-21

AMD is addressing several vulnerabilities discovered in its Ryzen and EPYC chips, and rolling out updates for millions of devices "in the coming weeks."

The 13 vulnerabilities were clouded in controversy because the security company behind the research, CTS Labs, gave AMD less than 24 hours' notice before releasing its findings to the public. Standard vulnerability disclosure practices call for giving companies at least 90 days' notice so they can fix the flaws before they go public and hackers can exploit them.

Had CTS Labs given AMD that same courtesy, the issues would have been addressed within a week of the notification.

"Each of the issues cited can be mitigated through firmware patches and a standard BIOS update, which we plan to release in the coming weeks," Sarah Youngbauer, AMD's senior spokeswoman, said. "We believe this provides a good example of why the more standard 90-day notification window for such notifications exist."

In the original vulnerability report, CTS Labs said the vulnerabilities would take "several months" to fix, and that some were hardware flaws that "cannot be fixed." AMD disagreed with that timeline, and said it would continue to provide more information in several weeks.

The chipmaker said the issues were not with its hardware, but with the firmware. It will be sending fixes for all 13 vulnerabilities through patches and BIOS updates. Mark Papermaster, AMD's chief technology officer, said the updates won't affect its chips' performance, an issue that has plagued Intel's fixes for Spectre and Meltdown.

The vulnerabilities CTS Labs discovered also faced intense scrutiny because of how difficult they were to pull off. While independent researchers like Trail of Bits were able to confirm the flaws were legitimate, AMD pointed out that to carry out most of these attacks, you would need administrative access to the system -- which would already give a hacker plenty of options.

According to AMD's technical assessment, every single flaw required administrative access.

"Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research," Papermaster said in a statement.

Critics also had issues with CTS Labs' report, pointing out the legal disclaimer on its website, "you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."

Last Wednesday, CTS Labs' chief financial officer and co-founder, Yaron Luk-Zilberman, a former hedge fund manager, said it didn't have "any investment (long or short) in Intel or AMD."

The security report had been leaked to Viceroy Research, a financial firm, one week before CTS Labs disclosed it to AMD. The firm admitted to Motherboard that it tried to use the report to tank AMD's stock.

CTS Labs said it has no affiliation with Viceroy Research.

AMD declined to speculate on CTS Labs' financial motivation, Youngbauer said.