- Asus mentioned a flaw in AMD microcode in recent patch notes.
- The processor manufacturer has not yet made the flaw public.
- AMD has since confirmed the news.
AMD has confirmed the existence of a microcode vulnerability that was apparently leaked, inadvertently, by PC maker Asus.
Security researcher Tavis Ormandy recently discovered a beta BIOS fix for a “microcode signature verification vulnerability” that apparently affects Asus gaming motherboards and is mentioned in the company’s release notes.
This was quite strange, since at that time AMD had not mentioned any such vulnerability.
AMD confirmation
“It appears that an OEM leaked the patch for an upcoming major CPU vulnerability, namely: ‘AMD Microcode Signature Verification Vulnerability,’” Ormandy said. “I’m not excited about this. The patch is not currently in the Linux firmware, so this is the only publicly available patch.”
Microcode can be described as a set of small instructions stored within a processor that tell it how to perform specific tasks. It works behind the scenes to help the processor understand and execute more complicated commands.
After the community started asking questions, Asus edited the notes to remove the mention of the AMD microcode issue. Meanwhile, the chipmaker told The Registry that Asus’ information was correct:
“AMD is aware of a recently reported processor vulnerability. Execution of the attack requires local administrator-level system access and the development and execution of malicious microcode,” it said.
The company also suggested that abusing the bug requires tricking victims into taking action.
“AMD has provided mitigations and is actively working with its partners and customers to implement those mitigations,” it added. “AMD recommends customers continue to follow industry standard security practices and work only with trusted vendors when installing new code on their systems. AMD plans to issue a security bulletin soon with additional guidance and mitigation options.”
At the time of going to press, there was no information on the processor models affected by this vulnerability.
Via The Registry