AMD is addressing several vulnerabilities discovered in its Ryzen and EPYC chips, and rolling out updates for millions of devices “in the coming weeks.”
The 13 vulnerabilities came to public attention clouded in controversy. The security company CTS Labs gave AMD less than 24 hours’ notice before releasing the information to the public. Standard vulnerability disclosure practices call for giving companies at least 90 days’ notice so they can fix the flaws before researchers go public and hackers can start causing trouble.
Had CTS Labs given AMD that same courtesy, the issues would have been addressed within a week of the notification.
“Each of the issues cited can be mitigated through firmware patches and a standard BIOS update, which we plan to release in the coming weeks,” Sarah Youngbauer, AMD’s senior spokeswoman, said. “We believe this provides a good example of why the more standard 90-day notification window for such notifications exists.”
In the original vulnerability report, CTS Labs said that it would take “several months” to fix the issues and that some hardware flaws “cannot be fixed.” AMD disagreed with that timeline, and said it would provide more information in several weeks.
The chipmaker said the issues were not with its hardware, but with firmware, or software that’s embedded in hardware. It’ll be sending fixes for all 13 vulnerabilities through patches and BIOS updates. Mark Papermaster, AMD’s chief technology officer, said the updates won’t affect chip performance, an issue that has plagued Intel’s fixes for the Spectre and Meltdown flaws.