A team of Google researchers working with AMD recently discovered a major CPU exploit on Zen-based processors. The exploit allows anyone with local admin privileges to write and push custom microcode updates to affected CPUs. The same Google team has released the full deep-dive on the exploit, including how to write your own microcode. Anyone can now effectively jailbreak their own AMD CPUs.

The exploit affects all AMD CPUs using the Zen 1 to Zen 4 architectures. AMD released a BIOS patch plugging the exploit shortly after its discovery, but any of the above CPUs with a BIOS patch before 2024-12-17 will be vulnerable to the exploit. Though a malicious actor wishing to abuse this vulnerability needs an extremely high level of access to a system to exploit it, those concerned should update their or their organization’s systems to the most recent BIOS update.
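The post gives two facts a practitioner can act on: which CPU generations are in scope (Zen 1 to Zen 4) and the firmware cutoff date (2024-12-17). The following triage script is an added example, not code from the linked article, from Google or from AMD. It maps the generations onto the public CPUID family numbers (family 23, i.e. 0x17, is Zen 1/Zen 2; family 25, i.e. 0x19, is Zen 3/Zen 4; Zen 5 is family 26 and is deliberately excluded) and compares the DMI BIOS build date against the cutoff. The two `/proc/cpuinfo` samples are constructed, not captured from real machines. Treat the result as a heuristic: the BIOS date is a proxy, and the authoritative check is the minimum microcode patch level in AMD's advisory, which this page does not list.

```python
"""Heuristic 'am I affected?' triage for the AMD Zen microcode issue.
Added example, not code from the article, Google or AMD. Parsing is kept in
pure functions so it can be exercised offline on captured strings."""
from datetime import date
from pathlib import Path

# Date given in the post: firmware built before this is treated as unpatched.
CUTOFF = date(2024, 12, 17)

# Public CPUID family numbers: 23 (0x17) = Zen 1/Zen 2, 25 (0x19) = Zen 3/Zen 4.
# Zen 5 is family 26 and is intentionally not in this set.
ZEN1_TO_ZEN4_FAMILIES = {23, 25}


def parse_dmi_date(text):
    """/sys/class/dmi/id/bios_date is MM/DD/YYYY; return a date, or None if unparsable."""
    try:
        m, d, y = (int(part) for part in text.strip().split("/"))
        return date(y, m, d)
    except ValueError:
        return None


def parse_cpuinfo(text):
    """Pick vendor_id and cpu family out of the first processor block of /proc/cpuinfo."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key in ("vendor_id", "cpu family") and key not in info:
            info[key] = value
    return info


def assess(cpuinfo_text, bios_date_text):
    """Return 'not-amd-zen1-4', 'unknown', 'likely-patched' or 'likely-unpatched'."""
    info = parse_cpuinfo(cpuinfo_text)
    if "vendor_id" not in info or "cpu family" not in info:
        return "unknown"
    try:
        family = int(info["cpu family"])
    except ValueError:
        return "unknown"
    if info["vendor_id"] != "AuthenticAMD" or family not in ZEN1_TO_ZEN4_FAMILIES:
        return "not-amd-zen1-4"
    built = parse_dmi_date(bios_date_text)
    if built is None:
        return "unknown"
    return "likely-patched" if built >= CUTOFF else "likely-unpatched"


def assess_this_host():
    """Run the check on the local Linux machine (the DMI sysfs node is normally world-readable)."""
    return assess(Path("/proc/cpuinfo").read_text(),
                  Path("/sys/class/dmi/id/bios_date").read_text())


# Constructed samples (not captured from real machines) for offline use.
SAMPLE_ZEN4_CPUINFO = """processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model name\t: AMD Ryzen 9 7950X 16-Core Processor
"""
SAMPLE_INTEL_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
"""

if __name__ == "__main__":
    print("sample Zen 4, BIOS 11/05/2024:", assess(SAMPLE_ZEN4_CPUINFO, "11/05/2024\n"))
    print("sample Zen 4, BIOS 01/20/2025:", assess(SAMPLE_ZEN4_CPUINFO, "01/20/2025\n"))
    print("this host:", assess_this_host())
```

Run it directly on a Linux host to get a verdict for that machine; a fleet check would feed `assess()` the same two strings collected by whatever inventory agent is already in place rather than shelling out per host.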

  • Onno (VK6FLAB) · 61 upvotes · 2 months ago

    From the article:

    helped in no small part by AMD reusing a publicly-accessible NIST example key as its security key

    That’s a whole new level of … something.

    • jmcs@discuss.tchncs.de · 31 upvotes · 2 months ago

      90% of security vulnerabilities are caused by “let’s just use/do this for now and change it before production”.

      • Onno (VK6FLAB) · 5 upvotes · 2 months ago

        What does the fix look like?

        Code scanners? Hackathons? Code review by new hires? Education? Methodology?

        • jmcs@discuss.tchncs.de · 5 upvotes · 2 months ago

          All of the above and more? There’s always the risk of something falling through the cracks, so the more layers of security measures you add/can afford the better.

    • sanpo@sopuli.xyz · 10 upvotes · 2 months ago

      I’d like that to be “new”, but… It’s not exactly the first time this exact thing happened in tech.

      • Onno (VK6FLAB) · 6 upvotes · 2 months ago

        I spent quite some time trying to find a better way to put it, but stupid, idiot, ignorance, incredulity just didn’t seem to cover the experience of WTAF?

        • BOFH@feddit.uk · 1 upvote · 2 months ago

          Sounds like someone went full cut and paste from Stack Overflow…

          • BOFH@feddit.uk · 2 upvotes · edited · 1 month ago

              Someone actually used an example security key in their actual code.

              Like if I worked on your employer’s helpdesk resetting everyone’s password and told people “choose a new password, for example ‘password123’ but don’t use that actual one because it isn’t safe” and people went ahead and used ‘password123’ anyway. It would now be very easy to break into all their accounts…
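The thread above turns on one point: a value printed in a public standard as a worked example was used as a real key. The scanner below is an added example, not code from the article, Google or AMD, and it is the kind of check that catches that mistake before release: it searches a firmware image for keys that standards publish as test vectors. The page does not say which key AMD used, so the single table entry is offered as the category of value, not as a claim about AMD's key: it is the AES-128 example key from NIST SP 800-38B, the same bytes that appear in FIPS-197 and RFC 4493. The firmware-like sample image, its `FWX1` magic and the offset are constructed for the demonstration.

```python
"""Scan a firmware image for keys that standards documents publish as worked
examples. Added example, not code from the article, Google or AMD. The table
holds one entry, the AES-128 example key from NIST SP 800-38B (also printed in
FIPS-197 and RFC 4493); it is the category of value the thread discusses, not a
statement about which key any vendor used."""

# key name -> key bytes. Extend with the test vectors of every spec your firmware implements.
PUBLISHED_EXAMPLE_KEYS = {
    "AES-128 example key, NIST SP 800-38B / FIPS-197 / RFC 4493":
        bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
}


def _encodings(key):
    """Ways a key tends to be embedded: raw, byte-reversed, or as ASCII hex (either case)."""
    return {
        "raw": key,
        "reversed": key[::-1],
        "hex-ascii": key.hex().encode(),
        "HEX-ASCII": key.hex().upper().encode(),
    }


def find_all(blob, needle):
    """Every offset at which needle occurs in blob; overlapping matches are reported too."""
    offsets, start = [], 0
    while True:
        i = blob.find(needle, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_blob(blob):
    """Return a list of (key name, encoding, offset) hits, sorted by offset."""
    hits = []
    for name, key in PUBLISHED_EXAMPLE_KEYS.items():
        for encoding, needle in _encodings(key).items():
            for off in find_all(blob, needle):
                hits.append((name, encoding, off))
    return sorted(hits, key=lambda h: h[2])


def scan_file(path):
    """Scan a file on disk, e.g. a BIOS image dumped with a flash programmer."""
    with open(path, "rb") as f:
        return scan_blob(f.read())


def build_sample_image():
    """Constructed firmware-like blob: hypothetical magic, erased-flash filler, example key at offset 64."""
    img = bytearray(b"\xff" * 512)   # 0xff filler mimics erased flash
    img[0:4] = b"FWX1"               # hypothetical header magic, not a real format
    img[64:80] = PUBLISHED_EXAMPLE_KEYS[next(iter(PUBLISHED_EXAMPLE_KEYS))]
    return bytes(img)


if __name__ == "__main__":
    for name, encoding, off in scan_blob(build_sample_image()):
        print(f"offset 0x{off:x}: {encoding} form of {name}")
```

Wired into a build pipeline as a release gate, a non-empty result from `scan_file()` on the final image should fail the build; the byte-reversed and hex-ASCII forms are included because keys copied from a spec often arrive as a little-endian word array or a string constant rather than as the raw bytes.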