This flaw allows attackers with local administrator privileges to bypass AMD’s cryptographic verification system and install custom microcode updates on affected CPUs.
If you already have local administrator privileges, you have access to the system and its data anyway. Doesn’t seem that critical a flaw. It doesn’t even survive reboots.
If I’m understanding this correctly this opens up the door to a serious type of rootkit.
It’s not a matter of attackers having access to the data. It’s that they have replaced your hardware with malicious hardware.
Additionally It can be trivial to gain administrative capacity on a personal computer. But in a regular case you can just reinstall the operating system. This would survive that.
On some level yes, but reading the article nothing persist between boots. This seems like a vulnerability that’s really only that serious A if you don’t apply AMDs patched micro code and B there’s another vulnerability on your system that lets this persist between operating system reinstall/in the BIOS.
… are used by distro update mechanisms and very few people turn those off, even if they don’t use elevated privileges for anything else.
Admittedly, it’s unlikely that a distro’s repository will end up with a compromised microcode package, but it’s not impossible (Remember the 7zip debacle?). And if it happens, you can be sure that whoever designs the payload will use the temporary access to install something ugly that has more permanent access.
But as you say, AMD have issued a fix. And that’d be why.
If you already have local administrator privileges, you have access to the system and its data anyway. Doesn’t seem that critical a flaw. It doesn’t even survive reboots.
Regardless, AMD has already issued a fix.
Edit: seems I may be mistaken.
If I’m understanding this correctly this opens up the door to a serious type of rootkit.
It’s not a matter of attackers having access to the data. It’s that they have replaced your hardware with malicious hardware.
Additionally It can be trivial to gain administrative capacity on a personal computer. But in a regular case you can just reinstall the operating system. This would survive that.
On some level yes, but reading the article nothing persist between boots. This seems like a vulnerability that’s really only that serious A if you don’t apply AMDs patched micro code and B there’s another vulnerability on your system that lets this persist between operating system reinstall/in the BIOS.
That’s not what this is about. It can’t even survive a reboot.
Ah, thanks for the clarification.
That’s not a flaw. That’s a right to repair requirement.
It sound’s more like a feature.
… are used by distro update mechanisms and very few people turn those off, even if they don’t use elevated privileges for anything else.
Admittedly, it’s unlikely that a distro’s repository will end up with a compromised microcode package, but it’s not impossible (Remember the 7zip debacle?). And if it happens, you can be sure that whoever designs the payload will use the temporary access to install something ugly that has more permanent access.
But as you say, AMD have issued a fix. And that’d be why.
7z? You mean xz??