We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise.
It appears that it isn't just AMD that is questioning the motives of CTS Labs, as Linux founder Linus Torvalds is lobbing grenades at the nascent security firm, the media and the security industry in general. Torvalds accuses the media of being lap dogs for a security industry that has "taught everybody to not be critical of their findings."
Torvalds made the comments in a Google+ discussion thread, adding, "When was the last time you saw a security advisory that was basically 'if you replace the BIOS or the CPU microcode with an evil version, you might have a security problem'? Yeah.
"Security people need to understand that they look like clowns because of it. The whole security industry needs to just admit that they have a lot of s--t going on, and they should use - and encourage - some critical thinking."
It should be noted that there is definitely reason to question the motives behind CTS Labs' disclosure of the claimed processor vulnerabilities. Take for example the Meltdown and Spectre vulnerabilities, which were originally discovered by Google researchers. The researchers worked behind the scenes for months with companies like Intel and AMD -- maybe a bit too discreetly -- to come up with workable mitigations before everything was eventually leaked to the press.
In the case of CTS Labs, the firm only gave AMD 24 hours' notice before going public, which is highly unusual and borderline reckless. Torvalds thinks there is a different motive behind CTS Labs' disclosures, noting, "It looks more like stock manipulation than a security advisory to me."
However, that's not to say that these security flaws aren't actually real, as pointed out by Trail of Bits CEO Dan Guido:
Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public afaik), and their exploit code works. — Dan Guido (@dguido) March 13, 2018
I spent all morning talking to reporters, mostly to correct twitter hot takes. Yes, all the flaws require admin privs but all are _flaws_ not expected functionality. https://t.co/pAY22JszZM — Dan Guido (@dguido) March 13, 2018
The question is how easy it is to actually exploit these flaws in the real world, which is seemingly what is sticking in Torvalds' craw. "A catchy name and a website is almost required for a splashy security disclosure these days," he added.