The release of a critical web security vulnerability has sparked concern for those relying on the highest level of protection, including Linux systems, Chrome browsers, and.netogen. On March 19, the vulnerability was publicly disclosed following the use of a Linux kernel vulnerability, a Netgear router breach in its Wi-Fi security, and a Password API vulnerability in Chrome 86. Now, Google researchers have uncovered a significant breach in AMD Zen-based CPUs, which pose a far-reaching risk to sensitive data.
Google announced in February 2024 that it found a vulnerability in some AMD Zen 1 through 4 CPUs, which had achy implications for real-world applications. “Until March 5,” Google stated, “we won’t disclose further details. The real-life impact of this bug is profound— it could be used to steal confidential computing workloads, compromise Dynamic Root of Trust Measurement, or even breach intellectual property.” The breach was discovered by Google Security researchers using an insecure hash function during the testing of microcode patches, which were administered through local admin privileges. This prompted the development of more advanced attacks, leveraging the CAPTCHA system to time adversary traffic.
The vulnerability’s timeline is somewhat tumultuous. Google initiated a detailed investigation in September 2024 and contacted AMD, noting that AMD had already provided a patch in response to the discovery. “The risk we understood was too high,” said Google’s Security team, explaining that consumer-facing impacts on AMD users necessitated a delay in public disclosure. They expressed optimism that their immediate action would allow users to update their systems, but emphasized the risk of further public details until March 5.
AMD responded to the situation by providing a mitigation plan in its security advisory. Principal investigator.timgorithmsutation noted that all impacted systems requiring the new fixes must activate the patch on their microcode. Users are recommended to update their BIOS and reboot the system to verify this patch, addressing the severity of the vulnerability and its potential consequences for data security.
The findings also apply to other platform types, with AMD offering a firmware update and remaining consistent with previous instances of patching and testing tendencies. This practice underscores the importance of securing new hardware and software at the earlier stages of development to mitigate such risks effectively. As Web Dev Explained notes, misunderstandings contribute to introducing vulnerabilities like the one found here, highlighting the need for proactive cybersecurity strategies.
