Getty Images/iStockphoto

News

AMD processor vulnerability inadvertently leaked early

The flaw was revealed when hardware manufacturer Asus published a patch for an 'AMD Microcode Signature Verification Vulnerability' to a gaming motherboard update page.

Alexander Culafi
By
Published: 24 Jan 2025

Hardware manufacturer Asus inadvertently leaked the existence of a "major" AMD processor vulnerability before the chipmaker's scheduled disclosure.

Tavis Ormandy, a Google vulnerability researcher and longtime security practitioner, sent an email to the Open Source Security mailing list on SecLists.org Tuesday noting that an Asus update page for one of its Republic of Gamers gaming motherboards -- the ROG Strix X870-I Gaming WiFi -- included a patch for a previously undisclosed "AMD Microcode Signature Verification Vulnerability." He referred to the vulnerability as a "major" CPU flaw, though the details have not been disclosed.

"I'm not thrilled about this - the patch is *not* currently in linux-firmware, so this is the only publicly available patch," Ormandy wrote.

The patch, which was dated Jan. 16, has been removed from Asus' update page. Asus did not respond to a request for comment.

Ormandy noted in his post that "other people are discussing" the AMD update and how to extract the patch on the Win-Raid Forum, a message board for BIOS/UEFI modding and CPU microcode research.

A spokesperson for AMD confirmed the existence of the vulnerability and shared the following statement with Informa TechTarget:

AMD is aware of a newly reported processor vulnerability. Execution of the attack requires both local administrator level access to the system, and development and execution of malicious microcode. AMD has provided mitigations and is actively working with its partners and customers to deploy those mitigations. AMD recommends customers continue to follow industry-standard security practices and only work with trusted suppliers when installing new code on their systems. AMD plans to issue a security bulletin soon with additional guidance and mitigation options.

It's unclear when AMD will officially disclose the vulnerability. In a follow-up email on SecLists.org, Ormandy said "the vendor has been really excruciating to deal with" and noted that the errantly published update was the first time he'd been allowed to see the patch.

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.

Dig Deeper on Threats and vulnerabilities