Subj : AMD and Intel have revealed a host of major security errors make To : All From : TechnologyDaily Date : Thu Feb 15 2024 21:00:08 AMD and Intel have revealed a host of major security errors make sure you patch immediately, as it includes a fix for Zenbleed at last Date: Thu, 15 Feb 2024 20:47:56 +0000 Description: Four flaws were found affecting different Zen-based CPUs, which could result in device takeover. FULL STORY ====================================================================== AMD and Intel have both released a host of patches fixing some serious security issues affecting their respective hardware offerings. First up, AMD has found and fixed four vulnerabilities that were plaguing different versions of its Zen-based CPUs. The vulnerabilities allow threat actors to, among other things, run malicious code on the targeted devices - but while the company did address the flaws by releasing patches, the fixes are yet to reach all users. Fixing Zenbleed The flaws AMD found affect different CPUs (they dont always overlap). However, they all compromise the security of the SPI interface, which connects to the flash chip that stores the BIOS. The vulnerabilities are tracked as CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, and are all rated as high severity. In theory, a threat actor would be able to abuse these flaws to mount denial of service attacks, to escalate privileges, and execute arbitrary code, which could result in complete endpoint takeover. The silver lining here is that the attackers would need to have local access to the vulnerable system. The flaws affected both original Zen chips and the latest Zen 4 processors, and many of the variants in between. The full list of affected chips, and the patches, can be found on AMDs advisory published earlier this week. AMD patched the flaws by issuing a new version of AGESA, the base code for motherboard BIOS. The new version for Zen 2-based chips also patch Zenbleed. To get the new AGESA versions, new BIOS needs to be deployed to the users, so even though new AGESA is technically available, it doesnt mean all motherboards can be updated straight away. AMD credited Enrique Nissim, Krzysztof Okupski, and Joseph Tartaro of IOActive for the discovery and reporting of these issues, although it added that some of the findings were made on PCs running outdated firmware or software. It urged all customers to apply the patches as soon as possible and recommended they follow security best practices to remain secure. Intel patches three dozen flaws At the same time, Intel patched almost three dozen different vulnerabilities, affecting various software and firmware. In total, 32 bugs were for software, impacting different chipset drivers, Wi-Fi, and other components. The remaining two bugs were software and firmware flaws affecting Thunderbolt. The software issue, affecting Thunderbolt drivers, was particularly worrying as it encompassed 20 different exploits that could allow threat actors to escalate privileges, perform denial of service attacks, and steal data. Of the 20, three are high severity. A sliver of good news is that the majority of the 20 Thunderbolt drivers require local access to the device. The bad news is that in order to address all of the flaws, users need to update every software and firmware listed by Intel, separately. Via Toms Hardware More from TechRadar Pro Some top AMD chips have a major security flaw Here's a list of the best firewalls around today These are the best endpoint security tools right now ====================================================================== Link to news story: https://www.techradar.com/pro/security/amd-and-intel-have-revealed-a-host-of-m ajor-security-errors-make-sure-you-patch-immediately-as-it-includes-a-fix-for- zenbleed-at-last --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .