A company that was asked to review a series of flaws claimed to be in some AMD processors says it recommended to the firm that found the flaws — the previously unknown Israel-based CTS Labs — that it disclose the vulnerabilities through a CERT advisory as is standard practice.
Trail of Bits, whose chief Dan Guido was paid US$16,000 to review the claimed vulnerabilities that were disclosed by CTS Labs after just 24 hours of notifying AMD, said in a blog post on Thursday that his company had not taken part either in the CTS Labs' research or disclosure process.
Standard industry practice is to give a company 90 days notice to patch any flaws before details are released. In most cases, disclosure after the 90-day period is done in a co-ordinated manner.
CTS Labs defended its method of disclosure, with its chief technology officer Ilia Luk-Zilberman saying in a public post: "The main problem in my eyes with this model is that during these 30/45/90 days, it’s up to the vendor if it wants to alert the customers that there is a problem.
{loadposition sam08}"And as far as I’ve seen, it is extremely rare that the vendor will come out ahead of time notifying the customers – 'We have problems that put you at risk, we’re working on it'. Almost always it’s post-factum — 'We had problems, here’s the patch — no need to worry'."
The Trail of Bits post, which had no byline, appeared to be an effort to play down the firm's role in the incident which has attracted far more criticism than praise.
Reaction to CTS Labs' slick disclosure — on a website with its own domain and including a video using glitzy stock background office footage — was not helped by the fact that a noted short-seller, Viceroy Research, released a report soon after the story broke, betting that AMD shares would fall.
The Viceroy report, headlined "AMD – The Obituary", was claimed by its head, John Fraser Perring, to have been written after the firm received a copy of the CTS Labs report from an anonymous source on Monday evening.
Adding to the controversy was a Reuters report that found there had been a surge of short-selling of AMD shares in the run-up to the disclosure on Tuesday.
Additionally, CTS Labs' cause was not helped by a curious clause in the disclaimer in its advisory which read: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
Apart from this, an accompanying white paper issued by CTS Labs contained language that is rarely found in such publications: "In our opinion, the basic nature of some of these vulnerabilities amounts to complete disregard offundamental security principles. This raises concerning questions regarding security practices, auditing, andquality controls at AMD."
iTWire sought clarification about the disclaimer and some other aspects of the CTS Labs report on Wednesday when the news first broke in Australia. No response has yet been received.
In its post, Trail of Bits wrote: "Our review of the vulnerabilities was based on documentation and proof-of-concept code provided by CTS. We confirmed that the proof-of-concept code worked as described on the hardware we tested, but we will defer to AMD for a final determination of their full impact, patches, and remediation recommendations."
After providing technical details of the flaws and their potential impact, Trail of Bits appeared to play down the significance of the flaws, saying: "There is no immediate risk of exploitation of these vulnerabilities for most users.
"Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilise these vulnerabilities. This level of effort is beyond the reach of most attackers."
Reacting to the CTS Labs' post, British security researcher Kevin Beaumont, who had issued a series of preliminary findings about the flaws on Wednesday, said in an addendum to his analysis: "CTS-Labs believes in what they dub a type of disclosure called 'Public Interest Disclosure' where once a vulnerability is found, its impact is disclosed to the public, and the technical details are only sent to the vendor and/or security companies that can help with mitigation.
"I profoundly disagree with the concept of 'Public Interest Disclosure' as it will lead to claims without evidence being run in the mainstream press, without any mitigation advice. That is not in the public interest. That is in the interest of media whoring."
The most caustic criticism of CTS Labs' act came from Linux creator Linus Torvalds. In a post on Google Plus, Torvalds wrote: "It looks like the IT security world has hit a new low. If you work in security, and think you have some morals, I think you might want to add the tag-line 'No, really, I'm not a whore. Pinky promise', to your business card.
"Because I thought the whole industry was corrupt before, but it's getting ridiculous. At what point will security people admit they have an attention-whoring problem?"
Referring to the current disclosure process, Luk-Zilberman added in his post: "I think that a better way, would be to notify the public on day 0 that there are vulnerabilities and what is the impact. To notify the public and the vendor together.
"And not to disclose the actual technical details ever unless it’s already fixed. To put the full public pressure on the vendor from the get go, but to never put customers at risk."