Comment on AMD won't patch all chips affected by severe data theft vulnerability — Ryzen 3000, 2000, and 1000 will not get patched for 'Sinkclose'

<- View Parent
narc0tic_bird@lemm.ee ⁨2⁩ ⁨months⁩ ago

What I mean by that is that they will take a huge disservice to their customers over a slight financial inconvenience (packaging and validating an existing fix for different CPU series with the same architecture).

I don’t classify fixing critical vulnerabilities from products as recent as the last decade as “goodwill”, that’s just what I’d expect to receive as a customer: a working product with no known vulnerabilities left open. I could’ve bought a Ryzen 3000 CPU (maybe as part of cheap office PCs or whatever) a few days ago, only to now know they have this severe vulnerability with the label WONTFIX on it. And even if I bought it 5 years ago: a fix exists, port it over!

I know some people say it’s not that critical of a bug because an attacker needs kernel access, but it’s a convenient part of a vulnerability chain for an attacker that once exploited is almost impossible to detect and remove.

source
Sort:hotnewtop