AMD reveals an Epyc 50 flaws – 23 of them rated high severity. Intel has 25 bugs, too

Microsoft may have given us a mere 55 CVEs to worry about on November's Patch Tuesday, but AMD and Intel have together topped that number with fixes for their products. AMD alone revealed 50 new CVE-listed bugs this week, 23 of them rated of "high" concern, meaning they're rated at between 7.0 and 8.9 on the Common …

  1. bazza Silver badge

    Oh Goodie

    And it's a Friday too :-(

  2. amanfromMars 1 Silver badge

    The IoT* Gift that Keeps on Giving ..... for All of the Right Reasons?

    The fact that one man’s bug list is another’s product catalogue is the stuff of fiction that impinges upon realities energising nightmares and forced interventions in defence of vulnerabilities increasingly easily exploited by creative elements and disruptive agents, oft eventually subsequently painted as either genuine genii or malcontented miscreants alike.

    And the fact/situation that an attack on such events with any plan to impose sanctions and/or punishments on perceived leaderships is an affront and assault on the emergence and utility of novel imagination and prime virgin intelligence, and whenever in perverse terrifying support of a stagnating status quo, is IT gravely to be regarded, whenever such powers are wrongly abused/ill used/targeted for severe punitive consequences are virtually guaranteed on worthy personnel responsible and accountable for the advent and spread of misery and systems enslavement ....... in another alternate way of looking at and understanding such an Internetworking of Things*

    1. Peter Gathercole Silver badge

      Re: The IoT* Gift that Keeps on Giving ..... for All of the Right Reasons?

      Hear, hear.

      Well said, that, um, whatever you are!

    2. steelpillow Silver badge
      Joke

      Re: The IoT* Gift that Keeps on Giving ..... for All of the Right Reasons?

      Are you a Perl programmer?

      1. amanfromMars 1 Silver badge
        Pint

        Re: The IoT* Gift that Keeps on Giving ..... for All of the Right Reasons?

        Are you a Perl programmer? ..... steelpillow

        Hmmm? Well ..... putting all joking aside, steel pillow, and now that you have asked ...... I suppose the only honest surreal answer to that question is ...... Yes, maybe I can be, and in any of its many possible guises from the sublime, Practical Extraction and Reporting Language right through to a ridiculous, Pathologically Eclectic Rubbish Lister.

        It would be a mistake though to imagine there be any specific defining label indicating there be an available confinement in any sort of vessel or particular allegiance to any favourite program or project, for such is a false and misleading assumption or presumption to make.

        Have a beer. It’s Friday already again, and that’s what some folk live for.

    3. Al fazed
      Thumb Up

      Re: The IoT* Gift that Keeps on Giving ..... for All of the Right Reasons?

      Classic, no one could say it better, crack on amanfromMars 1, your waxing lyrical about IT is hysterical, fundamentally, it's the season to keep on giving.

      I salute you.

      ALF

  3. Quando

    FFS! It's almost like the people developing this stuff just don't think about security at all.

    1. TripodBrandy

      They don't, since they are just busy implementing features and fixing bugs like all other software developers; security is only a concern when a vulnerability is found and exploited, otherwise it's "out of sight, out of mind".

    2. A.P. Veening Silver badge

      Newsflash: They don't as they don't get paid enough to care.

    3. Anonymous Coward
      Facepalm

      Personally, they probably care, since I doubt they like creating CVEs any more than we like implementing them.

      But management has decided security is not a selling point and not enough of a differentiator.

      Their department isn't given enough staff or budget to care.

      1. Al fazed
        Megaphone

        And to put it simply, it just takes too much development time ...... so that by the time they have subjected their code to the rigour that WE deserve and are paying for, their darling of the day has vapourised away ............

        Where is the profit in that approach, sorry business case........

        ALF

  4. Norman Nescio Silver badge

    FFS! It's almost like the people developing this stuff just don't think about security at all.

    Oh they do, they do. Just not the end-user's security. Ensuring DRM works, and that you cannot prevent signed binary blobs provided by the manufacturer from running in Ring minus<whatever> means the manufacturer and others have full access to the hardware you paid for and think you own/control. Hollywood and the three-letter-agencies are very concerned about security. Just not yours.

    Remember, being able to audit the software you run and block software you don't trust is what allows terrorists to plan their nefarious acts in secret.

    1. amanfromMars 1 Silver badge

      A Spooky AWEsome Entanglement to Behold ‽ . * Wannabe Sinners Invading Saintly Houses ‽ .

      Hollywood and the three-letter-agencies are very concerned about security. Just not yours.

      Remember, being able to audit the software you run and block software you don't trust is what allows terrorists to plan their nefarious acts in secret. .... Norman Nescio

      Yes, Norman Nescio, although once one knows how all such things work from the shadows of shade and the deep and dark and dank and rank recesses of the quite newly ancient and postmodern webs of diabolical intrigue and heavenly intervention, one is most unlikely to ever forget that is how the likes of a Hollywood and three-letter-agencies, who would certainly need to be rightly concerned about their own continued security cover and carte blanche protection provisioned via the cold cruel fragile comfort of immunity from persecution and prosecution and impunity of action, allow terrorists to plan their nefarious acts in relative secrecy.

      And furthermore, whenever such is discovered and uncovered to be the case, only a certified fool and deranged tool would not expect the undivided attention of Remedial Special Forces Exercising Engagement and Employment and Enjoyment of Advanced IntelAIgent Sources .

      * And that exclamatory interrogative is targeted specifically at Future MODernised Systems Administrations and their leaderships** which are subject to likely overwhelming attacks from such as are Novel Noble Virtual Indestructible Vectors.

      ** .... one Western exemplar being the likes of a General Sir Nicholas Patrick Carter, GCB, CBE, DSO, ADC Gen

    2. Down not across

      Blessing in disguise perhaps

      Ironic that so many critical flaws in the PSP. You would think that is one bit where they would be extra vigilant.

      Perhaps, that is a blessing in disguise and the flaws can be used to improve our security by offering a way to disable or at least effectively neutralize the abomination that it is.

  5. John Brown (no body) Silver badge
    Facepalm

    unauthorized SPI ROM modification.

    So, not actually ROM then?

    I can only assume they meant to type EEPROM.

    On the other hand, does any device use actual ROM any more? Is it all EEPROM for possible future updates and malware?

    1. Inkey
      Coffee/keyboard

      Re: unauthorized SPI ROM modification.

      SPI is a transmission standard....from Wikipedia

      The master (controller) device originates the frame for reading and writing.

      Presumably it could be sent an authenticated and compromised instruction thus routing to a very different memory (ram) address...

      ...eprom is a misnomer these days; it related to physically erasing the chip with ... a coded die and then re-imaging it with uv light ....nowadays they can be re-flashed in situ with software (hopefully from a trusted authentication point ) so two for two in this case

      1. Ian 55

        Re: unauthorized SPI ROM modification.

        To a generation of us, SPI is and always will be the US publisher of board wargames, Simulations Publications Inc.

        The IT angle is that it KNEW via computer analysis of customer feedback exactly what would sell and in what sort of numbers... and still managed to go bust.

      2. John Brown (no body) Silver badge

        Re: unauthorized SPI ROM modification.

        "...eprom is a misnomer these days; it related to physically erasing the chip with ... a coded die and then re-imaging it with uv light ...."

        I know. Did it many times in the past. That's why I typed EEPROM, not EPROM or even PROM.

    2. Robert Carnegie Silver badge

      Re: unauthorized SPI ROM modification.

      I've not got straight how this works - whether it is EEPROM (a bug in your CPU can be permanently patched) or RAM (the OS has to load a patch into RAM on the CPU to replace ROM, every boot time). This report should help, but it doesn't?

  6. Anonymous Coward
    Anonymous Coward

    They don't need to think about security because it does not affect their bottom line. If vendors were made to come on site and fix their own shit, maybe they would consider the risk (like in automotive and white goods recalls). No regulation! Just strong words on sites like this.

    1. greenwood-IT

      Having these security bugs also means the kit will have a shorter life span. Who wants to run a processor with known security bugs, best to just replace it with a new one every 3-5 years. Everlasting lightbulb anyone?

  7. SingleSpeak

    If AMD and Intel cared about security and saving money - instead of pleasing the intelligence agencies they have a contract with to place network accessible backdoors in every CPU - then they would release the source so they could get thousands of security researchers analyzing and improving the code for free!
