While Intel is currently salvaging the 13th/14th Gen Core processors situation with warranty extensions and microcode updates, AMD on the other hand had its last laugh when the SinkClose vulnerability was officially revealed last week.
For the unaware, AMD has recently publicly disclosed the existence of SinkClose which is a security flaw that could allow attackers to install undetectable malware (or at least super hard to find out) against conventional detection methods. Even worse? The exploit can be executed through Ring-0 which is the OS layer and escalate privileges up to Ring-2 and that’s bad news.
I’m sure at the moment when consumers literally don’t know who to trust and select for their next rig upgrade, existing users might have some questions. The 1st one is gonna be “Can my system guard against this by patching” and this is a “Yes but No” situation as the following list compiled by BleepingComputer shows all the vulnerable AMD chips.
- EPYC 1st, 2nd, 3rd, and 4th generations
- EPYC Embedded 3000, 7002, 7003, and 9003, R1000, R2000, 5000, and 7000
- Ryzen Embedded V1000, V2000, and V3000
- Ryzen 3000, 5000, 4000, 7000, and 8000 series
- Ryzen 3000 Mobile, 5000 Mobile, 4000 Mobile, and 7000 Mobile series
- Ryzen Threadripper 3000 and 7000 series
- AMD Threadripper PRO (Castle Peak WS SP3, Chagall WS)
- AMD Athlon 3000 series Mobile (Dali, Pollock)
- AMD Instinct MI300A
The 2nd question? “Hey, certain models and families are missing from the list?”. Yup, that’s unfortunate.
According to Tom’s Hardware, AMD will not be fixing Ryzen 1000/2000/3000 series processors since they are considered “out of the support period” while the others will receive their due BIOS update to mitigate the problem. So that’s probably why we don’t see the OGs included in the official advisory.
Despite the bug existing for more than a decade, the recent security flaw kind of resurfaces the inherent risk of “buying refurbished or age-old electronics”.
Look, there are times when budgets are tight or system requirements are not that heavy to justify the purchase of the latest and greatest and that’s fine. What’s important is the level of risk that you’re willing to take when you include these systems as part of, let’s say, a business or an organization that involves private and personal information.
And we don’t want anything to happen to those precious data. As a consumer, if you’re not willing to budge on your spending and requirement aspects, perhaps you can be extra vigilant against other possible cyberattacks (especially social engineering techniques, these are the most ass to deal with), or catch up to these kinds of news and implement fixes ASAP, and always have backups/counteractive measurements in the event of impending danger towards your IT infrastructure.
Ah, maybe this is “the great excuse” to finally tell your IT department to get some new hardware for the office?