AMD plugs firmware holes that allowed command injection
Bug your motherboard vendor for a fix, says boffin
VID Chip maker AMD has patched holes across its firmware lines that could allow hackers to inject malware.
Czech programmer Rudolf Marek reported the holes in the Trinity, Richland, Kaveri, and Kabini silicon series ahead of a disclosure at the Chaos Communications Congress.
AMD's System Management Unit (SMU) firmware code within x86 processors did not run adequate checks prior to execution, allowing Marek to inject his own commands.
Marek told attendees to ask their mainboard vendors to push the fixed AGESA to BIOSes.
"Tell your vendors for a fixed AGESA (AMD Generic Encapsulated Software Architecture)," Marek said during the talk aimed at encouraging more of the low-level security analysis.
"This is the only way to push vendors to update BIOSes for older platforms."
Marek did not describe particular attack scenarios created by the lack of a protected code along with further firmware errors.
It took roughly a year to fix the flaws in an exchange he described as "responsible and helpful".