AMD Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Fri, 16 Aug 2024 13:39:49 +0000

AMD Ryzen CPUs Slowed Down by Windows 11 Bug
https://gridinsoft.com/blogs/amd-ryzen-cpu-windows-11-privileges/
Thu, 15 Aug 2024 16:22:03 +0000

The recent release of the AMD Ryzen 9000 CPU lineup created quite a fuss because the new processors deliver lackluster performance uplifts over previous generations. Gaming is one area where the results were particularly bad: instead of the expected 15-20% improvements, gamers are getting mere 3-5% gains. AMD found an explanation: it turns out that privileges on Windows accounts may affect the new processors’ performance. Let me tell a bit of the backstory and show how to gain up to a 10% FPS boost with just 1 command.

What is the problem with Ryzen 9000 CPUs?

There is a rather significant backlash going on right now around the Ryzen 9000 series, the latest AMD CPU lineup. Long story short – the company promised performance boost numbers that the new processors failed to provide. Not only users, but renowned YouTube channels found the performance difference shameful and not even near what was promised in promo materials.

Trying to find the reason, AMD discovered a bug in Windows 11 that affects CPU performance across the board. Although the company claimed it affects only the new Zen 5 CPUs, the bug apparently causes issues on Zen 4 processors to the same degree. That leads users back to the question of why Zen 5 CPUs have so little performance uplift, but we’re not talking about that right now. What is more interesting and important is AMD’s guide on how to mitigate the bug and get the full performance.

How to boost AMD CPU gaming performance on Windows 11?

The problem that AMD blames apparently sits in Windows low-level power management, which depends on user privileges. Having a user-level or normal admin-level account effectively leads to decreased high-frequency burst times and less-than-expected performance. There is a so-called “super-admin” profile in Windows (the built-in Administrator account that the command below enables), which does not show up by default. Using it allegedly removes any power restrictions and allows getting the full potential of the CPU. Now, let me show you how to get into that super-admin account.

Go to Search, type “Command Prompt” and run it as administrator. In the window that appears, type the following command:

net.exe user administrator /active:yes

Once the command is complete, go to Start, click the Power button and opt for “Sign out”. This will take you to the login screen, where you will see the “un-hidden” super-administrator account in the lower left corner. As Windows treats that account as new, it will show you the “Hello, wait a bit” screen for several minutes while the system sets up the applications and the account. After that, use the system as you normally would.

This method is confirmed to increase performance by 8-10% on Zen 4 and Zen 5 parts. However, the bug is specific to Windows 11, so Windows 10 users, who are still the majority of OS users, won’t see any difference. At the same time, AMD claims Microsoft has acknowledged the issue and should release a fix in the near future.

Possible Security Risks

Gaining a 10% FPS boost with no hardware upgrades may sound like a miracle, but it is not free of issues. Super-administrator privileges mean that any process and application will run instantly, without explicit confirmation. And that is a major security risk: a lot of malware still gets caught when the UAC window pops up. In super-admin mode there are no such windows, so whatever that mod downloaded from a sketchy site does, it will do without any warning.
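
To check whether a machine is currently in the state this tweak produces, and to revert it, here is an added example that is not part of the original post or of AMD's guidance. It assumes an elevated PowerShell prompt and the LocalAccounts cmdlets that ship with Windows 10/11; the function name and output fields are illustrative, and the account is located by its well-known RID 500 because its name can be renamed or localized.

```powershell
# Added example: audit the built-in Administrator ("super-admin") account.
# Run from an elevated PowerShell prompt. The function name is illustrative.
function Get-BuiltinAdminExposure {
    # The built-in Administrator always has a SID ending in -500,
    # even if the account was renamed or the OS uses a localized name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

    # FilterAdministratorToken = 1 places this account under Admin Approval
    # Mode (UAC prompts). Missing or 0 means everything runs fully elevated.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $filter = (Get-ItemProperty -Path $key -Name FilterAdministratorToken `
                   -ErrorAction SilentlyContinue).FilterAdministratorToken

    [pscustomobject]@{
        Name        = $admin.Name
        Sid         = $admin.SID
        Enabled     = $admin.Enabled
        # Heuristic: a null PasswordLastSet means no password was ever set.
        PasswordSet = ($null -ne $admin.PasswordLastSet)
        LastLogon   = $admin.LastLogon
        UacFiltered = ($filter -eq 1)
        AtRisk      = ($admin.Enabled -and ($filter -ne 1))
    }
}

$state = Get-BuiltinAdminExposure
$state | Format-List

if ($state.AtRisk) {
    Write-Warning 'Built-in Administrator is enabled and runs without UAC prompts.'
    if (-not $state.PasswordSet) {
        Write-Warning 'The account appears to have no password set.'
    }
    # Revert the tweak (same effect as: net.exe user administrator /active:no).
    # -Confirm asks before anything is changed.
    Disable-LocalUser -SID $state.Sid -Confirm
}
```

Declining the confirmation prompt leaves the account enabled, so the script can also be used purely as a report.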

To secure the system against malicious programs and keep enjoying games at peak FPS, consider using GridinSoft Anti-Malware. It never tries to scan the system while the game is going; there are no bundled programs that will take up the precious disk space. And its detection rates are impressive, too, thanks to the multi-component detection system that can protect from both malware and malicious websites.

Researchers spot a tool to hide malware in AMD and Nvidia GPUs for sale
https://gridinsoft.com/blogs/malware-in-amd-and-nvidia-gpu/
Wed, 01 Sep 2021 16:26:59 +0000

Bleeping Computer discovered that an exploit that uses the memory buffer of AMD and Nvidia GPUs to store and execute malware has appeared for sale on a hacker forum.

In general, this method is not new, and similar PoC exploits have been published before, but all those projects were either implemented as part of academic research or remained incomplete and unrefined.

The exploit seller writes that his tool successfully protects malicious code from security solutions that scan system RAM. So far, it only works on Windows systems that support OpenCL 2.0 and above. The exploit author assures that his solution has been tested and works accurately on Intel (UHD 620/630), Radeon (RX 5700) and GeForce (GTX 740M, GTX 1650) video cards.

The announcement appeared on the hacker forum on August 8 this year, and about two weeks later, on August 25, the seller announced that he had sold his PoC, but did not disclose any details about the deal.

VX-Underground researchers tweet that the malicious code sold does indeed work and allows the GPU to execute binaries.

“Recently an unknown individual sold a malware technique to a group of Threat Actors. This malcode allowed binaries to be executed by the GPU, and in GPU memory address space, rather the CPUs,” VX-Underground experts wrote on Twitter.

They promised to demonstrate this attack technique soon.

Bleeping Computer journalists recall that GPU malware has been created before, referring to the JellyFish rootkit and the Demon keylogger. These projects were published in May 2015 and are still in the public domain. The foundation for such attacks was laid in 2013 by researchers from the Institute of Computer Science, FORTH and Columbia University in New York. They demonstrated that the work of a keylogger can be entrusted to GPUs, which store the intercepted keystrokes in their memory.

The seller of the new tool claims that its development has nothing to do with JellyFish and says that his method is different from the one presented in 2015, as it does not rely on mapping the code back to user space.

Let me remind you that I also wrote about how GitHub Developers Review Exploit Posting Policy Due to Scandal.

AMD plans to fix SMM Callout bugs in its processors by the end of June
https://gridinsoft.com/blogs/amd-plans-to-fix-smm-callout-bugs-in-its-processors-by-the-end-of-june/
Mon, 22 Jun 2020 16:11:07 +0000

AMD reports that firmware updates will be released for three bugs called SMM Callout by the end of June 2020. These vulnerabilities allow attackers to establish control over the AMD CPU UEFI firmware and, in fact, gain control over the entire computer.

The affected products are reported to be Accelerated Processing Unit (APU, formerly AMD Fusion) processors from 2016 to 2019. APUs are small 64-bit hybrid microprocessors that include both CPUs and GPUs on the same chip.

The problems of SMM Callout became known last weekend when independent security researcher Danny Odler published a blog post detailing one of the three vulnerabilities (CVE-2020-14032, which has already been fixed).

“Bugs affect the area of AMD processors known as SMM (System Management Mode) and operate at the deepest level within some company processors”, – says Danny Odler.

SMM is part of UEFI and is typically used to manage hardware features such as power management, system sleep, hibernation, device emulation, memory errors, and CPU protection functions. In fact, SMM works with the highest level of privileges, having full control over the OS kernel and hypervisors.

Thus, any attacker who manages to compromise SMM gets full control not only over the OS, but also over the hardware. Odler writes that he discovered three errors in AMD SMM that allow injecting malicious code into SMRAM (internal SMM memory) and running it with SMM privileges.

“Code execution in SMM is a game over for all security mechanisms, such as SecureBoot, Hypervisor, VBS, Kernel, and so on”, — says the researcher.

Fortunately, exploiting the SMM Callout problems requires physical access to the device or a malicious program on the victim’s computer that can run code with administrator privileges. However, the researcher notes that such restrictions have not stopped rootkit developers in the past 15 years, and probably will not stop determined hackers even now.

Odler reported problems to AMD developers in early April of this year. As stated above, AMD has already released fixes for the first bug, CVE-2020-14032.

Two other problems are still uncorrected, but the company’s official announcement states that AMD plans to prepare corrections for AGESA by the end of June 2020. When these updates are ready, AMD will provide firmware for motherboard and system manufacturers.

Let me remind you that we recently said that AMD processors are vulnerable to two more attacks.

Information security experts said that AMD processors are vulnerable to two attacks
https://gridinsoft.com/blogs/information-security-experts-said-that-amd-processors-are-vulnerable-to-two-attacks/
Tue, 10 Mar 2020 16:36:46 +0000

A joint group of specialists from the National Center for Scientific Research of France and the Graz Technical University published a report on new attack vectors for AMD processors. Researchers said AMD processors are vulnerable to two attacks.

These problems, discovered by experts back in 2019, affect the security of data processed by processors and can lead to theft of confidential information, as well as security impairment.

It is reported that AMD processors released between 2011 and 2019 are vulnerable to the bugs (the table can be seen below). Moreover, the researchers notified AMD engineers about their findings back in August 2019, but the company did not consider it necessary to issue patches, since it did not consider these problems to be new speculative (or proactive – speculative) attacks. Of course, the researchers disagree with this.

Two attacks on AMD processors

The problems discovered by the experts affect the way predictor mechanism in the Level 1 data (L1D) cache. This performance-oriented functionality was introduced in AMD processors in 2011 and reduces power consumption.

According to the published report, the way predictor calculates a µTag by applying an undocumented hash function to the virtual address. The µTag is then used to look up the cache way in a table. That is, the processor does not have to compare the cache tag with all possible options, which reduces energy consumption.

“Our attacks demonstrate that AMD architecture is vulnerable to attacks on third-party channels,” scientists say.

The researchers managed to reverse-engineer the mentioned “undocumented function” used by AMD processors and found two attack vectors: Collide + Probe and Load + Reload. These side-channel attacks are in many ways similar to the classic Flush + Reload and Prime + Probe, which were previously used by other information security experts to extract data from Intel processors.

At the same time, the authors of the report are sure that the problems they discovered differ from other side-channel attacks. In their opinion, Collide + Probe and Load + Reload are not theoretical attacks, but problems that can be easily used in real life, and the attacker needs neither physical access nor special equipment. For example, the experts claim that they exploited the attacks in the cloud using JavaScript.

During one experiment on an AMD processor, the researchers launched a malicious process that used a covert channel to steal data from another process. The data exfiltration rate was 588.9 Kb/s.

The Collide + Probe attack was adapted to reduce the entropy of various ASLR (Address Space Layout Randomization) implementations. An attacker who manages to circumvent ASLR protection can predict where code will be executed and plan further attacks.

The researchers said they compromised kernel ASLR on a fully updated Linux system, as well as ASLR for operating systems and applications running in cloud and virtual environments. These attacks required introducing malicious code on the target machine; however, the attack is reportedly also possible over the Internet, using malicious JavaScript in the browser.

“We tested our proof-of-concept on Chrome 76.0.3809 and Firefox 68.0.2, as well as on the Chrome V8 engine. In Firefox, we were able to reduce entropy by 15 bits with a 98% success rate and average run time of 2.33 s (σ = 0.03s, n = 1000). In Chrome, we achieved a success rate of 86.1% and an average lead time of 2.90s (σ = 0.25s, n = 1000)”, — experts write.

In addition, the Collide + Probe attack was successfully used to recover an encryption key from an AES T-table implementation.

On Twitter, one of the experts publicly admitted that the found bugs could not be compared with Meltdown and Zombieload, which Intel processors are subject to.

“Is this vulnerability as severe as Meltdown or Zombieload? Certainly not. The attacks leak a few bit of meta-data. Meltdown and Zombieload leak tons of actual data”, – said Daniel Gruss (@lavados).

The official AMD announcement says that the company does not consider the described problems as new speculative attacks, since these problems are solved by installing other previously released fixes for old side-channel problems.

Let me remind you that in past years AMD processors were recognized as vulnerable to such side-channel problems as Spectre v1 (CVE-2017-5753), Spectre v1.1 (CVE-2018-3693), Spectre v1.2, Spectre v2 (CVE-2017-5715), CVE-2018-3640, SpectreNG (CVE-2018-3639), SpectreRSB, NetSpectre, as well as the set of bugs known as L1TF (L1 Terminal Fault) or Foreshadow.

In turn, the researchers assured reporters from ZDNet that AMD’s response was “very misleading,” and that the company had not interacted with the team of experts since last August, that is, since the private disclosure of information about the problems. In addition, the attacks themselves supposedly still work to this day on completely updated OSes with the latest firmware and software.

However, this is not the first time vendors have postponed solutions to problems and thereby endangered users.
