“If a system is compromised to this level, the ability to deploy malicious microcode to the CPU could make for a very insidious attack vector that would be very hard to identify and address,” Villanustre said. “Creating these types of sophisticated attacks would require significant resources, but it could be something that a state sponsored actor could certainly do.”
Coordinated disclosure is critical
Villanustre was one of several security specialists who said that much of the potential damage came not from AMD, but from the disclosure by Asus.
“It’s possible that certain resourceful bad actors already knew about it, but making it widely known creates unnecessary exposure to organizations that still don’t have a way to mitigate the risk, since mainstream patches are not available,” Villanustre said, adding that “Asus’ disclosure seems to have been a mistake, but it would have been irresponsible otherwise. In any case, it’s not the first time CPUs are vulnerable and it won’t be the last time either.”
