News AMD accused of poking holes in Windows security

AMD has been accused of reducing the security of Windows through failure to support ASLR.

http://www.bit-tech.net/news/hardware/2012/06/08/amd-windows-security/1

 

interesting... but how can anyone blame another company for not being compatible with a company that decides one day they want something else.. so all others must change to support it?

 

Wow this is pretty serious. How could ATI go so long with this problem? Is it only recently a problem? I can't believe nobody has noticed yet. Anyways I am amazed AMD would knowingly release software like that.

 

"Wow this is pretty serious. How could ATI go so long with this problem? Is it only recently a problem? I can't believe nobody has noticed yet. Anyways I am amazed AMD would knowingly release software like that."

It is a problem with a feature that is disabled by default. This is not to say that AMD's drivers aren't crappy - they are, but blaming them for incompatibility with somthing that is disabled by default and apparently isn't used anywhere is like complaining about 3D acceleration not working in DOS version of Tomb Raider compiled for Glide ...

 

EMET is not installed by default on any windows machine - and since EMET 2 has been out 2 1/2 years , for retail users its not that big a deal

 

Quite. I think the bigger issue here is not so much AMD's incompatible drivers, but Microsoft including an important security feature that is turned off by default. Is there a reason for this - does it make a system less stable, or does it cause Windows programs to run slower?

 

the reg key you need to look for is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\EnableUnsafeSettings

and if you dont have the optional and downloaded from MS EMET you dont have the reg key anyway (not present on my GTX 480 system)

 

I get the feeling that ASLR is disabled by default due to a performance overhead, not compatibility issues. I don't know the precise workings of the tech (I doubt anyone without a security clearance does), but based on my understanding of stack discipline and data addressing, I can make some reasonable assumptions. If those assumptions are right, ASLR would add a step or two to certain kinds of instructions. The result could easily be a substantial performance hit.

In order for a buffer overflow attack to happen, you must already be executing some malicious code, which should have been caught by other security measures. Of course it IS reasonable for those security measures to fail, but ASLR still isn't a critical first-level security feature, and it could have observable performance costs, so it isn't enabled by default.

All AMD is 'guilty' of, is not testing their drivers with an obscure security feature that drastically changes the way system-level addressing works on a tiny fraction of systems, which MS themselves have chosen NOT to require driver makers account for. US-CERT is just being dramatic and accusatory.

 

Then MS should say "AMD, this is your six months warning. In six months the next Windows update will turn this feature on. You've got that long to sort your drivers".
Shouldn't be an issue. Both AMD and Nvidia release regular driver patches.

 

It can't be too vital a piece of protection can it. If it was Microsoft would have told AMD to sort their drivers ages ago. And if the vast majority of us have been getting along fine without ASLR then I don't see the problem.

If you are careful you shouldn't get a virus anyway. Can't remember the last time I got one. Only ever clean them off other peoples computers.

 

"AMD has been accused of making Windows unsafe"

Nah - Microsoft does that job very well already. And if they have a bad day, Adobe comes to the rescue.

 

This is nothing but an nvidia fanboy article.

 

And what about all the backdoors our Government (like the FBI) are always trying to get put into everything.

 

That is why everything from planes to fission-powered submarines and hydroelectric dams should run on ATI hardware! Conspiracy! Get the tinfoil hats!

 

there are more security holes built into windows than a Colander

i don't see why they are blaming amd

windows is a piece of **** from a security standpoint

dep is useless, so disabled it same as uac. havent had any problems/viruses in over 6 months thanks to my third party security

 

makes me laugh microsoft pointing fingers when they "alledgedly" had nothing to do with issuing MS security certs that enabled flame to target whoever they want to.

 

ASLR isn't something that's merely turned on by setting a registry key. A given application has to actively support it or rather it has to indicate to the OS that it supports it. There's a linker option for this in Visual C++ (or alternatively a project property in Visual Studio projects). The same goes for DEP.

One could argue that AMD has a problem if ASLR support is indicated, yet hasn't been tested to work properly, but I wouldn't call it poking a hole in Windows security.

 

If you can get past all the AMD fanboy nerd rage you'd notice this is a good thing they are doing. The whole idea behind this feature is to make windows more secure. The reason it's not on by default is because it has to be specifically coded into software so until all software supports this it stays turned off.

It is particularly important for low level drivers with privileged access such as graphics drivers. Intel and Nvidia support this, AMD don't. I presume they were asked nicely (standard has been out for a while) but they ignored the requests so they are now being publicly bashed in an attempt to get them to comply.

None of this matters to us of course as we don't have this setting turned on, but it matters in a big way to AMD if they want to sell any PC's with their chips in to the US government who have higher security standards.

 

Typical chicken/egg scenario where two companies try to muscle each other around. MS clearly didn't put in enough leverage to get AMD to move. If you want another company to do extra work for free so that your own features work then you need to put on your big girl panties and wrestle them into complying. Now we get to wait and see if this'll be enough to get AMD to move.

Outside of higher sensitivity branches this likely isn't an issue, if AMD can make a better offer they'll get a deal. On the flip side, private sector business security isn't to be overlooked. As we've seen over the last couple years there's plenty of hacker interest in the personal data of employees and clients, and of course trade secrets can be worth millions.