AMD and Intel have revealed a host of major security errors — make sure you patch immediately, as it includes a fix for Zenbleed at last

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

AMD and Intel have both released a host of patches fixing some serious security issues affecting their respective hardware offerings.

First up, AMD has found and fixed four vulnerabilities that were plaguing different versions of its Zen-based CPUs. 

The vulnerabilities allow threat actors to, among other things, run malicious code on the targeted devices - but while the company did address the flaws by releasing patches, the fixes are yet to reach all users.

Fixing Zenbleed

The flaws AMD found affect different CPUs (they don’t always overlap). However, they all compromise the security of the SPI interface, which connects to the flash chip that stores the BIOS. The vulnerabilities are tracked as CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, and are all rated as “high severity”. 

In theory, a threat actor would be able to abuse these flaws to mount denial of service attacks, to escalate privileges, and execute arbitrary code, which could result in complete endpoint takeover. The silver lining here is that the attackers would need to have local access to the vulnerable system.

The flaws affected both original Zen chips and the latest Zen 4 processors, and many of the variants in between. The full list of affected chips, and the patches, can be found on AMD’s advisory published earlier this week. AMD patched the flaws by issuing a new version of AGESA, the base code for motherboard BIOS. The new version for Zen 2-based chips also patch Zenbleed.

To get the new AGESA versions, new BIOS needs to be deployed to the users, so even though new AGESA is technically available, it doesn’t mean all motherboards can be updated straight away.

AMD credited Enrique Nissim, Krzysztof Okupski, and Joseph Tartaro of IOActive for the discovery and reporting of these issues, although it added that “some of the findings were made on PCs running outdated firmware or software”. It urged all customers to apply the patches as soon as possible and recommended they follow security best practices to remain secure.

Intel patches three dozen flaws

At the same time, Intel patched almost three dozen different vulnerabilities, affecting various software and firmware. 

In total, 32 bugs were for software, impacting different chipset drivers, Wi-Fi, and other components. The remaining two bugs were software and firmware flaws affecting Thunderbolt. 

The software issue, affecting Thunderbolt drivers, was particularly worrying as it encompassed 20 different exploits that could allow threat actors to escalate privileges, perform denial of service attacks, and steal data. Of the 20, three are “high severity”.

A sliver of good news is that the majority of the 20 Thunderbolt drivers require local access to the device. The bad news is that in order to address all of the flaws, users need to update every software and firmware listed by Intel, separately.

Via Tom’s Hardware

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
AMD logo
AMD patches high severity security flaw affecting Zen chips
AMD logo
Security flaw means AMD Zen CPUs can be "jailbroken"
AMD Ryzen 5 7600X processor
AMD confirms processor security flaws after Asus patch slips out early
Security
Intel slams Nvidia and AMD, claims chip giants have huge numbers of security flaws
MediaTek
MediaTek reveals host of security vulnerabilities, so patch now
An abstract image of a lock against a digital background, denoting cybersecurity.
Apple CPU security issue could let hackers steal user data from browsers
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring