This months Cryptogram, a publication on security, technology and much more, has an interesting snip on a problem with the new AMD chips. AMD have recently been shouting about how exciting their No eXecute technology is on the Opterons, and how it will stop nasty code from executing. However, they dont seem to keen to discuss a potentially major security flaw in the chips.
Essentially, the problem lies in the K8 line of chips, which includes the much celebrated 64 bit Athlon and the Opteron chip, and the way they update themselves. A Microcode (or bios updates) update allows chip makers to change code on the chip where it is faulty, saving the hassle of an expensive product recall. Using this technique, AMD patched up a problem discovered recently. A useful feature, one might think. However, AMD chips that do this (K7s dont/didnt after they discovered a problem with it!) dont appear to have any security or validation checks on Microcode updates. As such...
"If one is able to get root access on a machine even once, it is hypothetically possible to install a microcode update specifically to help compromise security from userspace at a later time. Such an update could be flashed into the BIOS to make it persistent across reboots."
Intel has had a problem with this (Microcode validation), but have got around it via implementing encryption and authentication technology; AMD have yet to do this. Real World Tech, the discovers of this issue, also speculate that, in a hypothetical situation, it might be possible also to do serious physical damage to a AMD K8 chip.
All in all, a rather depressing report for users that have shelled out big bucks for these new chips. Certainly not the kind of performance one would expect from AMD, a company that needs a tip top reputation to maintain its level of high regard from the IT professional community to successfully compete with chip giant Intel.