On Wed, 03 Jan 2018 18:45:14 -0800 Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote:

> Rather, I am not concerning myself with individual exploits with cute
> names, because that's sort of a silly way to look at things, in my
> opinion. The actual truth of how this went down - as I understand it -
> is just not "there was an original exploit and now there's another
> exploit". The truth is that some folks at Google and later at other
> places noticed (quite a long time ago - early last year, I believe)
> that there's a general category of potential exploits against an
> optimization technique used by most or all modern CPUs, and have since
> been working to explore the details of exactly how the technique can
> be exploited on various microarchitectures, and importantly, how it
> can be *mitigated* on all those microarchitectures.
>
> While this was going on - behind a disclosure embargo - The Register
> got wind of it and published a half-assed story which rather confused
> one *specific* weaponizable PoC exploit against Intel CPUs which had
> been developed in the course of this research (and has subsequently
> been given a cute name and a CVE ID) with the entire *class* of
> potential exploits, leading to an immediate barrage of reporting along
> the lines that "the problem" "only affects Intel". This has forced the
> researchers and kernel devs who were working to deal with this
> situation to jump through the disclosure and patching process faster
> and sooner and less completely than they actually intended: from the
> snatches of chat I've caught, it seems there was an intent to release
> a rather more comprehensive set of mitigations in perhaps a month's
> time, with co-ordinated disclosure.
>
> If you are, for some reason, only concerned about *one specific
> exploit* it is technically true to say that that exploit only affects
> Intel CPUs, but this is a rather distorted view of the actual situation,
> as I understand it.
>
> I am happy to be corrected by any folks who've been working on this
> and are in the know, of course, if I'm wrong.

Thanks for the back story.