[Info-vax] Intel x86-64 Processor Design Security Vulnerability?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Jan 4 16:07:08 EST 2018
On 2018-01-04 20:23:24 +0000, DaveFroble said:
> Not sure Steve agrees with your concepts. I seem to recall that in the
> past, while he was still with DEC, more than once reading "the
> wizard's" comment to someone who mentioned a problem. "I wish you
> wouldn't have done that."
>
> Or, maybe times have changed ....
Vulnerability and disclosure norms have changed since DEC days.
Dropping zero-days has never been fun for vendors nor for end-users, and
is not something I'd prefer happen to anybody. Zero-days aren't
always obvious to the submitters, too. I've seen some folks post
stuff that was clearly far worse than the person asking the question
had considered or even realized, too. Knowledge spreads fast, too.
Vendors need enough time to analyze and code and test and deploy fixes.
Always have.
Unfortunately, vendors shouldn't be permitted to defer security fixes
arbitrarily. That deferral and the associated silence too often also
affects the end-users and the vendors' own staff and ISVs, though more
subtly.
Some other fixes are like Spectre, and not going to be easy nor cheap.
The coordinated disclosure for Spectre and Meltdown has left a number
of providers — the many folks that weren't included in the discussions
— in a scramble to figure out what's going on and get patches loaded
and reboots scheduled. But spreading the vulnerability knowledge too
widely inevitably produces leaks. Even among those folks and
organizations that are trusted with the disclosure, there's ample
opportunity for the trust to be broken or lost and for the misuse of
the information.
No easy answers here.
Some light reading...
https://www.hackerone.com
https://www.iso.org/standard/45170.html
https://www.first.org/global/sigs/vulnerability-coordination/multiparty/FIRST-Multiparty-Vulnerability-Coordination-v1.0.pdf
Etc.
Vendors and other organizations can probably expect 90 days before
disclosure for most problems, and maybe as much as six months for
massive messes. But everybody needs to expect immediate disclosures —
somebody dropped a zero-day local-privilege escalation in macOS
IOHIDFamily just a few days ago — and with increasingly-faster
deployment cycles necessary for patches.
All of this is undoubtedly just part of what Derrell and other folks at
VSI are working on, too.
--
Pure Personal Opinion | HoffmanLabs LLC