On Wed, Mar 14, 2018 at 3:16 PM, Adam Carter <adamcarter3@×××××.com> wrote:

> On Wed, Mar 14, 2018 at 12:32 PM, Philip Webb <purslow@××××××××.net>
> wrote:
>
>> 180313 Ian Zimmerman wrote:
>> > https://v.gd/PZkiuR
>> > Does anyone know more details?
>>
>> See LWN. It is being described as a scam by people shorting AMD stock.
>
>
> Dan Guido / Trail of Bits was paid to review the exploits and has
> confirmed they work. I don't think he'd burn his reputation on this.
>
> The language around AMD shares being worth $0 is clearly absurd and that
> source should be ignored.
>
>
From http://www.theregister.co.uk/2018/03/13/amd_flaws_analysis/?page=2

Jake Williams, founder and president of Rendition Infosec, commented on the
above quoted disclaimer via Twitter
<https://twitter.com/MalwareJake/status/973608157208461312>, saying, "I'm
pretty well convinced that this is designed to manipulate stock prices.
That doesn't make the vulnerabilities fake or any less dangerous (though
you need admin access to exploit most)."

Arrigo Triulzi, a security consultant based in Switzerland, described
<https://twitter.com/cynicalsecurity/status/973591954096381952> the paper
as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an
ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an
insult."

Google security researcher Tavis Ormandy, responding to Triulzi, wrote
<https://twitter.com/taviso/status/973622044200919040>, "Nothing in this
paper matters until the attacker has already won so hard it's game over.
Not something I'm too interested in, but maybe DFIR [Digital Forensics and
Incident Response] people are?"

Ormandy is referring to the fact that exploiting these supposed flaws
requires local administrative access, making them significantly less
dangerous than vulnerabilities that can be exploited by a remote,
unprivileged user.