| 1 |
On Wed, Mar 14, 2018 at 3:16 PM, Adam Carter <adamcarter3@×××××.com> wrote: |
| 2 |
|
| 3 |
> On Wed, Mar 14, 2018 at 12:32 PM, Philip Webb <purslow@××××××××.net> |
| 4 |
> wrote: |
| 5 |
> |
| 6 |
>> 180313 Ian Zimmerman wrote: |
| 7 |
>> > https://v.gd/PZkiuR |
| 8 |
>> > Does anyone know more details? |
| 9 |
>> |
| 10 |
>> See LWN. It is being described as a scam by people shorting AMD stock. |
| 11 |
> |
| 12 |
> |
| 13 |
> Dan Guido / Trail of Bits was paid to review the exploits and has |
| 14 |
> confirmed they work. I don't think he'd burn his reputation on this. |
| 15 |
> |
| 16 |
> The language around AMD shares being worth $0 is clearly absurd and that |
| 17 |
> source should be ignored. |
| 18 |
> |
| 19 |
> |
| 20 |
From http://www.theregister.co.uk/2018/03/13/amd_flaws_analysis/?page=2 |
| 21 |
|
| 22 |
Jake Williams, founder and president of Rendition Infosec, commented on the |
| 23 |
above quoted disclaimer via Twitter |
| 24 |
<https://twitter.com/MalwareJake/status/973608157208461312>, saying, "I'm |
| 25 |
pretty well convinced that this is designed to manipulate stock prices. |
| 26 |
That doesn't make the vulnerabilities fake or any less dangerous (though |
| 27 |
you need admin access to exploit most)." |
| 28 |
|
| 29 |
Arrigo Triulzi, a security consultant based in Switzerland, described |
| 30 |
<https://twitter.com/cynicalsecurity/status/973591954096381952> the paper |
| 31 |
as "over-hyped beyond belief" and added, "This is a whitepaper worthy of an |
| 32 |
ICO [cryptocurrency initial coin offering]. And yes, that is meant to be an |
| 33 |
insult." |
| 34 |
|
| 35 |
Google security researcher Tavis Ormandy, responding to Triulzi wrote |
| 36 |
<https://twitter.com/taviso/status/973622044200919040>, "Nothing in this |
| 37 |
paper matters until the attacker has already won so hard it's game over. |
| 38 |
Not something I'm too interested in, but maybe DFIR [Digital Forensics and |
| 39 |
Incident Response] people are?" |
| 40 |
|
| 41 |
Ormandy is referring to the fact that exploiting these supposed flaws |
| 42 |
require local administrative access, making them significantly less |
| 43 |
dangerous than vulnerabilities that can be exploited by a remote, |
| 44 |
unprivileged user. |
Archives