undefined | Better HN

0 pointsx0x08y ago0 comments

I came here to ask the same thing. How did these folks squander six months?

0 comments

I think Spectre may have appeared later, after Meltdown? Remember the investigations into what's possible were proceeding in parallel with the attempted fixes.

Also, CPU design changes take a long time. 6 months may seem a long time from the perspective of HackerNews node.js type hackers, but it's a bit harder to patch decades worth of CPU microcode than a website.

hishnash8y ago

Reading over googles project0 page it reads as if they told AMD about the issues on 2017-06-01 why would they do this if it were meltdown only?

also look at the exploit numbering:

Variant 1: bounds check bypass (CVE-2017-5753) Variant 2: branch target injection (CVE-2017-5715) Variant 3: rogue data cache load (CVE-2017-5754)

according to https://cve.mitre.org/cve/identifiers/ this is sequence based so `Variant 2` was recorded to CVE before v1 and v3.

I get it may take a long time (that is fine even if the patches took a few more days), what I don't get is that they released it to production (server) envs seemingly without testing. Surely even rudimentary testing (deploying on a few 1000 different server platforms for a few hours at least should be something that Intel does for all microcode updates, after all they are rather more important than js Node packages as you point out)

peoplewindow8y ago

I haven't heard of microcode updates that hurt stability before. Presumably the collapse of the embargo caused them to do an accelerated release, skipping their usual long testing cycle.

vbernat8y ago

Currently, they are not patching a decade worth of CPU microcodes since we have 0 working microcode. And, previously, released microcodes were only down to Ivy Bridge EP (~2014).

j / k navigate · click thread line to collapse

0 comments

peoplewindow8y ago

I think Spectre may have appeared later, after Meltdown? Remember the investigations into what's possible were proceeding in parallel with the attempted fixes.

hishnash8y ago

Reading over googles project0 page it reads as if they told AMD about the issues on 2017-06-01 why would they do this if it were meltdown only?

also look at the exploit numbering:

Variant 1: bounds check bypass (CVE-2017-5753) Variant 2: branch target injection (CVE-2017-5715) Variant 3: rogue data cache load (CVE-2017-5754)

according to https://cve.mitre.org/cve/identifiers/ this is sequence based so `Variant 2` was recorded to CVE before v1 and v3.

peoplewindow8y ago

I haven't heard of microcode updates that hurt stability before. Presumably the collapse of the embargo caused them to do an accelerated release, skipping their usual long testing cycle.

vbernat8y ago

Currently, they are not patching a decade worth of CPU microcodes since we have 0 working microcode. And, previously, released microcodes were only down to Ivy Bridge EP (~2014).

j / k navigate · click thread line to collapse