The bug allows attackers to swipe data from a CPU’s registers. […] the exploit doesn’t require physical hardware access and can be triggered by loading JavaScript on a malicious website.

  • 9488fcea02a9@sh.itjust.works
    1 year ago

    What are the rules on responsible disclosure? Shouldn’t they have waited until patches are ready before public disclosure of the exploit?

    • Godort@lemm.ee
      1 year ago

      I mean, this was disclosed to AMD a few months back and there actually is a patch available currently for Epyc CPUs.

      It’d be nice if they waited until all the patches were out, but I’d rather this than a full zero-day exploit of this scale in the wild.

      • UnfortunateShort@lemmy.world
        1 year ago

        It’s very weird it takes them so long to fix this for consumers tbh. You’d think they could just take the snippet from Epyc and patch it into AGESA, since it’s exactly the same architecture. December is hardly acceptable for a critical vulnerability like this.

        This is a great opportunity to remind people that NoScript, HTTPS-only modes and filter lists for malicious websites (to use in your adblock of choice) exist. Use them.

        • Melody Fwygon@lemmy.one
          1 year ago

          This kind of shit is exactly why I use uMatrix as well as uBlock Origin. It allows me to monitor and control 3rd party scripts and allow only what’s needed for a website. If a malicious 3rd party script does happen to get injected into things, I usually notice…especially if it actually breaks shit on the website by not loading it.