
> AMD unexpectedly publish patches, earlier than an agreed embargo date.

> As the fix is now public, we propose privately notifying major distributions that they should begin preparing updated firmware packages.

AMD had to drop the ball somewhere, didn't it.



It's good that they published patches early, isn't it?


You'd want the delay between first publication of X and the microcode update making its way into releases of OSes to be smallest, for various values of X (mention of a vulnerability, microcode patch, description of vulnerability, PoC). Making various OS releasers aware that a microcode patch that fixes a vulnerability will be published on a given date before that date decreases that for most values of X.


Yes. It was unexpected, but good. Not a complaint.


Uh, okay. I thought the embargo date was set so you could have enough time to inform the distros. Not the case, then.


Won't that theoretically allow malicious actors to study the patch and exploit the now 1-day vulnerability?

Not that I think it's realistic to develop an exploit and gain real value in three days, but theoretically, if all parties had taken more than three days to distribute and apply the patches?


Publishing patches early is good. Publishing patches unexpectedly before embargo isn't.


The second sentence seems to contradict the first.



