Both the Meltdown and Spectre vulnerabilities were publicly disclosed on January 3, 2018 (6 days ahead of the originally planned January 9).

Since their public reveal, there has been some confusion between the two vulnerabilities and what the differences are. While the two bugs are reportedly similar, it has been made clear that these are two separate vulnerabilities with different requirements for mitigation.

It seems strange to reveal two critical industry-wide vulnerabilities simultaneously. Are vulnerabilities like these usually unveiled in pairs? Wouldn't it make more sense to unveil the vulnerabilities separately to prevent confusion?

Why were Meltdown and Spectre disclosed at the same time? Why not treat them as two distinct issues?

schroeder
Stevoisiak
  • The wiki you link explains the reasoning ... "The same research teams that discovered Meltdown also discovered a related CPU security vulnerability now called Spectre" – schroeder Jan 09 '18 at 15:05
  • The link also explains the need for disclosure ahead of time, which also points to the need to disclose both at the same time: patches were being released and people were wondering why the new patches were there. – schroeder Jan 09 '18 at 15:08
  • Do you believe that lowering potential confusion is a higher value than getting such an important vulnerability fixed? How much time should elapse before the 2nd vuln should be announced and be open to exploitation? – schroeder Jan 09 '18 at 15:36
  • @schroeder I may have explained myself poorly. I was more so asking why the two were grouped together as a [single coordinated disclosure](https://meltdownattack.com/), rather than being presented as two separate exploits that happened to be discovered simultaneously. – Stevoisiak Jan 09 '18 at 16:00
  • Don't you think that the same teams, disclosing the same huge threat, on the same targets (chips) being disclosed separately would cause *more* confusion? "I just heard about Meltdown!" "Really? I just heard about Spectre!" – schroeder Jan 09 '18 at 16:28
  • "The same research teams that discovered Meltdown also discovered a related CPU security vulnerability now called Spectre" – schroeder Jan 09 '18 at 16:50
  • https://www.theverge.com/2018/1/11/16878670/meltdown-spectre-disclosure-embargo-google-microsoft-linux – Hector Jan 16 '18 at 09:06

1 Answer

*Update: This article seems to cover everything.

The attack papers share many of the same authors and use similar but previously unknown attack vectors.

Both exploits resulted from the same (or at least inter-related) bodies of research. Both were initially reported on the same date (2017-02-01) - CVE-2017-5754, CVE-2017-5753, CVE-2017-5715

So assuming you view both as being of equivalent seriousness, it makes sense that the embargo / disclosure period was the same for each. Seeing as both were reported on the same day, you would expect both to be publicly released at the same time.

Meanwhile, from the authors' perspective, were one to be released earlier it would have clearly got the majority of the press attention. It seems like a fairer approach for both parties to be equally recognised.

Hector