[derefr]

This assumes that either 1. partners and interested sponsor-state state actors aren't kept abreast Intel's microcode backend architecture, or 2. that there hasn't been at least one leak of this information from one of these partners into the hands of interested APT developers. I wouldn't put strong faith in either of these assumptions.

[ajross]

It does, but the same is true for virtually any such crash vulnerability. The question was whether this was a "valuable exploit", not whether it might theoretically be worse.

The space of theoretically-very-bad attacks is much larger than practical ones people will pay for, c.f. rowhammer.

[ethbr1]

>> Getting to a vulnerability would require understanding exactly how the corrupted microcode state works, and that seems extremely difficult outside of Intel.

Intel knows exactly how their ROB works.

Therefore Intel knows the possible consequences of this bug and how to trigger them.

If there is a privilege execution path from this, Intel knows. And anyone Intel chose to share it with knew.

Thankfully, since it's public now, the value of that decreases and customers can begin to mitigate.

[ajross]

> If there is a privilege execution path from this, Intel knows. And anyone Intel chose to share it with knew.

No, or at least not yet. I mean, I've written plenty of bugs. More than I can count. How many of them were genuine security vulnerabilities if properly exploited? Probably not zero. But... I don't know. And I wrote the code!

[saagarjha]

Intel said it can be used for escalation if that answers your question.

[lmm]

Did they confirm that it can definitely be used for escalation? The description I saw was "may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access" which sounds like they're covering all their bases and may not actually know what is and isn't possible.