Trying to construct a timeline of #Spectre #Meltdown, because some things don’t compute. This post will be updated! If you want to add/correct something, please comment.

The CVE numbers 2017-5715, 2017-5753 and 2017-5754 are assigned to/reserved by Intel. (I guess they asked for being assigned a range).

Bosman et al publish their findings how ASLR can be abused on cachebased architectures at the NDSS Symposium. [5]

Some time before June, 2017
The two attack vectors, now combined as #Spectre, are independently found by Google’s Project Zero researchers and researchers from the academic world. [1]

The findings are shared with Intel, AMD and Arm. [1] footnote 1

Some time before 2017-07-28
#Meltdown attack vector is identified and shared with Intel (also AMD, ARM?) (by the same group?) [1] footnote 1

Anders Fogh publishes his #Meltdown findings (found independently?) called “Negative Result: Reading Kernel Memory From User Mode” [3]

Intel informs partners and other interested parties under NDA. [2]

The CRD (Coordinated Release Date) is agreed upon to be 2018-01-09 by many parties involved. [2]

Apple releases iOS 11.2, MacOS 10.13.2 and TVos 11.2. These update contain fixes for #Spectre but that is not mentioned in the release notes.

The sweetpython post appears, speculating about what’s behind the Linux kernel patches called PTI [4]

The Register publishes an article titled “Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign” that puts enough of the information together. [6]

Bosman posts on Twitter about a working reproducer for #Meltdown [7]

Google breaks the agreed CRD and makes everything public. Amazon, Google, Microsoft declare their respective clouds are patched and safe.









Have your say!