Comments
Meltdown, Spectre Likely Just Scratch the Surface of Microprocessor Vulnerabilities
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/10/2018 | 6:03:57 PM
Still just vulnerabilities
As bad as these out-of-sequence execution vulnerabilities are (and might prove to be), we saw more than enough monsterously bad cybersecurity breaches in 2017 - without the help of Meltdown, Spectre or any follow-on scenarios. 

We need something better than just chasing down vulnerabilities and patching, to approach any acceptable level of cybersecurity.  
PatrickH94102
50%
50%
PatrickH94102,
User Rank: Apprentice
1/9/2018 | 8:09:34 PM
Re: Another thing to consider
Yup BIOS updates have been a mostly ignored / de-prioritized security risk.  Some new security companies such as Eclypsium are working on BIOS integrity and version reporting & updating for enterprises.
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
1/9/2018 | 1:09:33 PM
Re: Another thing to consider
Fortunately most BIOS updates are now operating system - installable items.  I remember the dead, long dead days of Compaq Deskpro with 3.5" floppy disk updates and heaven forbid you interrupt the BIOS load --- dead machine if you do that.  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/9/2018 | 10:49:36 AM
Re: Another thing to consider
Firmware updates are going to become a much bigger issue for IT and security folks now for more than just IoT devices. And servers obviously are a priority, so it's going to be interesting.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/9/2018 | 10:45:24 AM
Another thing to consider
BIOS - How many IT professionals regularly update the BIOS of their office systems?  My estimate is easy: never and knowing the threat landscape, there HAS to be vulnerabilities there as well. 


Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-13106
PUBLISHED: 2018-08-15
Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13107
PUBLISHED: 2018-08-15
Live.me - live stream video chat, 3.7.20, 2017-11-06, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13108
PUBLISHED: 2018-08-15
DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13100
PUBLISHED: 2018-08-15
DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.
CVE-2017-13101
PUBLISHED: 2018-08-15
Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-10-03, iOS application uses a hard-coded key for encryption. Data stored using this key can be decrypted by anyone able to access this key.