Intel Says to Stop Applying Problematic Spectre, ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

Joe Stanganelli,
User Rank: Ninja
1/24/2018 | 9:48:30 PM

Re: What's the score?

@Brian: Well, sure, technically, it is the awareness of an issue that presents a problem more directly than the problem itself. Scrodinger's Vulnerability, I suppose.

But, of course, for all anyone knows, the vulnerability has already been exploited in the wild (and, if so, very possibly even by nation-state actors, who would probably be the best poised to have known about the vulnerability and have done so -- especially without you finding out about it).

Sure, good coordination has to go into vulnerabilty announcements and patch processes, but because this particular vulnerability is so disastrous and severe, it would be hard for much of the population to not take a Chicken Little approach here. It's a pretty bad vulnerability.

Reply | Post Message | Messages List | Start a Board

50%

BrianN060,
User Rank: Ninja
1/24/2018 | 12:38:29 AM

Re: What's the score?

@Joe: "The chaos stems more from the fact of the existence of the vulnerability." From the existence, or the manner of itheir being made public? The vulnerabilities (or the design decisions which would become vulnerabilities once cyber-technologies and use patterns would make them such), existed for decades. Not being an insider, I only became aware of the issue with the media disclosure (and via sites like DR). That's when the chaos began.

I wasn't talking about balancing likelihood against severity (akin to gambling, in my opinion), but the realized cost of the uncoordinated efforts at mitigation, against as yet unobserved exploitation. It didn't have to play out like this.

To your other points: agreed - the bungled and disjointed patches and updates are unfortunate, for the reasons you mentioned.

Your comments @Ryan: also agreed - a holistic approach is required; especially as attacks become more sophisticated and use multiple vectors.

Reply | Post Message | Messages List | Start a Board

50%

Joe Stanganelli,
User Rank: Ninja
1/23/2018 | 11:10:08 PM

Patches beget patches

This is grossly unfortunate because the very reason many people are wary of updates that are non-security or partial-security related is because of severe bugs that are usually hiding in a rushed rollout (q.v. iOS). To see this in the strictly security patch context where the severity is so high is particularly disheartening and may cause people to take the issue less seriously, I wonder.

Reply | Post Message | Messages List | Start a Board

50%

Joe Stanganelli,
User Rank: Ninja
1/23/2018 | 11:08:16 PM

Re: What's the score?

@Ryan: Yeah, but the thing is that many attacks really are "insider attacks" because even so many "outsider" attacks require compromising "insider" credentials. So it's a matter of treating this holistically and in depth as opposed to an "M&M security" approach (hard on the outside, soft in the middle).

Reply | Post Message | Messages List | Start a Board

50%

Joe Stanganelli,
User Rank: Ninja
1/23/2018 | 11:06:31 PM

Re: What's the score?

@Brian: The chaos stems more from the fact of the existence of the vulnerability. I'm not really sure that the question is well-founded given that the flaw is desperately serious.

Sure, risk management is all about assessing likelihood just as well as severity, but in this case severity is so high that it overshadows any probability rating that any accepted threat model could slap on it.

Reply | Post Message | Messages List | Start a Board

50%

RyanSepe,
User Rank: Ninja
1/23/2018 | 8:20:21 AM

Re: What's the score?

That's a good question that I would be interested in as well. Although this vulnerability affects a majority of devices the greatest risk, outside of affected DMZ devices, are users already inside of your network. Essentially it allows for persistent listeners to take advantage of an easy exploit when it may have taken them a while to figure out how to traverse the network.

Reply | Post Message | Messages List | Start a Board

50%

BrianN060,
User Rank: Ninja
1/23/2018 | 1:10:27 AM

What's the score?

The DR staff are better informed than I am; but has any of the cost and chaos of Meltdown/Spectre mitigation yet been shown to have thwarted a single attempted explotation? Put another way, have those that haven't bothered to lift a finger to prevent M/S exploitation paid the price for their indifference? One more question: how would you rate the handling of the M/S issue, from first discovery of the vulnerabilities, to the press leaks, public announcement, vendor reaction and community response - so far?

Reply | Post Message | Messages List | Start a Board

Editors' Choice

Enterprises Remain Riddled With Overprivileged Users -- and Attackers Know It

Robert Lemos, Contributing Writer, 4/1/2021

Inside the Ransomware Campaigns Targeting Exchange Servers

Kelly Sheridan, Staff Editor, Dark Reading, 4/2/2021

Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain

Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia, 3/30/2021

Live Events

Webinars

Cybersecurity Risk Management FREE Event 4/22

Using MS Teams as Your Phone System - FREE Event 4/14

Earn (ISC)2 CPEs at Interop Digital, April 29

More Informa Tech Live Events

White Papers

What Elite Threat Hunters See That Others Miss: Case Study

Are We Cyber-Resilient? The Key Question Every Organization Must Answer

SANS 2021 Cyber Threat Intelligence Survey

The Essential Guide to Securing Remote Access

Develop an Effective Prevention Strategy Designed for Virtual Desktop Infrastructure

More White Papers

Cartoon

Post a Comment

Cartoon Archive

Current Issue

2021 Top Enterprise IT Trends

We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Battle for the Endpoint

How to build a new cyber strategy for 2021 and beyond.

Download Now!

How Enterprises are Developing Secure Applications

0 comments

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

The Malware Threat Landscape

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-30480
PUBLISHED: 2021-04-09

Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...

CVE-2021-21194
PUBLISHED: 2021-04-09

Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2021-21195
PUBLISHED: 2021-04-09

Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2021-21196
PUBLISHED: 2021-04-09

Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2021-21197
PUBLISHED: 2021-04-09

Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]