8 Big Processor Vulnerabilities in 2018

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

100%

[email protected],
User Rank: Author
7/17/2018 | 3:02:32 PM

Excellent overview -- but does it end here?

Nicely summarized the evolution of the biggest hardware-level nightmare of 2018 (I hope I don't have to include "so far"...)

After spending a good part of this year watching our infrastructure engineers and security experts trying to come up with a solid mitigation plan that would not kill our SaaS platform immediately and seeing how our response strategy had to change more than a dozen times as the new and updated kernel patches and CPU microcodes were published and recalled, and new and updated attack vectors and vulnerabilities were discovered, it became literally impossible to keep track of our overall exposure and risks.

Not to mention our enterprise customers, who tried so hard to keep track on our patching progress for the first three months of the year, after which they gave up as the development of this crisis turned into an unmanageable nightmare.

In the end, similarly to how the industry seems to be getting used to the fact that data breaches are the new reality and the overwhelming amount of new incidents does not come out as a surprise anymore, we need to accept that the complexity of today's CPUs, together with the fact that the primary focus of the manufacturers was, is and will be the performance, means that there might be many additional hw-level security flaws to be discovered over the next months and years.

To me, the takeaway is very simple: security and privacy are ongoing end to end process and rather than relying on particular technology or safeguard, we need to continue looking on risks and mitigate them on all the levels, starting by collecting just the minimal data needed - and ending by continuously improving the layered security.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

US Turning Up the Heat on North Korea's Cyber Threat Operations

Jai Vijayan, Contributing Writer, 9/16/2019

MITRE Releases 2019 List of Top 25 Software Weaknesses

Kelly Sheridan, Staff Editor, Dark Reading, 9/17/2019

WeWork's Wi-Fi Exposed Files, Credentials, Emails

Dark Reading Staff 9/20/2019

Live Events

Webinars

[Video] Shaping the Future of IT CIO Lightning Series - Interop19

[Video] An (Ir)rational Approach to Interoperability - Interop19

Enterprise Connect Conference & Expo 2020 - Registration Now Open!

More Informa Tech Live Events

White Papers

[eBook] It's Time to Embrace the Cloud

Build Your Own SOC or Partner with an MSSP

Security 911: How to Be a Zero-Day Network First Responder

[Guide] Gaining Insights into Hidden & High Priority Threats

Farewell Passwords? The Future of Identity and Authorization

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: "He's too shy to invite me out face to face!"

Cartoon Archive

Current Issue

7 Threats & Disruptive Forces Changing the Face of Cybersecurity

This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

The State of IT Operations and Cybersecurity Operations

Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Here’s some insight on what's working – and what isn't – in the data center.

Download Now!

How Enterprises Are Developing Secure Applications

0 comments

The State of Cyber Security Incident Response

0 comments

How Enterprises Are Attacking the Cybersecurity Problem

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2019-15138
PUBLISHED: 2019-09-20

The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.

CVE-2019-6145
PUBLISHED: 2019-09-20

Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...

CVE-2019-6649
PUBLISHED: 2019-09-20

F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.

CVE-2019-6650
PUBLISHED: 2019-09-20

F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings.

CVE-2014-10396
PUBLISHED: 2019-09-20

The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.

Terms of Service
Privacy Statement
Legal Entities