Gotta love Slackware :-)
In the last week of the year there were also updates for Python, Samba, expat, and openssh ... I eyeball the changelogs pretty much daily, takes no time. See:
Slackware has raced out of the blocks in 2017, issuing one patch for the libpng image library on New Year's Day, and two Mozilla patches. The libpng bug got its Common Vulnerabilities and Exposures number, CVE-2016-10087, on December 30. Slackware's announcement says the bug can't be exploited without active user input. The “ …
It doesn't matter how long you've been using the library without any problems, the potential is still there for a hack. Kudos to Slackware for fixing it, but how many more bugs are out there just waiting discovery? Or are currently known and exploited by the State?
Moving on, I think we need to reexamine the way software gets written and tested - because our current methods aren't working. Today's #1 defense is to "run it in a sandbox" ... so of course the #1 hack is to break out of the sandbox - duh, we didn't see that coming?
I'd say the longer you've been running a particular software, the more likely a bug like this actually is.
People don't get that the software attack surface might be static, but the attacks used against it are constantly evolving. No matter whether you update every day, every month, or not at all, it makes little difference (some, but little) as almost every new attack is just that - new.
And leaving software alone because "it just works" is missing the point. It still needs to be isolated and protected from any form of input, usually by devices and interfaces that ARE updated regularly and religiously.
The amount of embedded device code on a network is scary nowadays, which is why you have to make sure that your frontline and your users are behaving themselves and kept up to date against all these kinds of things. You have to come in at a zero-trust angle in order to stand any chance.
Just because something's worked fine for 10 years does NOT mean that it's safe. It means it's got ten years' worth of attacks against it that it was never designed to combat.
Biting the hand that feeds IT © 1998–2019