Spectre and Meltdown
Interesting that there are no specific mentions of Spectre and Meltdown in the wild yet.
Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them. In-the-wild worries from Microsoft The December patch bundle from Microsoft addresses a total of 39 vulnerabilities, including one that is publicly known and another that is …
I believe there have been some Meltdown ones.
Spectre is difficult to exploit. As I understand it, it's really mostly a route to attack those who put some of their eggs in "the cloud" services, as the easiest/most reliable Spectre exploits rely on being a VM living on the same host machine as your target.
If you're self-hosted, then an attacker in a position to use Spectre vulnerabilities is also able to use other, faster and more reliable vulnerabilities, or doesn't need to bother because they're already inside the airtight hatchway.
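Whether or not an attacker on your box needs Spectre, the kernel will tell you which of these issues it considers mitigated. The script below is an added example, not part of the original thread or of any project: since Linux 4.15 the kernel exposes one file per issue under /sys/devices/system/cpu/vulnerabilities, each reading "Not affected", "Mitigation: ..." or "Vulnerable[: ...]". The function reports every file and returns the number of unmitigated entries; the directory argument, the function names and the sample directory with its contents are assumptions made for the example so it can run offline.

```shell
#!/bin/sh
# Added example (not from the original page): summarise the kernel's own
# view of Spectre/Meltdown mitigations from sysfs.
#
# Each file under /sys/devices/system/cpu/vulnerabilities (Linux 4.15+)
# reads one of: "Not affected", "Mitigation: <what>", "Vulnerable[: <why>]".
# Anything starting with "Vulnerable" is flagged and counted.

vuln_report() {
    # First argument overrides the sysfs path so a constructed directory
    # can be inspected instead of the live machine.
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    unmitigated=0

    if [ ! -d "$dir" ]; then
        echo "no $dir: not Linux, or kernel predates the sysfs interface (pre-4.15)" >&2
        return 2
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # empty dir leaves the literal glob
        name=$(basename "$f")
        status=$(cat "$f")               # command substitution drops the newline
        case "$status" in
            Vulnerable*) unmitigated=$((unmitigated + 1)); flag="!!" ;;
            *)           flag="  " ;;
        esac
        printf '%s %-20s %s\n' "$flag" "$name" "$status"
    done

    return "$unmitigated"               # 0 = everything mitigated or not affected
}

# Constructed sample (assumption, not captured from a real machine): a box
# whose kernel has PTI but whose retpoline build lacks IBPB.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                     > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Retpoline without IBPB\n'  > "$d/spectre_v2"
    printf 'Not affected\n'                        > "$d/l1tf"
    echo "$d"
}

# Usage:
#   vuln_report                        # live machine; rc = count of "Vulnerable" entries
#   vuln_report "$(make_sample_dir)"   # the constructed sample above; rc = 1
```

The exit status is deliberately the count rather than a boolean, so a fleet check can sum it across hosts; note that a microcode or firmware update can change these files without a kernel change, so re-run it after BIOS updates, not only after `apt upgrade`.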
It's still not as bad as getting the patches from Digital Equipment for PDP-11 RSTS/E and sitting there at the LA100 typing patches into the patch area, having first typed in the branch to the patch area and finishing with the return branch to the address following the "patched" code.
I can't help wondering what the results would be if the software engineers, and the companies they worked for, put much more emphasis on 'getting it right' rather than 'getting it out of the door'. Would Microslurp have the problems with Win 10 if they had had at least 2 years of black hat style testing for vulnerabilities before they let it loose on the world?
Having worked in support and distribution at a dealer for a well-known piece of software, and having received a new version and not been allowed to test it for problems before sending it to customers, I wouldn't blame the software engineers.
It is almost certainly sales and marketing insisting that it needs to be out there NOW so as not to hurt their commissions.
This one sounds like it could be fun. Just imagine: you're yawning your way through the presentation on key strategic objectives for Q2 and Q3 when suddenly the screen comes alive with the sight of command prompt windows springing up and scripts executing, whilst the managers flap about in a panic.
I miss the days of having a service pack: all the updates wrapped up in one giant bundle that one could slipstream into the installer, instead of having to install the OS, then manually install a set of patches in order to be able to perform automatic updates. (If you guessed the 'modern' Windows 7 scratch build, you may have an internet gold star.)
Granted, the cumulative update model is reasonable enough... provided the machine is able to pull the bloody thing down.
Biting the hand that feeds IT © 1998–2019