Common Vulnerabilities and Exposures – Not one vendor is better than the other
Now that Meltdown and Spectre are being highlighted in the press, this is a great time to raise
awareness of some actual truths about common vulnerabilities and exposures
(CVEs). Meltdown and Spectre are tracked under three of these CVE numbers:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
A CVE is a method of keeping track of vulnerabilities that affect
modern computer hardware. From Wikipedia:
- “The National Cybersecurity FFRDC, operated by the Mitre Corporation,
maintains the system, with funding from the National Cyber Security Division of
the United States Department of Homeland Security.”
What is a vulnerability, and how is it different from a virus or
malware? A vulnerability is a method or weakness in a system that allows
malware, viruses, or other malicious code or scripts to operate. There are also
undocumented vulnerabilities that are sold
on the black market; they are more valuable the less widely known they are and the
more systems they affect. Meltdown and Spectre would be a good example if they
weren’t public. The NSA, FSB and other organizations, some legitimate and others
criminal, also deal in unknown vulnerabilities and put them into toolkits
for use in spying, stealing, surveillance, and other nefarious uses.
THE MOST IMPORTANT THING TO NOTE:
Not one vendor (I’m looking at you, Apple fanboys) is better in
this regard. All major vendors have been at the top of the CVE list in one year or
another.
To claim that because you have an Apple you don’t need to worry
about this security stuff is like saying I’m safe to walk on this volcano
because I have fire retardant boots on.
Some vendors only respond to PR when challenged to explain
security patches and actively try to hide the CVEs, while others take a mixed approach,
and the good ones are completely open.
Also, your mileage will vary depending on how good you are at
patching your stuff, so in that regard you should most definitely patch all your
devices regularly and deliberately. I would recommend a scheduled day.
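As an added example (not part of the original post): on Linux, the kernel reports its own mitigation status for these three CVEs as one file each under /sys/devices/system/cpu/vulnerabilities/, which is a quick way to confirm that a patch day actually took effect on a given box. The script below maps the CVE numbers listed above to those file names and flags anything reported as Vulnerable or not reported at all. The CVE-to-file mapping, the optional directory argument (so the functions can be pointed at a test copy), and the status strings used in testing are the assumptions here.

```shell
#!/bin/sh
# Added example, not from the original post: read the kernel's mitigation
# status for the Meltdown/Spectre CVEs. Linux exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (assumed default below); the
# directory is a parameter so the functions can be run against a constructed copy.

# Map the CVE numbers from the post to the kernel's sysfs file names (assumed mapping).
cve_to_sysfs() {
  case "$1" in
    CVE-2017-5753) echo spectre_v1 ;;   # Variant 1: bounds check bypass
    CVE-2017-5715) echo spectre_v2 ;;   # Variant 2: branch target injection
    CVE-2017-5754) echo meltdown ;;     # Variant 3: rogue data cache load
    *) return 1 ;;
  esac
}

# Print "<CVE> <status>" for one CVE. Status is the kernel's own text
# ("Not affected", "Mitigation: ...", "Vulnerable", ...) or "unknown" when the
# file is absent, e.g. on a kernel that predates this interface.
mitigation_status() {
  dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
  name=$(cve_to_sysfs "$1") || { echo "$1 unsupported"; return 2; }
  if [ -r "$dir/$name" ]; then
    echo "$1 $(cat "$dir/$name")"
  else
    echo "$1 unknown"
  fi
}

# Print one line per CVE. Return 0 if every CVE is mitigated or not affected,
# 1 if any status starts with "Vulnerable" or is unknown.
check_all() {
  dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
  rc=0
  for cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754; do
    line=$(mitigation_status "$cve" "$dir")
    echo "$line"
    case "$line" in
      *" Vulnerable"*|*" unknown") rc=1 ;;
    esac
  done
  return $rc
}

# Run against the live kernel when invoked with --run; exit status is the verdict.
if [ "${1:-}" = "--run" ]; then
  check_all
fi
```

Run it with --run on the machine in question; a line ending in Vulnerable or unknown is the cue to patch (or to move to a kernel recent enough to report the interface at all).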