Common Vulnerabilities and Exposures – Not one vendor is better than the other

Now that Meltdown and Spectre are being highlighted in the press, it is a great time to raise awareness of some actual truths about Common Vulnerabilities and Exposures (CVEs). Meltdown and Spectre are tracked under these CVE numbers:

  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

CVE is a system for keeping track of vulnerabilities that affect modern computer hardware. From Wikipedia: “The National Cybersecurity FFRDC, operated by the Mitre Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security.”

What is a vulnerability, and how is it different from a virus or malware? A vulnerability is a weakness in a system that allows malware, viruses, or other malicious code or scripts to operate. There are also undocumented vulnerabilities that are sold on the black market; they are more valuable the less known they are and the more systems they affect. Meltdown and Spectre would be a good example if they weren’t already known. The NSA, FSB and other organizations, some legitimate and others criminal, also deal in unknown vulnerabilities and put them into toolkits for spying, stealing, surveillance, and other nefarious uses.

THE MOST IMPORTANT THING TO NOTE:

Not one vendor (I’m looking at you, Apple fanboys) is better in this regard. All major vendors have been at the top of the CVE list in one year or another.

To claim that because you have an Apple you don’t need to worry about this security stuff is like saying I’m safe to walk on this volcano because I have fire-retardant boots on.

Some vendors only respond to PR when challenged to explain security patches and actively try to hide the CVEs, while others take a mixed approach, and the good ones are completely open.

Also, your mileage will vary depending on how good you are at patching your stuff, so you should most definitely patch all your devices regularly and on purpose. I would recommend a scheduled day.
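As an added example that is not part of the original post, here is a POSIX shell check that maps the three CVE numbers listed above to the status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later) and reports whether each is still unmitigated on the machine you are patching; the function names, the directory parameter and the constructed status strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the kernel's per-variant
# status files; the directory is a parameter so the check also works on a
# copy captured from another host. Assumes a Linux 4.15+ kernel layout.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map each CVE from the post to the kernel's status file name.
cve_to_file() {
    case "$1" in
        CVE-2017-5753) echo spectre_v1 ;;   # Variant 1: bounds check bypass
        CVE-2017-5715) echo spectre_v2 ;;   # Variant 2: branch target injection
        CVE-2017-5754) echo meltdown ;;     # Variant 3: rogue data cache load
        *) return 1 ;;
    esac
}

# Classify one status line as the kernel reports it, e.g. "Mitigation: PTI",
# "Vulnerable" or "Not affected". Anything else is reported as unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print one line per variant. Returns 0 when every variant is mitigated or
# not affected, 1 when any variant is still vulnerable or could not be read.
check_cpu_vulns() {
    dir="${1:-$VULN_DIR_DEFAULT}"
    rc=0
    for cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754; do
        name=$(cve_to_file "$cve")
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            status="unknown (file missing)"
        fi
        verdict=$(classify_status "$status")
        printf '%s  %-10s  %-12s  %s\n' "$cve" "$name" "$verdict" "$status"
        case "$verdict" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}
```

Run `check_cpu_vulns` with no argument on a live Linux host; a non-zero exit means at least one of the three variants still needs a kernel or microcode update.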
