Silicon Shecky

Infosec Practitioner


We are headed for a Spectre of a Meltdown

January 11, 2018 By Michael Kavka

Time to talk a bit about Spectre and Meltdown. I know, I touched on these two last week, but there is more to discuss. There are things afoot with these two that have given me some thoughts. No, I do not think the sky is falling.

I am going to start with a little tweet that I saw:

I can finally efficiently (fast) and reliably (no errors) read paged pool/non-L1 data. Time for MeltiKatz/MimiDown. I’ll sit on this a few weeks before setting the world on fire and watching it burn. Or probably someone will do it first ? pic.twitter.com/iLQOezrPV7

— Alex Ionescu (@aionescu) January 11, 2018

Worrisome? Yes. Sky is falling? No. Outside of a POC with JavaScript, I have heard nothing that does not show these bugs are LOCAL, which is even mentioned in the CVEs. Add on that they are Data Leak and not RCE (Remote Code Execution, for those unfamiliar with the term). This demo shows, though, that there is code to take advantage of Meltdown/Spectre. Seeing something like this makes me believe that there is code used in the wild that we do not know about yet. So, what we need to do is update ourselves. Keeping an eye on processes through things like Carbon Black Response or similar types of tools might be able to give us some insight into this sort of exploit happening. Once Alex releases his code, it will be easier to create alerts and watchlists for such activity.

Next up on my parade with Spectre/Meltdown is IoT. We all know that IoT can be difficult at best to update. So many hard-coded passwords, or no security really at all in the devices. You might think, so what if my fridge is leaking data? OSINT, passwords for Google or Amazon, what apps do the devices use? There are so many possibilities. Smart TVs, think about that. There, people have passwords for Hulu, Amazon, Netflix, etc., let alone viewing history and other data. How fast are patches going to be put out for those items, and will those patches be worse than the potential exploit? Which brings me to the final thought for this post…

Ever heard of the cure being worse than the disease? This statement was a fact with the Microsoft patches. AV could cause blue screening and bricking of systems, as could just having an AMD chip. It has been said that companies like Microsoft had known about Spectre/Meltdown for a couple of months prior to the disclosure. You would think they would have been building and testing patches for it for a while if they did. Instead, it looks like the patches were rushed out. So Microsoft has stopped sending out patches in certain instances. I keep hearing conflicting reports that the key that AV vendors are supposed to put in is required not just for the Spectre/Meltdown patch but that, without it, all patches will stop (if you have automatic patching set up). That could affect home users big time. Mind you, I heard about that from Smashing Security’s podcast on 1/11/18.

Still, I maintain that more is being made out of this in the mainstream media in the wrong way. Especially as far as IoT goes, this could be a great tool to start forcing those device makers to do a better job with security overall. Once again though, I think being vigilant is the best solution at this time. Keep our heads up, watch for the signs, test the fixes, and go about our daily business. Interestingly enough, a major security issue with Dell EMC happened and was not mentioned while we have been freaking out about Spectre/Meltdown. Time for us to stop melting down about this one, I think.

Filed Under: Security Tagged With: IoT, Meltdown, Patching, Spectre

Firefox 5 is out, this is not good.

June 22, 2011 By Michael Kavka

Mozilla decided to be aggressive with Firefox releases. Not a problem, just keep the old version till add-ons are all compatible. Doesn’t work that way if you want to be secure.

Mozilla announced that Firefox 5 is the security update for Firefox 4. There will be no other updates unless there is a major, and they mean major, security hole. Fine, I have no issues with doing that, keeping people on the latest version, making sure people know that is the way it is. Except for one thing. Only about 80% of the add-ons out there are going to work on Firefox 5.

The issues I have are now pretty simple, but extremely important. They are also why I think Firefox is trying to push itself to extinction. First, Firefox 5 came out today, the same day as the announcement about Firefox 4 security updates. Second, one of the add-ons that doesn’t work in Firefox 5 is for LogMeInRescue, which I use on a very regular basis. I am now forced to use a different browser for supporting clients, because Mozilla decided that to be secure I had to update and break what I need. Not very smart on Mozilla’s part.

This also leads to another issue. People will stop upgrading, just so their add-ons will work. Of course, if they don’t upgrade, they are open to more security problems. Firefox becomes a security threat due to its aggressive upgrade policy. Someone better explain this to the keepers of Firefox.

Filed Under: Internet/Music, Rants, Reviews, Security Tagged With: Firefox, Firefox Add-Ons, Mozzila, Patching, Security, Upgrades

And the pain of Automagical Updates

June 18, 2009 By Michael Kavka

Before I get started, let me say this: I believe in patching, and updating systems and software. It is essential to the security of a system.

That being said, there is something to be said about forcing updated software by calling it a high priority update. Yep, I’m talking about IE8 yet again. Don’t get me wrong, I’ve used it, and for general web browsing, it is ok, although a lot of sites still seem broken when using it. Some of it is because of the higher security settings built into IE8, the rest because a lot of sites are not optimized for IE8 yet.

The problem is that it is listed as a high priority update, and if you have a machine set to automatically install critical updates, it gets automatically installed on your machine. This is totally against the statement from Microsoft that IE8 is optional. The non-tech person does not know to check, nor is expected to know how to decline the installation of something like IE8. All of a sudden this is costing my clients money, due to the fact that they have to pay me to remove IE8 and then reinstall IE7 on their machine.

Yeah, it’s nice for my revenue, but it makes the IT world look bad overall. Clients just want things to work, and I can’t blame them for that. I just want things to work also. Microsoft doesn’t seem to care about anything except market share and money, and with more and more viable options coming out, they better start learning that reputation means everything, and properly working software is the way to get more market share and money.

Filed Under: Computers, Rants, Software Tagged With: Automatic Updates, High Priority Updates, IE8, Patches, Patching, Security
