Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Risk Based Security brings some sanity to the Meltdown debacle

    Posted on January 9th, 2018 at 15:52 woody

    I just finished reading this article, recommended by Kevin Beaumont: “The Slow Burn of Meltdown and Spectre: Exploits, Lawsuits, and Perspective.”

    Here’s the conclusion:

    Vulnerabilities are disclosed every day, to the tune of over 20,000 new disclosures in 2017 alone. Just because a vulnerability receives a name, a website, and/or a marketing campaign does not necessarily mean it is high risk or that it will impact your organization. As always, we strongly encourage organizations to cut through the noise and focus on the details relevant to them, and make a decision based on that alone.

    I repeat – forgive me if you’ve heard this before – but there are NO KNOWN Meltdown or Spectre exploits in the wild. Folks who run servers with sensitive data — banks, brokerage houses, military contractors, cryptocurrency exchanges — need to be concerned about Meltdown and Spectre in the near term, realizing that the data can only be snooped if you allow an unauthorized program to run on your server.

    For everybody else, the first attacks (if there ever are any) are likely to come through web browsers. You need to harden your browser as soon as the update is available. You’ll want to install the new Windows patches as soon as they pass muster. And you need to get your BIOS or UEFI updated one of these days. But there’s no big rush.

    What you’re witnessing is a colossal “Sky is Falling” routine, aided and abetted by folks who are going to make money from the havoc.

  • January security patches are out

    Posted on January 9th, 2018 at 12:22 woody

    The Release Notes are up. A total of 93 separate patches.

    SANS Internet Storm Center posted its usual list. 

    No known exploits.

    Weird. The Jan. 3 patches are listed in the Update Summary Guide as Jan. 9.

    Holy Guacamole, Bitman. Martin Brinkmann just posted his overview at ghacks.net and it goes on for pages and pages and pages.

    There’s some confusion about the Equation Editor vulnerability. You may recall that the original hole, CVE-2017-11882, was patched in November. This new patch, for CVE-2018-0802, takes the nuclear option — it removes Equation Editor from Word. @yuhong2 advises on Twitter that the Eqn Editor EXE turns into 0 bytes, so it’s even dead with WordPad.

    UPDATE: It looks like the Equation Editor patch is the only patch in this month’s crop that has known exploits.

  • Microsoft yanks all of this month’s Windows patches for “devices with impacted AMD processors”

    Posted on January 9th, 2018 at 05:49 woody

    Let’s hear it for beta testing.

    Early this morning, Microsoft officially announced that it was pulling all of this month’s Meltdown/Spectre patches for folks with AMD processors.

    That’s just the tip of the iceberg.

    Computerworld Woody on Windows.

    UPDATE: Kevin Beaumont has a sobering report on the status of antivirus vendors cooperating (or not) with Microsoft:

    this has been incredibly messy for everybody involved. My belief is organisations shouldn’t rush these patches out. They need to carefully test and see where they need to mitigate the vulnerability.

    As I’ve said many, many times before, there’s no reason to install any of the patches yet. In spite of what you saw on TV, or read in the newspaper — or what you heard from a Windows security “expert.”