We have one public disclosure of exploit code this week for
a previously disclosed Schneider vulnerability. I have also seen some
interesting discussions (without any details as they have not yet been
disclosed) on the next generation of Spectre vulnerabilities (ingeniously
called Spectre NG).
Schneider Exploit
Tenable posted a very short proof-of-concept exploit to ExploitDB.com for the
Schneider InduSoft Web Studio and InTouch Machine Edition. This stack-based
buffer overflow vulnerability was reported last month.
Tenable initially reported the vulnerability to Schneider
and received credit for that coordinated disclosure in both the ICS-CERT and
Schneider advisories. They received a lot more press this week, however (see here
for example), when they released the exploit code for a
vulnerability that both ICS-CERT and Schneider noted was exploitable by a
relatively low-skilled attacker without the aid of a publicly disclosed exploit.
Spectre NG
There have been a number of press reports (see here, here and here
for example) about the Spectre NG vulnerabilities in the Intel chips. In what
appears to be the initial public reporting of these new chip vulnerabilities, Jürgen
Schmidt reported
that “eight new security flaws in Intel CPUs have already been reported to the
manufacturer by several teams of researchers”.
Jürgen also notes:
“An end to patches for hardware
problems of the Spectre category is not in sight. But a never-ending flood of
patches is not an acceptable solution. You can't shrug off the fact that the
core component of our entire IT infrastructure has a fundamental security
problem that will keep leading to more problems.”
This is a legacy issue that will be around for a long time.