ZombieLoad - A new but not so new threat
The latest threat to computers is the ZombieLoad vulnerability.
So many of the known threats to computer devices are because of how the software or hardware was created. The exploits and vulnerabilities we discover are flaws in how the system or code was constructed. Is it possible that we just didn’t have the tools we needed to test for security flaws?
I often wonder, when a flaw is uncovered, whether it is because of persistence or because of a lack of persistence when testing at the design stage. Are we so concerned with getting the final product on the shelf or out in the market that we neglect to consider the possibility that we just built or coded something that can be exploited in a worldwide outbreak affecting millions of users?
I guess there is a bit of irony in being personally affected by a design or piece of code you released into the wild, or in being a company that carries the responsibility of reacting to such devastation with patches to reach the masses.
Is it enough that there are groups dedicated to finding these flaws before they are discovered by the wrong people? I’m not sure there is a way of knowing, in most cases, if the flaw had been exploited before patches were distributed. For those wanting to do damage or gain monetary leverage, it would be in their best interest to find ways to preempt the patches and then find a way to bypass them.
Of course, they may be vulnerable to the same exploit, so let’s not sit idly by waiting for the bad guys to do end runs around our fixes or to automate discovery of who is not patched.
Kudos to Michael Schwarz, Daniel Gruss and Moritz Lipp.