Experts Predict Record 20,000 CVEs for 2020:
This year could see a record breaking 20,000 vulnerabilities reported, with major increases in mobile bugs already in 2020, according to Skybox Security.
The security vendor's midyear update to its 2020 Vulnerability and Threat Trends Report contains some concerning findings for organizations as they struggle to manage cyber-risk at a time of mass remote working.
With 9,000 vulnerabilities reported in the first half of the year, the firm predicts the final total for 2020 could top twice that figure. The figure for new CVEs in 2019 was 17,304. Without risk-based automated patch management systems, organizations struggle to mitigate these issues, leaving them exposed to attacks.
Part of this increase is due to a surge in Android OS flaws: these increased 50% year-on-year, according to Skybox.
(Score: 2) by bzipitidoo on Wednesday July 22 2020, @10:18AM (5 children)
There's also too much focus on "security" bugs. This whole idea of classifying bugs into two kinds: those that impact security, and all the rest, overlooks quality. To use an analogy with a building, it can be like worrying that the locks on the doors are in good order and the windows all latch properly, while ignoring that the A/C is broken, and the plumbing leaks. The first thing the occupants are going to do to keep the building as cool as possible is open all the windows and leave them open. It won't matter that the latches work great.
So then people may decide to count a broken A/C as a security issue. Keep going down that slippery slope, and pretty soon, almost every bug is a security issue. Some people are paranoids who contrive to link everything to security. The already dubious distinction is rendered useless.
If anything is like a wide open window, it's MS Windows. MS could do better, but they and their customers do not want to be inconvenienced. Then there are bugs such as the Spectre class of bugs in CPUs. There hasn't been a scramble to fully fix the security issue ASAP. They're only being "mitigated". The risk is low and no one wants to take the performance hit. Most especially, no one wants to go back to 25-year-old CPUs that don't have speculative execution and therefore can't have the related vulnerabilities. So much for the overriding importance of security.
(Score: 2) by hendrikboom on Wednesday July 22 2020, @07:55PM
I suspect 15-year-old CPUs will do.
(Score: 2) by takyon on Wednesday July 22 2020, @08:04PM (1 child)
Connecting to the internet is the problem.
Keep some computers off of the internet, and some on, with the expectation that the latter group could become compromised. But probably not all at once.
Just have a computer for every single task like that Mojibake Tenga guy.
(Score: 0) by Anonymous Coward on Thursday July 23 2020, @12:47AM
Or boot off of a read-only USB key with a (customized) live linux distro.
Every reboot is a fresh machine ... (If you check the hashes periodically)
(Score: 2) by hendrikboom on Wednesday July 22 2020, @11:14PM
A nonsecurity bug in one program may well cause a security bug in an otherwise correct program that relies on the first one to behave correctly.
(Score: 0) by Anonymous Coward on Thursday July 23 2020, @12:45AM
I am using a late model single core P4 with freq scaling of 2.4 to 3.4 MHz. The cache bugs are there if you try to test for them, but the CPU does not have enough computing power to get reliable data out of the side channel, and likely not a deep enough cache to make the attacks usable.