Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.
The vuln was revealed publicly in June by Trend Micro's Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind the scenes to take it seriously.
Keen-eyed Reg readers, however, noticed that Netgear quietly declared 45 of the affected products as "outside the security support period" – meaning those items won't be updated to protect them against the vuln.
America's Carnegie Mellon University summarised the vuln in a note from its Software Engineering Institute: "Multiple Netgear devices contain a stack buffer overflow in the httpd web server's handling of upgrade_check.cgi, which may allow for unauthenticated remote code execution with root privileges."
[...] With today's revelation that 45 largely consumer and SME-grade items will never be patched, Netgear faces questions over its commitment to older product lines. Such questions have begun to be addressed in Britain by calls from government agencies for new laws forcing manufacturers to reveal devices' design lifespans at the point of purchase.
Brian Gorenc, Trend Micro's senior director of vulnerability research and head of ZDI, told The Register in a statement: "Consumers should always ensure their devices are still supported by their manufacturers. They should also check the available support before purchasing a device. Unfortunately, there are too many examples of vendors abandoning devices that are still in wide use – sometimes even when they are still available to purchase. We hope vendors clearly communicate their support and lifecycle policies so that consumers can make educated choices."
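The advisory quoted above names the bug class (a stack buffer overflow in a CGI handler of the router's httpd) but not the code. The following is an added, hypothetical illustration of that class written for this page, not Netgear's httpd source and not the ZDI proof of concept: a toy handler that pulls a `version` parameter out of a query string and copies it into a 64-byte stack buffer, shown beside a bounded version. The buffer size, the parameter name, the `query_param` helper and the sample inputs are all constructed assumptions.

```c
/*
 * Hypothetical illustration of an unauthenticated CGI handler that copies a
 * request parameter into a fixed-size stack buffer. Written for this page;
 * NOT Netgear's code. Names, sizes and inputs are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Extract the value of `key` from a query string such as "a=1&key=val".
 * Returns a malloc'd copy (caller frees) or NULL if the key is absent. */
static char *query_param(const char *query, const char *key)
{
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, p + klen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* VULNERABLE pattern: the attacker-controlled value is strcpy'd into a
 * 64-byte stack buffer with no length check, so a long value runs past the
 * buffer into the saved frame. Only ever call this with short input; it is
 * here to show the shape of the bug. Returns the copied length or -1. */
int upgrade_check_vulnerable(const char *query)
{
    char version[BUF_SIZE];
    char *v = query_param(query, "version");
    if (!v) return -1;
    strcpy(version, v);               /* no bounds check */
    free(v);
    return (int)strlen(version);
}

/* HARDENED: reject anything that does not fit (leaving room for the NUL)
 * and never copy more than the buffer holds. Returns the copied length,
 * or -1 if the parameter is missing or oversized. */
int upgrade_check_fixed(const char *query)
{
    char version[BUF_SIZE];
    char *v = query_param(query, "version");
    if (!v) return -1;
    size_t len = strlen(v);
    if (len >= BUF_SIZE) {
        free(v);
        return -1;                    /* oversized: refuse, do not truncate */
    }
    memcpy(version, v, len + 1);
    free(v);
    return (int)len;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *ok = "model=example&version=1.0.4.120";   /* 9-byte value  */
    char big[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char evil[300];
    snprintf(evil, sizeof evil, "version=%s", big);       /* 255-byte value */

    printf("fixed, short value: %d\n", upgrade_check_fixed(ok));        /* 9  */
    printf("fixed, long value:  %d\n", upgrade_check_fixed(evil));      /* -1 */
    printf("vuln, short value:  %d\n", upgrade_check_vulnerable(ok));   /* 9  */
    /* upgrade_check_vulnerable(evil) would smash the stack; deliberately not called. */
    return 0;
}
```

The fix is the length check before the copy, not a switch from `strcpy` to `strncpy`: silently truncating an oversized value keeps the request alive and hides the anomaly, whereas refusing it both closes the overflow and gives the web server something to log. On a device that will never receive a firmware update, the practical mitigations are the ones the article's advice implies: keep the management interface off the WAN and replace unsupported hardware.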
(Score: 0) by Anonymous Coward on Saturday August 01 2020, @03:03AM (1 child)
Start making Netgear liable for the losses. Make it the law that if a security vulnerability was found, that you can send the Geeksquad bill to Netgear to be paid. Better yet, make it so Geeksquad can send the bill. Similar to non-voluntary recalls in the auto industry. Netgear doesn't want to fix it? Zero immunity to lawsuits.
At some point, security is going to have to be mandated, certified, and regulated. We are so well past the point where we need a National Algorithm Repository, and groups like DD-WRT, Openrouter, Tomato, pfSense, should be getting subsidies from the government. Personally, the NSA needs to stop with the fucking mass surveillance, and start acting like a National Pen Tester.
Netgear et al. should be in the hardware business only. If the only exception for liability is to be a FOSS company that utilizes a National Algorithm Repository, then that will make it exceptionally fucking serious to be running a security firm for profit. When the possible repair fees could rack up into the hundreds of millions of dollars, I'm betting that the state of security will go up. Meaning, instead of hookers and blow, those executives will be heavily incentivized to spend 10 million dollars on various pen testing groups.
That would be the last exception to the rule: security budgets in excess of 20% of gross revenue (NOT net profits, which can be gamed), that are spent on outside independent pen testing groups, grant you immunity from lawsuits. You demonstrate meaningful peer review of code, and good faith effort, you get rewarded for it.
(Score: 2) by Opportunist on Saturday August 01 2020, @10:42AM
Yeah, let's make someone else pay for you being too lazy to keep your equipment secure. That will teach them... to not sell that equipment to you, mostly. Because if you hold me liable for your own stupidity, I will refuse to do business with you, simply because it's a guaranteed loss for me.