Great quote....but that's like buying shoes that hurt your feet for the first year!
I like this idea. It's a good safety check, to make sure the update is legit. A changelog won't last very long on the official site, if it was put up by hackers. On the other hand, if they did hack the updating system, they can just leave the changelog to display on the site, and upload their rogue file to replace the legit one.
People should only maintain their software only after a changelog was posted for a while
That would require them to have access to that resource for a while and wait for a new release and then hope no one notices the file got changed. I don't think anyone will accept all this risk to get a few weirdos that don't auto update.
I like this idea. It's a good safety check, to make sure the update is legit. A changelog won't last very long on the official site, if it was put up by hackers. On the other hand, if they did hack the updating system, they can just leave the changelog to display on the site, and upload their rogue file to replace the legit one.
Depends on the user. For me there is a higher risk in update poisoning as I don't download random crap to abuse the unpatched software and remote exploits are not something that will happen.
Updates often have security fixes. Isn't the risk of unpatched software greater than the risk of update poisoning?
Sometimes, software is discovered to be inherently flawed. For instance, Logitech recently had to patch their software for this reason
That would require them to have access to that resource for a while and wait for a new release and then hope no one notices the file got changed. I don't think anyone will accept all this risk to get a few weirdos that don't auto update.
I use the same Logitech software but after I set up my keys and speed I remove it. Maybe your device doesn't have onboard memory to save the profile.
Sometimes, software is discovered to be inherently flawed. For instance, Logitech recently had to patch their software for this reason
Project Zero finds Logitech Options app critically flawed
I actually had this software on my computer.
So your strategy is good for you, since you keep your system lean in the first place, and also read the security news. But I think that for non-experts, it is better to take software updates as they are offered.
In this ASUS incident, and also the CCleaner one, the backdoor was actively used only on a small number of machines. This indicates that they are after info from a high-value target, and us little guys are relatively safe.
Even GB's SW was hacked and shipped with signed malware firmware.
I have an ASUS Mobo, and this gives me one more good reason to get a Gigabyte next time. Fortunately, I don't have ASUS's garbage software installed.
I assume that all the AVs will soon be detecting it.
True.
These days we don't need tools like that because BIOS update is rarely needed!
ASUS Live Update version 3.6.8 contains the aforementioned fixes, the hardware vendor announced in a press release today.
The company said ASUS Live Update v3.6.8 "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism."
ASUS also said it updated and strengthened its "server-to-end-user software architecture to prevent similar attacks from happening in the future."
Do you have one and is it hardened?
If you haven't switched to a Chromebook yet, now would be a good time.
I do agree old BIOS and mobos are good but the new ones are buggy, there are many articles related to this... and regarding support, while Intel published Spectre and Meltdown updates, ASRock and MSI updated their 2nd gen CPU BIOS but Asus didn't, also they have not provided Windows 10 driver updates. I asked them about this, they told me they only support a mobo for 3 years only... now this might be region specific but I have faced this...
If you have problems with ASUS BIOS, you have problems with ASUS MBs in general. I've actually been using ASUS MBs for over a decade and never had a single problem with their BIOS updates, in fact they're one of the few MB suppliers who actually support and update their BIOS for years.
Then again this is 2019, there are no MBs with BIOS on the market.
Please note that the compromised software was an optional install, it was not part of the firmware. It was what many of us would call "bloatware", most people did not even install it in the first place.
So, I guess this is an example of when formatting the harddrive would have made no difference at all.
It comes preinstalled on all ASUS laptops.
Please note that the compromised software was an optional install
Thanks, I didn't know that. I have an ASUS mobo but it is a custom-built desktop. Yeah, laptops come with potentially dangerous bloatware, that's the way it is.
It comes preinstalled on all ASUS laptops.
But it can be uninstalled and that's the first thing I remove regardless of any laptop brand. Those aren't needed anymore but faulty firmware and updates are now shipped through Windows Update. At least Linux-based capsule updates with fwupdmgr do a better job.
Thanks, I didn't know that. I have an ASUS mobo but it is a custom-built desktop. Yeah, laptops come with potentially dangerous bloatware, that's the way it is.
Most of the targeted MAC addresses are used by ASUStek, Intel, and AzureWave devices.
Security researchers from Skylight Cyber have published today a list containing the 583 MAC addresses that hackers had targeted using the recent ASUS hack.