Slyguy

Level 43
Any home user with a default/deny setup doesn't have to get all bent out of shape over these kernel vulnerabilities. Malware won't exploit a vulnerability on your system if it can't run in the first place.
I wouldn't be so sure about this. Also, the latest string of major issues (KRACK, etc) all seem to indicate much of security has been theater.

Anyone downplaying this for consumers and their individual machines is probably accurate. However the damage and issues here for enterprise can't really be downplayed. Patch Tuesday should be interesting, we have all hands on deck for it. In early test patching the impact on VMs and SQL hasn't been pretty and remember, the majority of 'out there' relies on VMs and SQL. I'm sure Azure has enough spare horsepower to ratchet up their VM allocations to compensate but many (most?) companies don't.

I have the resources to replace all of my home's hardware, if needed. But it just so happens all of this fell on the normal 3 year refresh on my notebooks so all of it was due to be replaced over the next few months anyway. This just accelerated all of it and gave me a reason to un-lazy myself on the matter. As of 11PM EST last night we don't have a single Intel CPU in the home. However I admit I am probably a much fatter target than the general public so it's more pertinent for me.

509322

If a user has a default/deny setup, chances are he can handle the challenge of enabling a Chrome flag. If he does not have a default/deny setup, then he has plenty of other potential issues to worry about, besides this.
Only the more sophisticated are interested in this because they are the ones with the resources to leverage it. Think nation states - meaning intel agencies and their sponsored networks. The talented, the well organized, the well funded. You get the picture.

Typical malc0der isn't going to be pursuing Speculation and Meltdown.

shmu26

Level 84
Verified
Trusted
Content Creator
I don't think this is accurate since there seems to be some evidence this can be exploited through malicious web pages, iFrames, JavaScript and potentially in ways still yet to be discovered. A Default-Deny isn't going to do much of anything really, and all of this has rendered a wide array of security protocols as security theater.
It's pretty easy to protect your browser, so the web attack vector is not a big deal. But if they figure out how to weaponize Word or PDF docs, without using script interpreters, that will pose a problem even for default/deny users. It probably will require a patch from the software vendor, i.e., Microsoft Office or Adobe Reader or whatever.

509322

It's pretty easy to protect your browser, so the web attack vector is not a big deal. But if they figure out how to weaponize Word or PDF docs, without using script interpreters, that will pose a problem even for default/deny users. It probably will require a patch from the software vendor, i.e., Microsoft Office or Adobe Reader or whatever.
That's a super easy no brainer for the home user - which they should have been doing long before this all happened - don't use Microsoft Office.

Security is super easy as long as you're willing to get yourself out of the way. Most of the time it is people's own stubbornness that prevents them from being secure. I deal with this all the time with advising people regarding our own product.
 

Slyguy

Level 43
That's a super easy no brainer for the home user - which they should have been doing long before this all happened - don't use Microsoft Office.
Honestly, I thought I was alone in the wilderness telling home users to not use Microsoft Office.. I've been saying it for YEARS. Obviously based on the fact that we see MSO as a primary target for attackers in the enterprise field and a lot of ITW focus on exploiting MSO. Install Libre or something...

509322

Honestly, I thought I was alone in the wilderness telling home users to not use Microsoft Office.. I've been saying it for YEARS. Obviously based on the fact that we see MSO as a primary target for attackers in the enterprise field and a lot of ITW focus on exploiting MSO. Install Libre or something...
It's even easier than that. They shouldn't be using Windows. They should be using Chromebook. And don't use Android!!
 

shmu26

Level 84
Verified
Trusted
Content Creator
That's a super easy no brainer for the home user - which they should have been doing long before this all happened - don't use Microsoft Office.
That's good advice for the true home users, but some of us work-from-home professionals need the advanced tools in MS Office, and also, when you share documents with colleagues, there are formatting problems if you are not using the same platform.

509322

That's good advice for the true home users, but some of us work-from-home professionals need the advanced tools in MS Office, and also, when you share documents with colleagues, there are formatting problems if you are not using the same platform.
You can try Kingsoft WPS. It does quite a good job of opening Microsoft Office documents. The formatting is not always 100%.

Can you make WPS work for you personally? You have to trial it.

At some point people have to decide what is more important; convenience or security. People want it all but life doesn't work that way - not even for the most powerfully rich.

Although let's make an exception if your livelihood depends upon a software like Microsoft Office. Let's say all your colleagues and customers use Microsoft Office. Let's be realistic. In all likelihood, you need to use Microsoft Office. In that case, you are at the mercy of Microsoft and its Extended Engineering Division.
 

Slyguy

Level 43
It's even easier than that. They shouldn't be using Windows. They should be using Chromebook. And don't use Android!!
After playing Fri-Sat with these Chromebooks, I agree. They're amazing really. Also, examining the outbound connections from them I am pretty impressed at the 'lack' of background activity assuming you UNCHECK 'Help Google Improve this OS'.. That's right - a single checkbox fixes ChromeOS right up for you. Not batch files, privacy tools, host files, DNS filtration, registry edits and group policies to 'sort of' fix Windows 10 privacy issues. Yup. I am sold. Now everyone I know is getting told to get a Chrome Book when they ask me what to buy. ChromeOS has come a LONG way.

I actually owe it to you. I had totally discounted ChromeOS as a 'useless OS wannabe'.. I kept hearing you bring it up and figured I would give it a go. The increasing drones of 'ChromeOS' coming from security professionals can't be ignored.

509322

After playing Fri-Sat with these Chromebooks, I agree. They're amazing really. Also, examining the outbound connections from them I am pretty impressed at the 'lack' of background activity assuming you UNCHECK 'Help Google Improve this OS'.. That's right - a single checkbox fixes ChromeOS right up for you. Not batch files, privacy tools, host files, DNS filtration, registry edits and group policies to 'sort of' fix Windows 10 privacy issues. Yup. I am sold. Now everyone I know is getting told to get a Chrome Book when they ask me what to buy. ChromeOS has come a LONG way.

I actually owe it to you. I had totally discounted ChromeOS as a 'useless OS wannabe'.. I kept hearing you bring it up and figured I would give it a go. The increasing drones of 'ChromeOS' coming from security professionals can't be ignored.
A lot of people on the forums got this Google privacy hang-up going. Compare full-telemetry Chrome OS and Windows 10 and tell me who is more guilty.
 

soccer97

Level 11
Enabling the flag in Google Chrome took 3 minutes. I installed the patch for Windows yesterday. I can confirm that there is a correlation between the date installed and increased boot time and CPU use. Correlation does not equal causation.

Does anyone else wonder if the impact will cause a major downstream effect (Enterprises, businesses, datacenters, etc. affected by security and/or performance degradation, results in increased costs to businesses, which pass it on to consumers)? This would include unanticipated delays in "Production Environments" due to mitigation necessary for compliance and prevention.

Some level of risk is always present; it is a matter of mitigating/managing what you can, with the resources available, while balancing the trade-offs that those mitigations may or may not have on operations and/or, for us consumers, general computer use.

That's just IMHO.

509322

Let's all have a moment of levity in this moment of impending doom.

I don't have to worry about security anymore. By chance I found the ultimate IT security solution device tonight:

WP_20180107_00_18_18_Pro.jpg

WP_20180107_00_23_43_Pro.jpg

WP_20180107_00_28_52_Pro.jpg

Theoretically the only thing that can unravel my plan is if someone is manufacturing or shipping Kryptonite in their hardware, firmware, software or the as yet unknown ultimate deadly Kryptonite exploit is set upon us in the wild. Someone will sink my surefire plan - somehow. I am not seeing it, but they will. Probably some twelve year old working alone in their parents' basement.

shmu26

Level 84
Verified
Trusted
Content Creator
For all you non-Americans puzzled by the weird humor,
the big "S" is the insignia of Superman, who is perhaps the most famous character from American comic books (and later, movies).
Kryptonite is the only substance in the universe that can counteract Superman's superhuman powers.