D&C GLug - Home Page


Re: [LUG] github meltdown + spectre patch status

 


> On 10 Jan 2018, at 19:09, mr meowski <mr.meowski@xxxxxxxx> wrote:
> 
> https://github.com/hannob/meltdownspectre-patches

Thanks, somehow I suspect it's in my twitter feed somewhere, but good to pull out.

How are you handling it?

I did a short briefing at work today, where I gave a little background so people can 
understand more if they need/want to.

But in practice since we track the application of Security updates for all OSes, and 
Browsers, I don't see I need to do more than business as usual patching for this 
issue, and a good education opportunity not wasted. The Windows patching and AV 
update looked messy but that's not my problem fortunately.

I'm not even convinced these are the worst CPU bugs from Google Project Zero this 
year, there is a buffer overflow in some TPM code that looked scarier if you have 
affected hardware and use TPM (which admittedly is a lot less likely than "have a 
modern CPU" but if your TPM is vulnerable and you are targeted by the kind of skill 
set to exploit this....). 

Also I note GPZ found a bunch of other issues in eBPF; presumably, having poked around 
and found ways to run arbitrary speculative execution in kernel space, they knew a 
target-rich environment when they saw it. eBPF is off in most distros I believe, 
probably just as well. But does anyone knowingly use it?

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq