back to article More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others

As if that supply chain attack wasn't bad enough, SolarWinds has had to patch its Orion software again after eagle-eyed researchers discovered fresh vulnerabilities – including one that can be exploited to achieve remote code execution. Ziv Mador, security research veep at Trustwave, the firm that found the flaws, told The …

  1. redpawn

    Don't go around the fence!

    Don't go through the hole in the fence! You are entering a secure area.

    Your conscience will bother you. You have been warned!

  2. Nate Amsden Silver badge

    ServU FTP

    Wow that brings back memories. I knew a guy(online only never met) back in the late 90s who distributed a "hacked" ServU which was popular for a certain file sharing people back then. People used it because it didn't need a license key, but he also inserted his own backdoor account(s).

  3. amanfromMars 1 Silver badge

    A Tasty Starter for Main Courses to be Followed After by IntelAIgently Designed Desserts

    ..... Absolutely Heavenly Delights Full to Overflowing with Devilish Temptations

    It is best, and one would do extremely well to realise, that such is the advanced and forever advancing and improving and constantly changing nature of that beastly daemon/anonymous invisibility which is of particular concern and/or peculiar interest to all here now, and those others who be batting and battling so valiantly in this instance on SolarWinds' Orion network management products' behalf, one can fully expect, whenever such trialling instances are recognised as being simply effective and especially successful, much more of the same impacting and extracting all manner of worth from many other select, highly valued targets .... with the deeper scope and vaster scale of the operation enhanced and expanded and elevated by sending meticulously crafted rather than maliciously crafted messages to any number of such queues.

    Microsoft and Microsoft Message Queue technology is not so much a critical vulnerability to exploit and export, although that is not to say that others might not see it that way and beg to differ and try to prove their point of view valid, it is much more a convenient feature for SMARTR Applicable Program Use.

    And if one can believe all of the reports on such developments as we read about here, one has to marvel at the tenacious ingenuity of those practically unknown Russians and Chinese routinely blamed for such hacks without ever a shred of evidence being presented for validation. How do they do that so well ‽ .

  4. Anonymous Coward
    Anonymous Coward

    How do you get bad things into someone else's software?

    Outline of a purely fictitious story.....something Lee Childs might write in the next little while....purely fictitious!

    The main protagonists are bad actors working in Ruritania. Here's the plot outline. Actions #1 through #6 are Ruritanian:

    1. Read up on "agile", "scrum", "devops". Lots of boosters out there!

    2. Read up on software companies who are using "agile", "scrum" or "devops".

    3. Do some probing on the systems used by said software companies. If you find that the development environment is "accessible", move to step #4.

    4. Insert bad stuff into the "agile", "scrum" and "devops" process one will notice!

    5. Wait six months for the bad stuff to hit the streets.

    6. Bingo!!

    7. Jack Reacher gets the job of cleaning up Ruritania!

  5. EnviableOne Silver badge

    Assimilate and die

    the more peoples stuff you hamstring and bolt onto your suite, the more holes you will introduce.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like