Russians invade Microsoft exec mail while China jabs at VMware vCenter Server

A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write flaw in vCenter Server, was under active exploitation. The bug, which received …

  1. sitta_europea Silver badge

    You know how complex is all this bloatware.

    So you know the vulnerabilities are in there.

    Some of them are going to be found soon.

    Some of them have already been found by the Bad Guys who, it seems, have a very much better record at finding them than do the security firms.

    So don't leave your bloatware undefended. If you do, it WILL be compromised.

    1. This post has been deleted by its author

    2. Doctor Syntax Silver badge

      "Some of them have already been found by the Bad Guys who, it seems, have a very much better record at finding them than do the security firms."

      If the good guys get prosecuted and fined for finding and reporting them, then this situation is inevitable.

    3. Zolko Silver badge
      Boffin

      So don't leave your bloatware undefended

      I don't understand: why have bloatware at all? Isn't that simply laziness? If so, nothing can save lazy people, because by definition if they're too lazy to get to the bottom of the pit to find out what they really need, then they're going to be too lazy to defend the unneeded bloat that they didn't take time to get rid of.

  2. Anonymous Coward

    If you build it

    The Chinese will come.

  3. t245t Silver badge
    Terminator

    Whatever happened to C2 certification?

    Why don't the NSA do tests on all such connected devices and provide a modern equivalent of C2? Unless they have a war-chest of such bugs and don't release them. Whatever happened to C2* certification? A device is granted C2 cert status, but only a particular combination of hardware and software. Such certs would be worthless with the modern innovation of click-and-install some app.

    * elREg Dec 1999: Microsoft announced this week that it has received Orange Book C2 certification for NT 4.0

    1. MonkeyJuice

      Re: Whatever happened to C2 certification?

      > Unless they have a war-chest of such bugs and don't release them.

      That has been demonstrably the case, looking at Equation Group leaks. Some of these vulnerabilities required entire architectural rewrites or an inordinate amount of work patching EEPROMs, and disclosing them was _not_ in the public interest. Flinging weaponized exploits at hostile nation states perfectly capable of reverse engineering these however, does not help the situation. You wouldn't pirate a 0day, right?

      I'd like to think they have learned, but I am not holding my breath.

  4. Omnipresent Bronze badge

    More than likely

    Used the AI to assist them do it.

  5. Anonymous Coward

    Easiness of domain registration

    Scam and malware domains are too easy to register. This is probably the highest impact issue to resolve to make the web more secure.

    Normal businesses would not register domains every day, or even years. Making domain registration slow and requiring owner verification would considerably reduce the volume of cyber-crime.

  6. t245t Silver badge
    Terminator

    Russians invade Microsoft exec mail

    One would have thought they would be using a security key and 2-step verification, especially the cybersecurity employees.
