"What's holding back patching?"
Ignorance and apathy in management.
An improper access control bug in Apache Flink that was fixed in January 2021 has been added to the US government's Known Exploited Vulnerabilities Catalog, meaning criminals are right now abusing the flaw in the wild to compromise targets. Plus, its inclusion in the catalog means federal agencies need to either close the hole …
No CIO/CTO takes "patching" seriously. Not even when the company is spattered all over the 11 o'clock news. Or not even when dragged into a US House committee hearing. If the UnitedHealth CEO can calmly admit paying hackers (instead of employing a competent IT security team) in front of a US House committee hearing, then, f**ck, anyone can do it too!
In other (maybe-related news): Nissan A/NZ's outsourced cyber incident call centre breached
Nissan Oceania has revealed the call centre it set up to handle customer inquiries after a cyber incident late last year has itself been breached.
Managers are divided between those who refuse to believe a bug exists even when it was discovered years earlier by a member of their own team (one the manager has spoken to, yet the manager insists he knows better than technical staff),
or the kind that believes bug reports such as "Red Hat rpc still contains a flaw fixed in 1998" just because the version number shown over the network is still 1.2.
Neither one is curious enough to ask about the truth, or to be any more satisfied with better conditions than you get by doing nothing. This ensures that nothing will be done except useless things, because something must be done.
These are real examples from work and people with names omitted.
Which proves my point. A large portion of Managers are complete idiots and it should be criminally irresponsible to allow people like that to be in charge of anything.
We have standards in the medical industry, only surgeons can perform surgeries, nobody would allow a "manager" such a responsibility, and yet we allow managers here to make decisions that potentially can be a disaster.
"Doctors and nurses are the worst patients," the saying goes. But doctors are the worst cry-babies. A sookie lala of the highest order.
I raised a change control to upgrade a piece of kit in a hospital environment because of a security vulnerability that is "actively, aggressively exploited in the wild" and the manufacturer has given it a CVSS score of 9.9.
The change was rejected by the Change Control Board, in which the CTO was involved. Show proof, he said, that this so-called "vulnerability" is being exploited in Australia.
The next day the change was approved and it was deemed "do it NOW!"
" ... simply fixing flaws in newer versions of software, open- and closed-source alike, does no good if users don't upgrade or update"
From a user perspective, there are often apparently sufficient reasons not to upgrade to a new version if everything seems to be working, whereas applying a patch is a recognised (if annoying) element of operational infosec. The snag is that a new version is positive promo for the vendor, whereas a patch has zero or negative PR value.
One serious issue is software companies only fixing bugs in new releases that also have major functional changes, or shipping bug fixes that break certain legacy file/data access because fixing that was too much trouble, and they have new, shiny, better locked-in versions to sell.
What is the masterplan to be whenever screaming into the wind government agencies and bug hunters start to realise some/more than just a few/many known exploitable holes are practically unpatchable ....... apart from more pathetic screaming about an expanding catalogue of novel things they know virtually nothing about but/and which are impacting upon their existence and remotely, both anonymously and autonomously, fundamentally altering the course and changing the existential nature of future reality to one with extraordinary forces and extraterrestrial sources in virtual command and almighty control of universal events for mass multi media programming and AI presentation ‽