139 pieces of (seemingly nonfunctional) malware that exploit Spectre and Meltdown are now circulating in the wild

Originally published at: https://boingboing.net/2018/02/04/active-probing.html



Thank you for mentioning that these are basically proofs-of-concept, e.g., not malware making use of fully weaponized exploits. I think a lot of the media has gotten confused or just doesn’t care about the part that the threat here is still more theoretical than practical.

That could, of course, change in the future, but as things stand right now, malware doing anything useful with the Spectre or Meltdown vulnerabilities does not exist.


It was really nice of that researcher to release proof-of-concept code.


Malware stories get the same treatment as infectious disease stories, i.e., staggeringly irresponsible panic-mongering.

I bet when history comes to an end and the scores are tallied, Meltdown itself will answer for less actual harm than all the “antivirus / clean your computer” malware that confused folks will install in response.


And I bloody well expect everyone here to panic as well! On this BBS, @doctorow has a reputation on the line!

SCNR, Cory…

Yes. Spectre and Meltdown are pretty useless for general attacks. You have to have a pretty good idea of who you’re going after and what you’re looking for to get anything worthwhile. Basically be alert and don’t get spearphished.


Okay guys, relax, we just have to stop using browsers. Problem solved!

I suspect, like with a lot of world problems, there are magnitudes more good actors who will use this info for locking down the threat than there are bad actors who will be trying to exploit it. Better out than in, I say.


Ok, so… there are currently no known exploits circulating in the wild and safe browsing practices (including noscript) still apply? Got it.


I think it largely depends upon the reporter, and also where they write and what sort of audience they have. If you go to Security Affairs or Security Week you’re going to get a much more nuanced view of security that the general computing press doesn’t always pick up on. Of course, there are general IT coverage sites like Ars Technica, The Register and ZDNet’s Zero Day blog, all of which I think do a good job, too. So maybe it also depends upon the publisher and their priorities.

Sometimes, when you’ve got a fast-moving story, there’s a lot of rampant speculation and, well, even cyber ambulance chasing, with everyone looking for some angle. But a good reporter may accept that the story here is that there isn’t a story, and that becomes their angle. That might not be something that every reporter is willing to do though, nor every security researcher.
