Russia, we now know, used SolarWinds' hacked program to infiltrate at least 18,000 government and private networks. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents. The Russians may even have the crown jewels of Microsoft's software stack: Windows and Office.

In a twist, which would be hilarious if it weren't so serious, Microsoft claims it's no big deal. That's because Microsoft has "an inner-source approach – the use of open-source software development best practices and an open-source-like culture – to make source code viewable within Microsoft." It's nice that Microsoft is admitting that the open-source approach is the right one for security - something I and other open-source advocates have been saying for decades. But inner source isn't the same thing as open source. When hackers, not Microsoft developers, have access to proprietary code, the door's open for attacks. True, Microsoft's "threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk." But making that assumption is one thing. Dealing with reality is something else.

For decades, one of proprietary software's stupid assumptions is that "security by obscurity" works. While obscurity can help - no, really, it can if used intelligently - that's not the case with proprietary code. Even with the best will in the world, I doubt that Microsoft has really undertaken the hard security code review needed to lock down its proprietary code. The almost weekly revelations of new Microsoft security holes and mishaps don't make me feel warm and fuzzy about the security of its software.

While President Donald Trump has completely ignored the actions of Russian President Vladimir Putin's government, America's Cybersecurity and Infrastructure Security Agency (CISA) said the hacks posed a "grave risk" to US governments at all levels. Over the Christmas holidays, CISA said that all US government agencies must update to Orion version 2020.2.1 HF2 by the end of the year. If they can't, they must take these systems offline. Why? Because yet another SolarWinds Orion vulnerability was being used to install the Supernova and CosmicGale malware. This security hole, CVE-2020-10148, is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations.
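As an added example (not code from the article, from SolarWinds or from CISA), the script below shows the two checks a defender would actually run against the directive and the CVE-2020-10148 bypass mentioned above: a version gate against 2020.2.1 HF2, and a scan of web-server access logs for the request-path markers CERT/CC documented for this CVE (VU#843464: a path containing WebResource.adx, ScriptResource.adx, i18n.ashx or Skipi18n was served by vulnerable Orion versions without authentication). The log lines, their simplified seven-column field layout and the function names are constructed for this example; real IIS logs carry more columns, so the field indices are an assumption to adjust in production.

```python
import re
from typing import Dict, Iterable, List

# Path markers CERT/CC documented for CVE-2020-10148 (VU#843464): a request whose
# path contained one of these was served by vulnerable Orion versions without
# authentication.
BYPASS_MARKERS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")

# Version CISA required agencies to reach, as stated in the article.
REQUIRED_VERSION = "2020.2.1 HF2"

# Accepts "2020.2.1 HF2", "2020.2.1HF2", "2019.4 HF6" and "2020.2".
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn an Orion version string into a comparable (year, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def remediation(installed: str) -> str:
    """Apply the directive: at or above the required version is fine; anything
    else must be updated or taken offline."""
    if parse_version(installed) >= parse_version(REQUIRED_VERSION):
        return "ok"
    return "update or take offline"


def is_bypass_attempt(path: str) -> bool:
    """True if the URL path carries one of the documented bypass markers.
    Case-insensitive; the legitimate ASP.NET handler ScriptResource.axd
    (axd, not adx) deliberately does not match."""
    lowered = path.lower()
    return any(marker.lower() in lowered for marker in BYPASS_MARKERS)


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan W3C-style access log lines and return the bypass attempts found.

    Field layout is the constructed, simplified one used in SAMPLE_LOG:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status (assumption;
    real IIS logs have more columns, so adjust the indices)."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        date, time_, client, method, stem, query, status = fields[:7]
        if is_bypass_attempt(stem):
            hits.append({
                "when": f"{date} {time_}",
                "client": client,
                "request": f"{method} {stem}",
                # 200 means the unauthenticated request was actually served.
                "served": "yes" if status == "200" else "no",
            })
    return hits


# Constructed sample log: a legitimate login, an API call correctly rejected with
# 401, two bypass attempts from an external address, and a benign request for the
# real ScriptResource.axd handler that must not be flagged.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-12-24 09:12:01 10.0.0.5 GET /Orion/Login.aspx - 200
2020-12-24 09:12:44 10.0.0.5 GET /SolarWinds/InformationService/v3/Json/Query query=SELECT+Name+FROM+Orion.Nodes 401
2020-12-24 09:13:02 198.51.100.7 GET /SolarWinds/InformationService/v3/Json/Query/WebResource.adx query=SELECT+Name+FROM+Orion.Nodes 200
2020-12-24 09:13:30 198.51.100.7 POST /SolarWinds/InformationService/v3/Json/Invoke/Skipi18n - 200
2020-12-24 09:14:10 10.0.0.9 GET /Orion/ScriptResource.axd d=abc 200
"""

if __name__ == "__main__":
    for v in ("2020.2.1HF2", "2020.2.1 HF1", "2019.4 HF6"):
        print(f"{v:14s} -> {remediation(v)}")
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The version check treats a missing hotfix number as HF0, so a plain 2020.2.1 install is correctly reported as needing action, while later releases such as 2020.2.2 pass. The log scan flags every request carrying a marker regardless of status and records whether it was served, because a 200 on such a path is evidence the bypass worked rather than merely that it was tried.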