cspan wrote: ↑
Tue Jun 25, 2019 7:22 pm
How do you know in advance
If you're going to a gaming site, assume it's untrustworthy. If you go to any sites offering up porn, assume it's untrustworthy.
Don't click on any links that purport to be connecting you to some seemingly valid site without checking the actual target. Including links in email. For mail that seems suspicious (not expected, or from someone you know but still unexpected or otherwise suspect), I check the email source. Not all email readers support this, but mine does. If someone sends an encoded message that I can't read in the source display, I just delete it. When I sign up for email, I request plain text whenever possible.
Disable macro execution in Office-type docs (docm, xlsm, etc.). I tried renaming a spreadsheet with macros to .xlsx and Excel complained.
Don't click on links in email without looking at the source to see if they're being spoofed.
But I don't know if this is the case. And it does seem a bit incongruous to publicly boast of invulnerability of your product line to an otherwise ubiquitous "catastrophic" security issue, and then 18 months later release a new version of your product that has given away that advantage.
Workarounds are in the works. Product that is already shipped can be difficult to patch unless the manufacturer has a way to update microcode or OS vendors put up walls between applications. Some browsers are putting up walls (opening each tab in a separate virtual machine), so a malicious process can't snoop on memory used by other processes.
If you do things intelligently, you can minimize your risk. But too many people fall for social engineering exploits and there's no protection against being dumb.