Here we go again! The weekend is barely here and we’re already being bombarded with sensationalist headlines on forums, blogs and, of course, YouTube videos chock-full of ads whose only goal is to scare people into clicking through to the story as fast as they can. This weekend and, most likely, all of next week, you’ll be met online with headlines calling you to action with the most alarmist choice of words: DO IT NOW! (In all capitals for an added effect of urgency.) Protect yourself now! (From what? Where is the danger?) Calls to action to shut down your NAS, unplug your Internet cable, lock yourself inside your home and not open the door to anyone under any circumstances will pop up one by one. While the choice of words will differ, the core message will nonetheless be the same: sensationalist and alarm-raising, at the expense of accuracy and for the sake of herding people to ‘the story’.
As you well know, PWN2OWN is a hacking contest held several times a year by Trend Micro’s Zero Day Initiative (ZDI), in which security researchers set out to find and exploit flaws in a given system or device. When an exploit succeeds, the researcher gets a cash prize from the organizer, and the full details are handed privately to the vendor so it can fix the flaw. ZDI’s disclosure rules give the vendor a window to patch before any details are published, and vendors typically release the patch within days. So by the time the headlines appear, the exploit method is not public and the fix is usually already available; for anyone who installs updates, the danger is short-lived. Synology has participated in PWN2OWN events prior to 2024 and will surely continue to in 2025 as well, and it has promptly addressed the flaws discovered there by releasing patches right away. Which is the whole purpose of the event to begin with.
Since you have been asking me what I think about this piece of news regarding the Synology Photos vulnerability discovered at PWN2OWN 2024, I decided to give you my honest opinion. First of all, and most important, the issue has already been fixed – if you are using Synology Photos, know that Synology already released a patch 8 days ago, on October 25, 2024. You can download the patch from the links below. Secondly, the exploit method is not public: the details went privately to Synology through the contest’s disclosure process, and any technical write-up normally comes only after users have had time to patch. So when you come across sensationalist headlines in the next few days or weeks, remember that they are addressing an issue that has already been dealt with for everyone who has installed the update.
The same vulnerability has already been fixed for Synology Photos on BeeStation as well.
As always, there is a lesson to be learned from things like this. The main takeaway is that one of the best ways to protect yourself is to keep your system patched, so install updates as soon as they are released and, in this case, check in Package Center that the installed Synology Photos version is at or above the fixed version named in Synology’s advisory. Just as important, make sure you have backups and remember the 3-2-1 backup rule, a simple, effective strategy for keeping your data safe even when a critical zero-day vulnerability is exploited. A 3-2-1 backup strategy recommends that you keep three copies of your data on two different media, with one copy off-site. One caveat: a copy that the NAS itself can write to, such as a second share on the same box or a permanently mounted external drive, is reachable by anyone who gains code execution on the NAS, so at least the off-site copy should be one the NAS cannot overwrite or delete on its own.
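Because “am I patched?” comes down to comparing the installed package version with the fixed one, here is a small checker for Synology-style version strings. This is an added example written for this post, not code from Synology or from the original article; the fixed-version table in it is an assumption for the demo and must be confirmed against Synology’s own advisory for your DSM branch before you rely on it.

```python
"""Compare a Synology package version against the version that carries a fix.

Added example, not from the original post or from Synology. Version strings
are assumed to follow the "MAJOR.MINOR.PATCH-BUILD" form shown in Package
Center (e.g. "1.7.0-0795"). ASSUMED_FIXED_VERSIONS is example data: replace
it with the numbers from Synology's security advisory for your DSM branch.
"""
from __future__ import annotations

import re
from typing import Dict, Tuple

# Assumed per-branch fixed versions for the demo; verify against the advisory.
ASSUMED_FIXED_VERSIONS: Dict[str, str] = {
    "DSM 7.2": "1.7.0-0795",
    "DSM 7.1": "1.6.2-0720",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.7.0-0795' into (1, 7, 0, 795); reject anything else loudly
    rather than silently treating a malformed string as 'patched'."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Synology package version: {version!r}")
    major, minor, patch, build = (int(part) for part in match.groups())
    return (major, minor, patch, build)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version.

    Tuples of integers compare numerically, so 1.10.x correctly ranks above
    1.7.x. Comparing the raw strings would get this wrong (see below).
    """
    return parse_version(installed) >= parse_version(fixed)


def naive_string_compare(installed: str, fixed: str) -> bool:
    """The trap: lexicographic comparison of version strings. Shown only to
    demonstrate why is_patched() parses the numbers first."""
    return installed >= fixed


def check_branch(
    installed: str,
    dsm_branch: str,
    fixed_versions: Dict[str, str] = ASSUMED_FIXED_VERSIONS,
) -> str:
    """Return a one-line verdict for the given DSM branch."""
    fixed = fixed_versions.get(dsm_branch)
    if fixed is None:
        raise KeyError(f"no fixed version known for branch {dsm_branch!r}")
    if is_patched(installed, fixed):
        return "patched"
    return f"vulnerable: update to {fixed} or later"


if __name__ == "__main__":
    # Constructed sample inputs, not real readings from any device.
    for branch, installed in (("DSM 7.2", "1.7.0-0795"), ("DSM 7.1", "1.6.1-0806")):
        print(branch, installed, "->", check_branch(installed, branch))
    # Why parsing matters: "1.10.0-0001" is newer than "1.7.0-0795" ...
    print("numeric:", is_patched("1.10.0-0001", "1.7.0-0795"))
    # ... but a plain string comparison says it is older.
    print("string :", naive_string_compare("1.10.0-0001", "1.7.0-0795"))
```

The point of the two comparison functions is the second one: a script that compares version strings with `>=` would report a hypothetical 1.10.x build as unpatched (or, with the roles reversed, report an old build as safe), so parse the four numeric fields before comparing.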
This post was updated on Thursday / November 7th, 2024 at 5:29 PM