Nitesh Dhanjani released information about some of his newest research on the Safari web browser this morning, and interestingly enough, Apple has decided NOT to fix some of the issues he presented.Dhanjani reported three issues, as follows below from his blog:1.
Staying on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.
Violet Blue is the author of The Smart Girl's Guide to Privacy. She contributes to ZDNet, CNET, CBS News, and SF Appeal.
Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years
With the Quickness: HD Moore sets new land speed record with exploitation of Debian/Ubuntu OpenSSL flaw
So, for those who haven't heard, a Debian packager modified the source used for OpenSSL on Debian based systems (Debian and the whole of the Ubuntu family) to remove the seed used for PRNG (Pseudo Random Number Generator) used when creating SSL keys. Well, HD Moore set a new record for speed to exploit with the release of what he calls Debian-OpenSSL Toys.
I've been busy all day and just haven't been able to get to it until now, but Aviv Raff is a seriously bad man. I follow his blog religiously as he always has some cool stuff going on and a lot of it tends to be thought provoking for other areas of attack.
According to good friend Robert McMillan of IDG News, Sebastian Muniz, a researcher with Core Security Technologies, has developed malicious rootkit software for Cisco's routers, which he will release on May 22 at the EuSecWest conference in London. This will mark the first time (at least publicly) that someone has released a rootkit written for the Cisco IOS.
Thought I'd explore some of these bugs a bit more... first, Tipping Point released one of the vulnerabilities that Larry reported earlier, listed as a stack overflow issue in Microsoft Office Jet Database Engine.
Microsoft on Tuesday delivered four critical patches for vulnerabilities Office and Windows XP. There were six patches delivered.
In my most recent discussion on McAfee, I posted a talkback to Russ McRee stating, tongue in cheek mind you, that it'd be interesting to see an XSS or SQL Injection on McAfee's site, see if they are indeed "McAfee Secure". Well, I guess you get what you ask for...
Make botnets, not war? In April, last year, I asked the question "Why establish an offensive cyber warfare doctrine when you can simple install a type of Lycos Spam Fighting screensaver on every military and government computer and have it periodically update its hit lists?
Not to beat a dead horse, that's already been beaten to death time and time again, but...Update 05/12/08: Russ McRee has actually just posted a story about "Why PCI DSS is Doomed".
As assessment of a recently discovered in the wild email harvesting service, released for the purpose of harvesting names, email addresses, and other personal information from major career web sites, to be later on used for targeted spamming and malware campaigns.