Slashdot

spikedLemur writes "Security guru Mark Dowd of TAoSSA has figured out how to turn a class of DoS bugs into a code execution attack. He wrote a detailed PDF explaining how he used a NULL pointer dereference in Flash to create a 100% reliable cross-browser/platform exploit. The guys at Matasano have already discussed the technique in two detailed writeups, which I highly recommend for the casual reader. Since the root problem is an ignored malloc failure (a very common mistake) we can expect to see this bug class popping up in lot of software in the near future. You might also want to make sure your Flash installation has the most current patch, since almost everybody is vulnerable to this one."
http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/

spikedLemur writes "It looks like Microsoft is planning to make standards compliant mode the default for IE8. This is a major departure from their previous position, which required the non-standard X-UA-Compatible header to make IE8 support modern web standards. Is it possible that all the negative feedback caused them to see the light?"
http://blogs.msdn.com/ie/archive/2008/03/03/microsoft-s-interoperability-principles-and-ie8.aspx

Vladimir Vukicevic of the Firefox team stumbled on some questionable practices from Apple while trying to improve the performance of Firefox. Apparently, Apple is using some undocumented APIs that give Safari a 500% performance advantage over other browsers. Of course, "undocumented" means that non-Apple developers have to try and reverse-engineer these interfaces to get the same level of performance. You really have to wonder what Apple is thinking, considering the kind of retaliation Microsoft has gotten for similar practices. (Anyone remember "DOS ain't done until Lotus won't run"?)
http://blog.vlad1.com/2008/02/28/finding-the-os-x-turbo-button/