Comment Re:The push for DNSSec (Score 1) 281
bad ass
Submission + - Vulnerabilities Treated as Defects? (zdnet.com)
SecureThroughObscure writes: "ZDNet Zero-Day blogger Nate McFeters has asked the question, "Should vulnerabilities be treated as defects?". McFeters claims that if vulnerabilities were treated as product defects, companies would have an effective way of forcing developers and business units to focus on security issue. McFeters suggests providing bonuses for good developers, and taking away from bonuses for those that can't keep up.
It's an interesting approach that if used, might force companies to take a stronger stance on security related issues.
SecureThroughObscure"
It's an interesting approach that if used, might force companies to take a stronger stance on security related issues.
SecureThroughObscure"
Submission + - Safari "Carpet Bomb" Attack Still a Risk (zdnet.com)
SecureThroughObscure writes: "Just a short time after Apple's recent acknowledgement of and patch of the Safari Carpet Bomb "blended" IE flaw, blogger Nate McFeters of ZDNet's Zero-Day blog has pointed to research by Billy Rios of Microsoft that shows that the attack is still useful in a "blended" attack, this time with Firefox 2/3. Rios claimed that he is able to use the Safari Carpet Bomb attack, despite the recent patch, to steal arbitrary files from victims who also have Firefox 2/3 installed.
McFeters pointed out that Apple, which took some heat for not originally patching the issue, actually did a good job of addressing the issue, as it was not originally understood that code execution was possible (the details came out later). Rios seemed to echo a positive response by Apple in addressing the original issue, despite the media's portrayal.
Details of Rios's specific attack vector have been withheld until Apple has had time to patch or respond to this issue, but both researchers (McFeters and Rios) commented on the new attack threat that these blended types of attacks provide, and questioned who's responsibility it is to test for and fix these issues.
SecureThroughObscure"
McFeters pointed out that Apple, which took some heat for not originally patching the issue, actually did a good job of addressing the issue, as it was not originally understood that code execution was possible (the details came out later). Rios seemed to echo a positive response by Apple in addressing the original issue, despite the media's portrayal.
Details of Rios's specific attack vector have been withheld until Apple has had time to patch or respond to this issue, but both researchers (McFeters and Rios) commented on the new attack threat that these blended types of attacks provide, and questioned who's responsibility it is to test for and fix these issues.
SecureThroughObscure"
Submission + - Google Health app draws fire for privacy concerns (ckers.org)
SecureThroughObscure writes: "Noted security researcher Robert "RSnake" Hansen posted an article covering numerous concerns with Google's new Google Health application which aims to integrate user's medical records online. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPPA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure draws serious concern.
Security researcher and blogger Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the subject, mentioning several past vulnerabilities (here (Ownerhsip of content issue), here (Ownership of content issue), here (Google Docs theft), here (Google Docs theft), here (Google Docs theft), here (Cross-domain hole), here (Google XSS), and here (Google Picasa protocol handler issue leads to theft of user images)) that he and fellow researcher Billy Rios disclosed to Google, including the ability to steal GMail contact list information, cross-site scripting bugs, andthe ability to steal Google Docs.
McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. McFeters also put forth a challenge in his article suggesting that Billy Rios will have hacked Google Health within three weeks.
Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obivous reason of trying to hide the fact that user's data could have been stolen. It's really quite onerous that Google finds it reasonable to create an application like Google Health when they are, as RSnake says in his blog post, the single worst in privacy of all the top Internet sites.
Feel like having your medical records exposed today?
SecureThroughObscure"
Security researcher and blogger Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the subject, mentioning several past vulnerabilities (here (Ownerhsip of content issue), here (Ownership of content issue), here (Google Docs theft), here (Google Docs theft), here (Google Docs theft), here (Cross-domain hole), here (Google XSS), and here (Google Picasa protocol handler issue leads to theft of user images)) that he and fellow researcher Billy Rios disclosed to Google, including the ability to steal GMail contact list information, cross-site scripting bugs, andthe ability to steal Google Docs.
McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. McFeters also put forth a challenge in his article suggesting that Billy Rios will have hacked Google Health within three weeks.
Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obivous reason of trying to hide the fact that user's data could have been stolen. It's really quite onerous that Google finds it reasonable to create an application like Google Health when they are, as RSnake says in his blog post, the single worst in privacy of all the top Internet sites.
Feel like having your medical records exposed today?
SecureThroughObscure"
Submission + - IE 7.0/8.0b Code Execution 0-day Released! (zdnet.com)
SecureThroughObscure writes: "Security blogger and researcher Nate McFeters, of ZDNet and Ernst & Young's Advanced Security Center, blogged about an 0-day exploit released by noted security researcher Aviv Raff today. The flaw is a cross-zone scripting flaw, that takes advantage of the fact that printing HTML web pages occurs in the Local Machine Zone in IE rather than in the Internet Zone.
McFeters states on his blog that cross-zone scripting issues are very serious and that they will be a portion of the presentation that he, Rob Carter (also of Ernst & Young's Advanced Security Center, John Heasman (Director of Research at NGSSoftware), and Billy Rios (from Microsoft) will be giving at Black Hat Vegas this year. McFeters says:
"One of the most concerning things about cross-site scripting is when you can execute your script in a higher privileged zone, as Aviv has here. In some cases, you can actually run arbitrary commands on the operating system, read/write files, and definitely make all the cross-domain requests (with cookies) that you'd like. I'll save this for a different blog posting, because that was always the plan, but if you are interested in seeing more on this, Rob Carter has been hitting this really hard over at his blog."
As McFeters stated, Carter has done a lot of research into this area, pointing out very serious flaws in the web management consoles of Azureus and uTorrent, as well as in the Eclipse platform, which is used to build several other tools.
Aviv Raff's blog also summarizes the technical details of this cross-zone flaw:
Summary
Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its "Print Table of Links" feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.
An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user's machine (i.e. in order to take control over the machine).
Technical details
Whenever a user prints a page, Internet Explorer uses a local resource script which generates an new HTML to be printed. This HTML consists of the following elements: Header, webpage body, Footer, and if enabled, also the table of links in the webpage.
While the script takes only the text within the link's inner data, it does not validate the URL of links, and add it to the HTML as it is. This allows to inject a script that will be executed when the new HTML will be generated.
As I said in a previous post, most of the local resources in Internet Explorer are now running in Internet Zone. Unfortunately, the printing local resource script is running in Local Machine Zone, which means that any injected script can execute arbitrary code on the user's machine.
These are a very interesting class of bug, pretty scary stuff, especially since they appear to work in IE 8 as well.
SecureThroughObscure"
McFeters states on his blog that cross-zone scripting issues are very serious and that they will be a portion of the presentation that he, Rob Carter (also of Ernst & Young's Advanced Security Center, John Heasman (Director of Research at NGSSoftware), and Billy Rios (from Microsoft) will be giving at Black Hat Vegas this year. McFeters says:
"One of the most concerning things about cross-site scripting is when you can execute your script in a higher privileged zone, as Aviv has here. In some cases, you can actually run arbitrary commands on the operating system, read/write files, and definitely make all the cross-domain requests (with cookies) that you'd like. I'll save this for a different blog posting, because that was always the plan, but if you are interested in seeing more on this, Rob Carter has been hitting this really hard over at his blog."
As McFeters stated, Carter has done a lot of research into this area, pointing out very serious flaws in the web management consoles of Azureus and uTorrent, as well as in the Eclipse platform, which is used to build several other tools.
Aviv Raff's blog also summarizes the technical details of this cross-zone flaw:
Summary
Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its "Print Table of Links" feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.
An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user's machine (i.e. in order to take control over the machine).
Technical details
Whenever a user prints a page, Internet Explorer uses a local resource script which generates an new HTML to be printed. This HTML consists of the following elements: Header, webpage body, Footer, and if enabled, also the table of links in the webpage.
While the script takes only the text within the link's inner data, it does not validate the URL of links, and add it to the HTML as it is. This allows to inject a script that will be executed when the new HTML will be generated.
As I said in a previous post, most of the local resources in Internet Explorer are now running in Internet Zone. Unfortunately, the printing local resource script is running in Local Machine Zone, which means that any injected script can execute arbitrary code on the user's machine.
These are a very interesting class of bug, pretty scary stuff, especially since they appear to work in IE 8 as well.
SecureThroughObscure"
Submission + - Exclusive: Blogger Covers Microsoft Blue Hat v7 (zdnet.com)
SecureThroughObscure writes: ZDNet Zero-Day security blogger Nate McFeters got an exclusive look at the Microsoft Blue Hat conference.
This is an invite-only conference that few media get to attend, but apparently McFeters was brought in with co-worker Rob Carter to talk about some vulnerabilities they had discovered with a few product security teams in attendence, and was also asked to do a guest blog posting about the conference at the Microsoft Blue Hat blog. McFeters also included several pictures of the conference and after conference events.
Pretty interesting look into a conference that few get to see.
This is an invite-only conference that few media get to attend, but apparently McFeters was brought in with co-worker Rob Carter to talk about some vulnerabilities they had discovered with a few product security teams in attendence, and was also asked to do a guest blog posting about the conference at the Microsoft Blue Hat blog. McFeters also included several pictures of the conference and after conference events.
Pretty interesting look into a conference that few get to see.
Submission + - Apple/AT&T accidentally provides free Wi-Fi to (zdnet.com)
SecureThroughObscure writes: "Blogger Nate McFeters from the ZDNet Zero-Day blog posted a story today about a flaw in the implementation of free wireless access provided by Apple and AT&T at Starbucks and other locations for iPhone users, which will allow any person to gain free Wi-Fi from their laptop.
Apparently all that is required is a spoofed user agent and a valid iPhone phone number, which are trivial to obtain.
This is a pretty interesting flaw in that all that secures the access is the user agent sent by the browser. You'd think people would know better.
-SecureThroughObscure"
Slashdot Top Deals
Not only is UNIX dead, it's starting to smell really bad. -- Rob Pike
