Last 50 'Vulns' Tagged Posts

Poll: How do you rank the importance of a vulnerability?

I've added a new poll to the WASC linkedin group that a few of you may be interested in. Specifically asking how people rank the importance of vulnerabilities. Poll Link http://www.linkedin.com/groups/How-do-you-rank-importance-83336.S.202840840

Oracle website vulnerable to SQL Injection

Someone has published a SQL Injection in labs.oracle.com at http://www.thehackernews.com/2011/07/oracle-website-vulnerable-to-sql.html . That is all.

Results of internet SSL usage published by SSL Labs

Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security....

Another use of Clickjacking, Cookiejacking!

Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx

NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals...

How not to publish SCADA security advisories

"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't...

Announcing WASC Web Hacking Incident Database (WHID) Mail-list

Ryan Barnett (Leader of the WASC Web Hacking Incidents Database Project) has announced a new mailing list where users can subscribe to hear about the latest hacking incidents. From his email to The Web Security Mailing List "Greetings everyone, I wanted to let everyone know that we have setup a mail-list for...

Tracking and understanding security related defects: Useful data points for shaping your SDLC program

In addition to CGISecurity, I also run a website called QASEC.com where I post SDLC related content. I've just published a lightweight article discussing tips and tricks for tracking software level vulnerabilities in larger organizations. Abstract: "If you work in infosec for a large organization it can be difficult to easily track...

Improving ASP.NET Security with Visual Studio 2010 Code Analysis

Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly...

Phrack #67 is out for 25th anniversary!

To celebrate 25 years the phrack team has published issue #67. Introduction The Phrack Staff Phrack Prophile on Punk The Phrack Staff Phrack World News EL ZILCHO Loopback (is back) The Phrack Staff How to make it in Prison TAp Kernel instrumentation using kprobes ElfMaster ProFTPD with mod_sql pre-authentication, remote root FelineMenace...

Interesting IE leak via window.onerror

Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror...

Why publishing exploit code is *generally* a bad idea if you're paid to protect

Update2: Further proof that people are abusing this in a wide scale and likely wouldn't have had the exploit code not been released. Update: I've clarified a few points and added a few others. Recently Tavis Ormandy (a google employee) discovered a security issue in windows, and days after notifying Microsoft published...

A reminder that CSRF affects more than websites

Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME";> The NetBSD team addressed this issue by failing on large commands. The...

Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection

I haven't really been posting advisories on this website for the past year, however a series of XML Injection/XXe vulnerabilities in Adobe products caught my eye. XML Injection is to web services, what XSS is to web pages (an attacker controllable application response able to perform abuses against the consumer). This advisory...

Nikto version 2.1.1 released

Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,...

Announcement: WASC Threat Classification v2 is Out!

I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...

Experimenting With WASC Threat Classification Views: Vulnerability Root Cause Mapping

I currently lead the WASC Threat Classification Project and we're expecting to publish our latest version next month. One of the biggest changes between the TCv2 and TCv1 is that we're doing away with single ways to represent the data. In the TCv1 we had a single tree structure to convey appsec...

Clientless SSL VPN products break web browser domain-based security models

A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details. "As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link...

Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage...

Heading out to AppsecDC

I'll be heading out to AppSecDC to present Transparent Proxy Abuse on Thursday, so if you're attending and want to chat about appsec I'll be available after my talk. Here's a teaser of my presentation I'll be presenting a video demonstrating this abuse case against Squid and Mac OS X Parental Control...

TLS negotiation flaw published

Steve Dispensa and Marsh Ray have published a paper describing a weakness in the TLS negotiation process. This is the same attack discussed on the IETF TLS list. From the whitepaper "Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle...

MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution

Microsoft has just published a remote vulnerability in the windows TCP/IP stack. "This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service....

Article: Bypassing DBMS_ASSERT in certain situations

David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protect against SQL injection attacks[1]. In [2] Alex Kornbrust...

Wordpress Admin Password Reset Vulnerability

"Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and...

Firefox 3.5 0Day published

"The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of...

Months later, more products identified using exploitable transparent proxy architecture

It's been more than 3 months since I published my paper on abusing transparent proxies with flash, and 4 months since CERT's Advisory (VU#435052). Since that time additional products have been identified as being exploitable. Still Vulnerable Squid http://www.squid-cache.org/ Astaro http://www.astaro.org/astaro-gateway-products/web-security-http-https-ftp-im-p2p-web-filtering-antivirus/24916-socket-capable-browser-plugins-result-transparent-proxy-abuse.html QBik Wingate http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2009-0802 Tiny Proxy? https://packetprotector.org/forum/viewtopic.php?id=4018 Smoothwall, SchoolGuardian, and NetworkGuardian http://www.kb.cert.org/vuls/id/MAPG-7M6SM7...

WASC Threat Classification 2.0 Sneak Peek

Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement "The Threat Classification v2.0...

Three Web Application Firewall Advisories, Whitepaper Published

Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products. Artofdefence Hyperguard Web Application Firewal (Remote Denial of Service) http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution) http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt radware AppWall Web Application Firewall (Source code disclosure on management...

Google Chrome Fixes Buffer Overflow Vulnerability

"Google Chrome 2.0.172.33 has been released to the Stable and Beta channels. This release fixes a critical security issue and two other networking bugs. CVE-2009-2121: Buffer overflow processing HTTP responsesGoogle Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could...

Session Attacks and ASP.NET - Part 1

Sans has published part 1 of an article discussing Session Fixation attacks against .NET applications. "I’ve spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven’t looked...

Article: 'Setting the appropriate security defect handling expectations in development and QA

I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather...

New paper by Amit Klein (Trusteer) - Temporary user tracking in major browsers and Cross-domain information leakage and attacks

Amit Klein posted the following to the web security mailing list yesterday. "User tracking across domains, processes (in some cases) and windows/tabs is demonstrated by exploiting several vulnerabilities in major browsers (Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and to a limited extent Google Chrome). Additionally, new cross-domain information leakage, and cross...

Understanding Microsoft's KB971492 IIS5/IIS6 WebDAV Vulnerability

Steve Friedl posted the following to bugtraq this afternoon. "There has been a fair amount written on the vulnerability itself, but there's a large cohort who has no idea if their systems are at risk ("What is WebDAV, and how do I know if I have or need it???"). So I've written...

Compromising web content served over SSL via malicious proxies

Microsoft research has published an excellent paper describing many browser flaws. The use case primary involves an attacker hijacking the explicitly configured proxy used by the user and via HTTP code trickery they can access the content on an HTTPS established connection. It also outlines browser flaws involving caching of SSL certs...

OpenSSH Protocol Pwned

"The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG). An attacker has a 2^{-18} (that is, one in 262,144) chance of success. ISG lead professor...

Java Flaw still not fixed in Mac OS X

"According to Julien Tinnes in the CR0 Blog, it appears that Apple's recent security update failed to fix a Java flaw that was reported to Sun back in August 2008 and patched by Sun way back in December 2008. The upshot: according to the blog (and I've yet to be able to...

IIS6.0 WebDav Unicode Remote Auth Bypass

Update: Microsoft has posted some additional information in multiple entries. A new unicode bug in IIS has been discovered which allows an attacker access to resources behind password protected sites. This issue only seems to affect IIS 6 (5 and 7 seem immune) and no fix has been issued at this time....

Apple releases OS X 10.5.7 security updates

"Apple released an update to its Leopard operating system yesterday that comes loaded with a host of security and bug fixes as well as added hardware support. The Cupertino-based firm said OS X 10.5.7 patches several security loopholes related to PHP, CoreGraphics, Apache Web server and the company’s browser Safari. Three separate...

Thousands of Vulnerabilities Detected In FAA's Air Traffic Control Apps

"A government audit (PDF) has pinpointed more than 3,800 vulnerabilities -- 763 of which are high-risk -- in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk. The U.S. Department of Transportation report, with the help of auditors from KPMG, determined...

JavaScript flaw reported in Adobe Reader

"The United States' Computer Emergency Readiness Team (US-CERT) warned users of the ubiquitous Adobe Reader to disable the program's use of Javascript after Adobe warned on Monday that a possible flaw had been found. In a post to its product security blog, the company said it was investigating reports of a serious...

Google Chrome Universal XSS Vulnerability

"During unrelated research, I came across a number of security issues that reside in various parts of Google's web browser - Google Chrome. These issues pose a major threat to any user that browses a maliciously crafted page using Internet Explorer and has Google Chrome installed alongside. Using a vulnerability in the...

OAuth Session Fixation Security Flaw Discovered

From the advisory "The attack starts with the attacker logging into an account he owns at the (honest) Consumer site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request Token)....

Microsoft April patch tuesday addresses 8 security issues

"MS09-010 Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477) This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad or...

Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse

For over a year in my spare time I've been working on a abuse case against transparent proxies at my employer, and have just released my latest paper '"Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same...

Google Docs suffers serious security lapse

"Google confessed to a serious bug in its Docs sharing system over the weekend, but downplayed the security cockup by claiming only a tiny number of users had been affected. The internet search kingpin said that less than 0.05 per cent of Google Docs accounts were hit by a privacy breach after...

Twitter SMS spoofing

"A fix against an SMS spoofing flaw involving micro-blogging service Twitter offers only partial protection. Tests by Heise Security found that providing a user knew the number of a phone associated with a Twitter account, it would be possible to use an SMS sender faking service to post fake status updates that...

Dan Bernstein Confirms Security Flaw In Djbdns

"Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of most popular alternatives for the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher that found the bug. The bug allows a nameserver running djbdns...

Firefox 3.0.7 fixes multiple security flaws

"Mozilla Corp. today patched eight security vulnerabilities in Firefox, half of them critical memory corruption flaws in the browser's layout and JavaScript engines. Firefox 3.0.7, the second security update this year to the open-source browser, fixes about the same number of bugs that Mozilla patched a month ago. Of the eight vulnerabilities,...

Opera 9.64 Security Updates and Enhancements

From Opera's changelog Fixed an issue where specially crafted JPEG images ccould be used to execute arbitrary code, as reported by Tavis Ormandy of the Google Security Team; see our advisory Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by Adam Barth; details will be...

Caching bugs exposed in second biggest DNS server

"For years, cryptographer Daniel J. Bernstein has touted his djbdns as so secure he promised a $1,000 bounty to anyone who can poke holes in the domain name resolution software. Now it could be time to pay up, as researchers said they've uncovered several vulnerabilities in the package that could lead end...

CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies

For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New Zealand...

Practical Example of csSQLi Using (Google) Gears Via XSS

"Yesterday, at the Blackhat DC security conference, I spoke about the dangers of persistent web browser storage. Part of the talk focused on how emerging web browser storage solutions such as Gears (formerly Google Gears) and the Database Storage functionality included in the emerging HTML 5 specification, could be attacked on sites...

Bot Busts Newest Hotmail CAPTCHA

"The botnet, or collection of compromised PCs, can decipher Live Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) registration safeguard in about 20 seconds, said Websense Inc. security researcher Sumeet Prasad. CAPTCHA is the term for the distorted characters that many Web sites, such as e-mail services...

MS09-002 exploit in the wild

Sans is reporting the MS09-002 exploit is in the wild. "Several AV vendors reported about MS09-002 exploits in the wild. We can confirm this – the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working as charm on an unpatched Windows XP...

F-Secure Hacked Via XSS, SQL injection

"A Romanian hacker site said on Wednesday it was able to breach the website of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week. F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog...

SQL Injection in ProFTPd

Just a friendly reminder that SQL Injection is not limited to web applications. Link http://isc.sans.org/diary.html?storyid=5845

Putting Vulnerabilities in Perspective

"AppSec Notes complains that Netflix has not fixed all of their CSRF vulnerabilities. You can no longer access account information, billing information, change shipping address, or anything of value, but you can still add movies to someone’s queue. This apparently still bothers the author who has a note of annoyance that Netflix...

Microsoft Security Bulletin MS09-002

"Microsoft published four patches on Tuesday to close serious vulnerabilities in its Internet Explorer browser, Exchange e-mail server and Microsoft SQL server. The fixes, which were released on Microsoft's regular monthly schedule, close two Critical vulnerabilities in Internet Explorer 7 running on Windows XP that could allow a malicious Web site the...

Application Security Vendors Need Help With Reporting

I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on The type of flaw and what it its impact is The URL affected Links to...

Security Vendor Kasperky Hacked Via SQL Injection

A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger, who posted screen shots and other details that appeared to substantiate the claims. In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a...

PHP filesystem attack vectors

ascii writes "On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it “secret” [4],...

PHPBB Server Compromised, Team Apologies

"We took area51.phpBB.com down along with phpBB.com to ensure integrity and prevent further damage. While we actively work to bring phpBB.com back online, we would also like to inform you of the damage that has been done. The attacker gained entry through the PHPList application and was able to dump a complete...

The security industry needs to re-align its training expectations for QA

I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...

A run down of the major security mailing lists

Here's a run down of the main mailing lists that I follow. While most of these are known in the security industry, many people who frequent this site are from various backgrounds and may find this list useful. Bugtraq: "BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and...

Safari RSS Reader Vulnerability

In 2006 I gave a talk at blackhat on the risks of RSS vulnerabilities. It appears Safari has a flaw in its RSS reader as outlined by Brian Mastenbrook. "The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I...

Oracle Releases Critical Patch Update With 41 Fixes

"Oracle delivered 41 security fixes to its customers in its first critical patch update (CPU) of the year. Among those fixes are patches for serious flaws affecting Oracle WebLogic Server and Windows versions of Oracle Secure Backup. According to Oracle, a vulnerability in the WebLogic Server plugins for Apache, Sun and IIS...

Microsoft Patch Tuesday: MS09-001

Microsoft has just published MS09-001 . This update addresses an SMB flaw. "Vulnerabilities in SMB Could Allow Remote Code Execution (958687) This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these...

CWE & SANS TOP 25 Most Dangerous Programming Errors

"Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft, Symantec,...

New DNSSEC Bind Flaw Patched

"Security researcher Dan Kaminsky made headlines last year when he discovered a critical DNS flaw. If left unpatched it could have crippled vast parts of the Internet. As 2009 starts up, a new DNS (define) flaw has emerged, but the severity of the threat is less pronounced. ISC (Internet Systems Consortium) the...

Oracle to issue 41 patches on January 13th

"Next Tuesday (13 January) promises to be a busy day for hard-pressed sys admins. Although Microsoft's regular monthly Patch Tuesday update promises only one bulletin, a critical fix for Windows1, Oracle's quarterly batch weighs in at 41 fixes. The updates fix vulnerabilities across "hundreds of Oracle products", an alert from Oracle warns....

MS08-067 Worm on the Loose

Dshield has published a report of a new MS08-067 worm spreading. "It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries...

Thunderbird 2.0.0.19 Released With Security Fixes

MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-65 Cross-domain data theft via script redirect error message| MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-67 Escaped null characters ignored by CSS parser...

MD5 considered harmful today: Creating a rogue CA certificate

UPDATE: I've added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. "We have identified a vulnerability in the...

Scammers Use Microsoft and IRS Open Redirects To Deploy Malware

"There is a new technique for luring unsuspecting users into installing viruses on their systems. Criminals will use a combination of Search Engine Optimization (SEO) techniques and common redirects that can be found on Microsoft.com and the IRS.gov websites. Here is how it works. When users are on the IRS website and...

Zero-Day SQL Server Flaw Could Allow Remote Code Execution

"Microsoft is warning users of a zero-day vulnerability discovered in SQL Server, and that exploits of the flaw have already been published. The software giant yesterday issued a security advisory outlining a flaw that could allow remote code execution on many versions of SQL Server. The company has not had time to...

MS08-078 and the SDL

Michael Howard from Microsoft has posted information on the recent IE bug and why Microsoft's SDL failed to discover it. "Every bug is an opportunity to learn, and the security update that fixed the data binding bug that affected Internet Explorer users is no exception. The Common Vulnerabilities and Exposures (CVE) entry...

Thousands of legitimate sites SQL injected to serve IE exploit

"Once again confirming the trend of having more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have been keeping themselves busy during the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites. The SQL injection attacks serving the just patched Internet Explorer XML...

Microsoft issues emergency patch for IE

"Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advanced notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution." Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious...

FireFox 3.0.5 fixes three critical security flaws

"Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege escalation”...

SUN Fixes GIFARs

"Last week, Sun released a patch for a vulnerability I reported to them. The patch I’m talking about fixes the “GIFAR” issue. I was unable to speak on the issue at Black Hat (for various reasons), but Nate McFeters did a great job of presenting the concept of GIFARs at Black Hat...

Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing

"Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters - mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard, and...

Opera releases update for 'extremely severe' vulns

"Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe". The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing, respectively....

Google Chrome Receives Lowest Password Security Score

"Google's new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time. Among the problems are three in particular that, when combined,...

Microsoft publishes uber patch to address 28 vulnerabilities

"Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its...

DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer

"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers...

Spring Framework vulnerabilities

Michelle let us know about the following story on techtarget "A recent security assessment of an application by Ounce Labs has resulted in the discovery of two vulnerabilities that can affect Java Web applications that use the Spring Framework. Spring has been downloaded more than 5 million times to date, which means...

Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)

"This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could in-turn allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations. It discusses the technical vulnerabilities typically observed in both...

Fallout From the Fall of CAPTCHAs

"CAPTCHA went from relatively obscure security measure perfected in 2000 by researchers at Carnegie Mellon University to deployment by most of the major Web e-mail sites and many other Web sites by 2007. Sites such as Yahoo Mail, Google's Gmail and Microsoft's Hotmail all used -- and, for that matter, continue to...

Widescale DNS flaw discovered

A pretty nasty DNS vulnerability has been discovered in 81 products by Dan Kaminsky. This vulnerability type seems to be the same described by Amit Klein and involves abusing the PRNG involved in transactions on DNS queries. Long story short if you run a vulnerable caching DNS server you can have your...

Firefox 2.0.0.15 Addresses Multiple Security Issues

Firefox 2.0.0.15 was released addressing the following security issues. MFSA 2008-33 Crash and remote code execution in block reflow MFSA 2008-32 Remote site run as local file via Windows URL shortcut MFSA 2008-31 Peer-trusted certs can use alt names to spoof MFSA 2008-30 File location URL in directory listings not escaped properly...

Ruby creators warn of serious flaws

"The Ruby programming language, which has become popular as the basis for web 2.0 sites such as Twitter, contains serious security flaws that could allow attackers to take over an organization's web server, according to the Ruby development team. The "disturbing" flaws, which were disclosed on Friday, could affect nearly any typical...

Microsoft Patch Tuesday: Microsoft releases four critical patches

"Microsoft has issued seven patches addressing 10 vulnerabilities, including four rated 'critical' as part of this months patching cycle. The critical patches apply to its Windows operating system (OS), Internet Explorer (IE) and, unusually, a Bluetooth component. The Bluetooth patch, MS09-030, targets a third-party ActiveX control that comes bundled with Logitech hardware,...

Whitepaper: DoS Attacks Using SQl Wildcards

Ferruh Mavituna has just published a whitepaper titled "DoS Attacks Using SQL Wildcards" where he discusses CPU utilization based dos against SQL Server where user data is thrown into sql statements. That is all. Whitepaper Link: http://www.portcullis-security.com/uplds/wildcard_attacks.pdf

Apache Debates the Apache UTF-7 XSS

There is a great debate on the bugtraq mailing list regarding the apache utf7 xss issue. In this debate William Rowe (Apache) discusses why the Apache utf7 vulnerability is in fact not a vulnerability in Apache but in Internet Explorer for not following specifications properly. William first posted to bugtraq http://seclists.org/bugtraq/2008/May/0166.html with...

IIS Vulnerability Documented by Microsoft - Includes Workarounds

SANS reports "Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potential SQL server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments were clients could upload malicious code to...

XSS in ISP ad page allows compromise of any website

"When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed. But starting in August...

DNS lords expose netizens to 'poisoning'

"More than a decade after serious holes were discovered in the internet's address lookup system, end users remain vulnerable to so-called domain name system cache poisoning, a security researcher has warned. Developers of the software that handles DNS lookups have scrambled to patch buggy code that could allow the attacks, but not...

Web developers, fix thy Flash

"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted...

Microsoft admits it knew about, didn't patch, bugs

"Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far bask as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors. A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago. In...

PHPBB flaw used to infect infect 200,000 websites with pr0n, fake trojan codec

"Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack.. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of...