-
Microsoft Release 4 Security Fixes
"Microsoft Corp. released four software patches Tuesday to fix security flaws, including one that could allow hackers to take over computers running the company's instant messaging programs. Only one of the flaws carried the company's most severe "critical" rating, but it only applies to the Windows 2000 operating system. To be affected, users would have…
-
Apache 1.3.39, 2.0.61, and 2.2.6 Released to Address XSS Vulnerability in mod_status
A XSS vulnerability has been discovered in apache. "Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection"…
-
Microsoft Opens Whitehat Hacker Blog on MSDN
Microsoft has started a Microsoft Employee Whitehat hacker blog. "Welcome to a new blog from Microsoft. The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com. Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work…
-
Cenzic Patent Case Worries Web Researchers, Vendors
"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit — which centers around Cenzic's patent on a Web application vulnerability scanning technology — could mean trouble for other scanner vendors, as well as researchers who develop scanning techniques. Cenzic, which…
-
Microsoft Patch Tuesday Addresses .NET Vuln
"The critical update covers flaws in Excel, Windows Active Directory, and .NET Framework. All create a possible means for hackers to inject hostile code onto vulnerable systems (remote code execution). Separate security bugs in Internet Information Server (Microsoft's web server software) and Microsoft Office Publisher also carry the same risk but earn a lower classification…
-
Average zero-day bug has 348-day lifespan, exec says
"The average zero-day (0day) bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer, according to security vendor Immunity Inc.'s chief executive officer. Zero-day bugs are vulnerabilities that have not been patched or made public. When discovered and not disclosed, these bugs can be…
-
Rolling Reviews: Cenzic Hailstorm Enterprise Application Risk Controller
First the review of SPI Dynamics Webinspect was posted and now Networkcomputing has posted the review for Cenzic’s Hailstorm ARC product. "We continue our ongoing review of Web application scanners with a look at Cenzic Hailstorm. While it performed relatively well, Cenzic’s ARC Web Interface could use some gussying up. Cenzic’s Hailstorm Enterprise Application Risk…
-
Cenzic Patents the obvious: Fault Injection!
I monitor google news for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." – Cenzic Cenzic is not the first application security…
-
Mod_python 3.2.10 Released
"The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.2.10 release of mod_python. Mod_python 3.2.10 is considered a stable release, suitable for production use. Mod_python is an Apache HTTP Server module that embeds the Python language interpreter within the server. With mod_python you can write web-based applications in Python…
-
IIS 7 Shows Continued Security Push
"When IIS 6 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server. Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved the Web server…
-
Microsoft Patch Time Again
Multiple issues were addressed in this months patch Tuesday including * IIS ASP Local buffer overflow * Excel fixes * DHCP Client Service * Multiple Microsoft Office Issues Patch Link: Microsoft Windows Update
-
Microsoft Releases 8 Patches on Security Patch Tuesday
"Of the eight most serious fixes, two affect Internet Explorer, one for JScript within Internet Explorer, one in Windows Media Player, two in Windows, one in Word, and another in PowerPoint. The patch for Word fixes a highly-publicized zero-day exploit that has already been used in several cyber attacks. The vulnerability can be exploited after…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack