Monday, July 27, 2009

Welcome Ezri Kathryn


The newest member of the family joined the world at 8:05 PM on Saturday July 25th! Mom and baby are doing great and expected to be home today.
Now I have a favorite oldest and favorite youngest niece :)

Wednesday, July 15, 2009

tag- you're it Firefox...

Microsoft patched its latest browser vulnerabilities yesterday, and now there is a zero-day exploit for Firefox 3.5! The proof of concept code executes calculator on the compromised machine.

There is a vulnerability in the way Firefox processes JavaScript code which allows an attacker to execute arbitrary code. When the attack doesn't work, the browser crashes, or the script causes FF to give errors.

The proof of concept is here: http://www.milw0rm.com/exploits/9137

When I tried the PoC, I got a message saying the script was unresponsive (A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.) At that point you can either continue or stop the script.


Using the NoScript add-in mitigates the threat (unless you choose to allow scripts on the page with the attack!)

No response from FF yet about a patch.

Friday, July 10, 2009

browse & get owned

Microsoft is calling a new vulnerability/exploit floating in the wild a 'browse and get owned' attack vector. The victim simply has to visit the compromised site to get infected -- no handy pop-ups asking you to install stuff, no notices to install new ActiveX... just a silent install of malware.

Most of the sites that are compromised are currently serving Chinese-related content, but that could change quickly.

MS has published a temporary fix (http://support.microsoft.com/kb/972890) and will have the permanent fix as part of next week's Patch Tuesday updates. There are an additional 2 Internet Explorer vulnerabilities being patched next week, but the details of those are sketchy.

The temporary fix uses MS's 'Fix it' to disable the Video ActiveX control that is vulnerable. There is also an 'unfix it' option to re-enable the control. I ran the fix and so far have not seen any negative effects. Manually disabling the control can be done by editing the registry (not recommended!) to set the 'kill bit' for the control.
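A read-only way to confirm that a kill bit is actually in place after running the fix, as an added example that is not from the original post or from the KB article. The CLSID shown is a placeholder (take the real class IDs from the KB article), and the function name Test-KillBit is made up for this illustration.

```powershell
# Added example: read-only audit of ActiveX kill bits. Nothing is written to the registry.
# A kill bit is the 0x400 bit in the "Compatibility Flags" DWORD stored under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBit = 0x400

function Test-KillBit {
    param(
        [Parameter(Mandatory)] [string[]] $Clsid
    )
    # 64-bit Windows keeps a second list that applies to 32-bit Internet Explorer.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($id in $Clsid) {
        foreach ($root in $roots) {
            if (-not (Test-Path -LiteralPath $root)) { continue }   # hive absent on 32-bit Windows
            $key   = Join-Path $root $id
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            [pscustomobject]@{
                Clsid  = $id
                Hive   = $root
                Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { 'not set' }
                # A key with other compatibility flags but without 0x400 does NOT block the control.
                Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# Placeholder CLSID, constructed for this example; replace with the IDs listed in the KB article.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

Any row with Killed = False means that class ID can still be instantiated by the matching Internet Explorer build (native or 32-bit).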

Thursday, July 9, 2009

MilW0rm Closes!

** UPDATE**

The site is back online! Apparently the outcry was sufficient to motivate str0ke and friends to bring the site back up!

** END UPDATE **

A well-known, public site for posting and finding the newest, latest, greatest, coolest exploits has shut down. The owner published the following:

"Well, this is my goodbye header for milw0rm. I wish I had the time I did in
the past to post exploits, I just don't :(. For the past 3 months I have
actually done a pretty crappy job of getting peoples work out fast enough
to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the
authors on this site. I appreciate and thank everyone for their support in
the past. Be safe, /str0ke "

Hopefully someone in the community will step up to get the site back up. While it was used by some malicious people to find exploits, many of the good guys used the site in their day-to-day work creating network defenses and testing their own sites to improve security.

Thanks to str0ke for all the time and work he put into the site! Good luck with whatever you do next.

Thursday, July 2, 2009

Licensed to ....

hack? New legislation being proposed by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine) introduces the idea that cybersecurity professionals should be certified and licensed. The DoD already tried the certification thing -- cybersecurity people are supposed to have at least one of a number of recognized certifications in order to perform cybersecurity work. Since 2004, only about a third of the people performing IA work actually have a recognized credential.

If this passes, it would be a crime for a non-licensed professional to provide security services to a government agency or any system/network designated as critical infrastructure.

What isn't clear -- what defines a cybersecurity job? security services? Who will decide the licensing requirements? Who picks the certifications that 'count'? And what is part of 'critical infrastructure'?

I believe that certifying professionals is a good thing, but making it illegal for non-certified people to work on systems is a bad idea. Most of the more respected certifications require a certified professional to have years of experience (i.e. CISSP) -- so people could be stuck in a catch-22 situation -- can't do the work without the cert, can't get the cert without having done the work. I also think that passing a test doesn't make you good at something, it means you passed a test. Just looking for that piece of paper when hiring is not going to mean you get better qualified people.

As for licensing -- this brings to mind the PI licensing requirement that Texas has for anyone doing 'investigative work'... which includes digital forensics, some computer repair, most incident response work. A PI license tells nothing about a person's qualifications in cyber security, but somehow the Texas Legislature thought requiring a PI license was a good idea.

Someone is going to have to create, maintain, test, and validate all of the licensing criteria. Who would be in charge of this? Would that be the same organization that provided training to pass the tests?

There are a lot more questions than answers with this proposal. And the cynical part of me thinks that it won't matter since it will take many years to develop criteria anyway and by that time, cybersecurity may not be the 'new hotness' and we can all ignore the politicians' attempts to define things they really don't understand!


http://defensesystems.com/Articles/2009/06/22/feat-cybersecurity-training.aspx
