Posts

Showing posts from 2008

MS08-067 Vulnerability in Server Service Could Allow Remote Code Execution

MSRC INFO Dennis Fisher gives a nice and simple breakdown of one piece of known malware targeting this vulnerability here . GD

In the News

ClickJack exploits  (from Rsnake at  ha.ckers.org) Today is the day we can finally start talking about clickjacking. This is just meant to be a quick post that you can use as a reference sheet. It is not a thorough advisory of every site/vendor/plugin that is vulnerable - there are far too many to count. Jeremiah and I got the final word today that it was fine to start talking about this due to  the click jacking PoC against Flash that was released today  (watch the video for a good demonstration) that essentially spilled the beans regarding several of the findings that were most concerning. Thankfully, Adobe has been working on this since we let them know, so despite the careless disclosure, much of the work to mitigate this on their end is already complete. First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Som...

MS Pays you to search

Its latest edition is the Search Perks incentive, which joins Live Search Club, Search and Give, and Live Search Cashback promotions in recent months. Microsoft is getting a little trickier with its latest effort -- you not only have to use Microsoft's Live Search, but you also have to use its Internet Explorer Browser which is bad news for Firefox stalwarts. To join the promotion, users must download a small program. You can't download the program or view the true SearchPerks site from Firefox or Opera browsers. Once you get the program, it tracks your searching and gives you one ticket per search query. You can earn up to 25 tickets a day. In April, users can cash in the tickets for prizes or to give money to charity. Microsoft has not announced the prizes yet, but one of them might start with "V" and end with "ta" according to rumors.

Copyright Czar Coming

It seems the Senate is taking an interest in piracy.... "The Copyright Czar , known formally as the “Intellectual Property Enforcement Coordinator,” will report directly to the White House and Congress while creating and executing nationwide anti-piracy initiatives."

chrome still in the news

Based on the below mentioned post on 0-day.  Chrome is being closely looked at by the security world.  This is likely because everyone has such high hopes and standards for anything Google does. 0-Day Blog

Not alot going on today

Google Chrome vulnerabilities being talked about, I disagree with some folks that feel this tarnishes Google.  This is a beta and their first real attempt at a web browser.  Overall I'm liking it, it lacks some enterprise polish, but should do nicely for surfing normal websites. More talk and details regarding spammers using "legit" hosting services to pettle redirects to malicious websites and content. GD

Spammers use free Web services to shield links

Just read an article at Network World .  It seems spammers are using ImageShack's services to upload .swf files to redirect users to malicious websites.

Google Chrome Day 1 Impressions

It is an extremely fast browser which makes it great for gmail, myspace, and facebook sites. Its lacks a few things however including  Citrix, Sirius, and Daltek support.  Those being a few things I use pretty regularly. I would like to see an option to make the main navigation bar icons smaller, because in IE and FF I always shrink the icons to the smallest possible. It is also vulnerable to the old Safari carpet bomb flaw,  researcher  Aviv Raff   discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug discussed at this year’s Black Hat conference, to trick users into launching executables direct from the new browser. ZDNET Blog PC World Just my thoughts.