Archive for the ‘CGI Security’ Category
Posted in CGI Security on January 14th, 2009 by CGI
In 2006 I gave a talk at Black Hat on the risks of RSS vulnerabilities. It appears Safari has a flaw in its RSS reader as outlined by Brian Mastenbrook. “The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I…
Tags: News |
Posted in CGI Security on January 13th, 2009 by CGI
“Oracle delivered 41 security fixes to its customers in its first critical patch update (CPU) of the year. Among those fixes are patches for serious flaws affecting Oracle WebLogic Server and Windows versions of Oracle Secure Backup. According to Oracle, a vulnerability in the WebLogic Server plugins for Apache, Sun and…
Tags: News |
Posted in CGI Security on January 13th, 2009 by CGI
Microsoft has just published MS09-001. This update addresses an SMB flaw. “Vulnerabilities in SMB Could Allow Remote Code Execution (958687): This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited…
Tags: News |
Posted in CGI Security on January 12th, 2009 by CGI
Google has added an HTTPS browsing feature to Chrome. From the changelog: “A new HTTPS-only browsing mode. Add --force-https to your Google Chrome shortcut, and it will only load HTTPS sites. Sites with SSL certificate errors will not load.” Release Notes 2.0.156.1: http://dev.chromium.org/getting-involved/dev-channel/release-notes/releasenotes201561 Very cool.
Tags: News |
Posted in CGI Security on January 12th, 2009 by CGI
“COMPUTER hacker Gary McKinnon has signed a formal confession in a last-ditch attempt to avoid his extradition to the US, his family have confirmed. Former Highgate Wood School pupil Mr McKinnon, 42, is currently awaiting extradition after being accused of causing $700,000 worth of damage when he allegedly hacked into US security…
Tags: News |
Posted in CGI Security on January 12th, 2009 by CGI
“Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft,…
Tags: News |
Posted in CGI Security on January 10th, 2009 by CGI
“Hackers have taken down two high-profile targets as they continue their ongoing Web attacks in support of Palestine, defacing Web sites run by the U.S. Army and the North Atlantic Treaty Organization (NATO). The attacks on Thursday took down the Web sites for The United States Army Military District of Washington and…
Tags: News |
Posted in CGI Security on January 10th, 2009 by CGI
“Security researcher Dan Kaminsky made headlines last year when he discovered a critical DNS flaw. If left unpatched it could have crippled vast parts of the Internet. As 2009 starts up, a new DNS flaw has emerged, but the severity of the threat is less pronounced. ISC (Internet Systems Consortium)…
Tags: News |
Posted in CGI Security on January 9th, 2009 by CGI
“Next Tuesday (13 January) promises to be a busy day for hard-pressed sys admins. Although Microsoft’s regular monthly Patch Tuesday update promises only one bulletin, a critical fix for Windows, Oracle’s quarterly batch weighs in at 41 fixes. The updates fix vulnerabilities across “hundreds of Oracle products”, an alert from Oracle…
Tags: News |
Posted in CGI Security on January 9th, 2009 by CGI
Lenny Zeltser from DShield has posted an amusing list of ways to suck at information security, broken up in the following categories:
- Security Policy and Compliance
- Security Tools
- Risk Management
- Security Practices
- Password Management
Here’s a snippet: “Security Tools: Deploy a security product out of the box without tuning it. Tune the IDS to…
Tags: News |