Archive for the ‘CGI Security’ Category
Posted in CGI Security on December 17th, 2008 by CGI
“Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild. Redmond issued advanced notice for tomorrow’s fix, describing the out-of-cycle patch as protection from “remote code execution.” Unscheduled updates are pretty rare for Microsoft, stressing the potentially…
Tags: News
Posted in CGI Security on December 17th, 2008 by CGI
“Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “privilege…
Tags: News
Posted in CGI Security on December 17th, 2008 by CGI
“A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says. Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users’ authentication cookies, which are used…
Tags: News
Posted in CGI Security on December 17th, 2008 by CGI
“Last week, Sun released a patch for a vulnerability I reported to them. The patch I’m talking about fixes the “GIFAR” issue. I was unable to speak on the issue at Black Hat (for various reasons), but Nate McFeters did a great job of presenting the concept of GIFARs at Black…
Tags: News
Posted in CGI Security on December 17th, 2008 by CGI
“Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters – mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard,…
Tags: News
Posted in CGI Security on December 16th, 2008 by CGI
“Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as “extremely severe”. The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputting,…
Tags: News
Posted in CGI Security on December 15th, 2008 by CGI
“The Metasploit Decloak Engine is now back online with a handful of new updates and bug fixes. Decloak identifies the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. The first version was announced in June of 2006 and was…
Tags: News
Posted in CGI Security on December 15th, 2008 by CGI
“CAT.NET – Community Technology Preview CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It’s exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by…
Tags: News
Posted in CGI Security on December 15th, 2008 by CGI
“Google’s new web browser may be fast and slim, but the password management features it offers are full of bugs. Chapin Information Services (CIS) reported critical vulnerabilities in this software during its beta period, all of which were unfixed at release time. Among the problems are three in particular that, when…
Tags: News
Posted in CGI Security on December 15th, 2008 by CGI
The author of modsecurity, Ivan Ristic, has decided to leave Breach Security, the company that retains the rights for modsecurity. I interviewed Ivan in 2006 about the sale of Mod_security, and he eased concerns that it will remain open source. Based on email conversations with him, he will not be leaving the…
Tags: News