The Pwn2Own contest at the CanSecWest conference has become one of the landmark events on the calendar each year, as researchers gather with nervous vendors in a tiny room to see who can own which browser on which platform and how quickly. But this year’s contest will have a much different look than past editions, with participants vying for more than $100,000 in cash by amassing points over the course of three days.
Dennis Fisher talks with long-lost Threatpost editor Ryan Naraine about the intricacies of the disclosure of the identities of the alleged Koobface gang members, whether we’ll see more of that kind of action and whether the recent trend toward disclosing 0-days in SCADA systems will continue.
Miami, Florida – A no-holds barred presentation at the S4 Conference laid bare the woeful state of security for many industrial control systems that power the world’s critical infrastructure. Organizers have also cooperated with security scanning firms Rapid7 and Tenable to release modules for the Metasploit and Nessus products that can test for the discovered security holes.
MIAMI–The world’s foremost expert on the Stuxnet worm said an analysis of source code for a critical component of the malware prove that Iran’s nuclear program was the target, and that attackers were able to exploit weak design in Siemens software, rather than having to exploit a software vulnerability to carry out their attack.
There’s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn’t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that’s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.
UPDATE: A decade ago this week, Chairman Bill Gates kicked off the Trustworthy Computing Initiative at Microsoft with a company-wide memo. The echoes of that memo still resonate throughout the software industry today as other firms, from Apple to Adobe, and Oracle to Google have followed the path that Microsoft blazed over the past ten years.
Oracle on Tuesday unleashed its quarterly critical patch update, which included just two fixes for vulnerabilities in its Oracle Database Server, one of the lower totals seen from the company in recent years. There are a total of 78 patches for a wide variety of Oracle products available today, including Fusion, PeopleSoft and the Sun Product Suite.
MIAMI BEACH–It’s the accepted wisdom these days that many of the traditional security defenses organizations depend on just aren’t effective at deterring attackers. But this glosses over the fact that the last few years have included some major advances in defensive technologies, including the widespread adoption of exploit mitigations such as ASLR and DEP and the use of sandboxes in many applications. However, as these advances have made their way into the mainstream, the folks on the offensive side of the game have not been sitting idly by, either, as was made abundantly clear during the talks at the Infiltrate conference here.
A bug in Microsoft’s Internet Explorer has left users of the popular browser vulnerable to cross-site scripting attacks, according to researchers at the security firm Imperva Data Security.
Oracle has fixes for 78 security vulnerabilities slated for next week as part of its first critical update of the year.
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
