Over at Microsoft’s MSDN magazine, there’s a really interesting article by Bryan Sullivan suggesting a defense-in-depth strategy to protect Web sites and applications from cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks.
Browsing Category: Vulnerabilities
Security researchers Billy (BK) Rios and Nitesh Dhanjani infiltrated the phishing ecosystem and learned a great deal about how phishers operate. In this video, they explain their findings:
More than a month after US-CERT alerted users to problems with the published instructions for disabling the AutoRun capability in Windows, Microsoft has released a fix for the AutoRun problem.
Websense researcher Hermes Li has posted a blow-by-blow walkthrough (with screenshots) of the Adobe Acrobat/Reader vulnerability that’s currently under attack.
Excerpt from the blog post:
Google is (indirectly) buying security vulnerabilities from the security research community.
Under the guise of a Native Client Security Contest, the search engine firm is offering big cash prizes to hackers who find bugs and other security flaws in the open-source research technology for running x86 native code in Web applications.
At the Black Hat DC conference last week, Moxie Marlinspike gave a fascinating talk on the various weaknesses in the SSL infrastructure and a number of novel ways he’s discovered to exploit them. Jeff Moss, Black Hat’s founder, talked to Marlinspike about the attacks.
In the wake of the zero-day attacks against Adobe’s Acrobat and Reader product lines, the company is taking a lot of flak for its poor handling of the issue — specifically around communicating the risks and providing mitigation guidance for end users.
Over on the ZDNet Zero Day blog, I lament the absence of real workarounds:
Gmail users have had a rough time of it this week. Just a few hours after the hugely popular webmail service cratered on Tuesday morning, the instant-messaging feature associated with the site became the target of a phishing attack.
Reports have been circulating in the last couple of days about an unpatched vulnerability in Microsoft Excel, and the software giant has now confirmed the problem. The flaw allows an attacker to execute arbitrary code on a victim’s machine if the user can be enticed into opening a malicious Excel file.
TippingPoint’s Zero Day Initiative has released the rules for this year’s CanSecWest PWN2OWN contest, which will target unpatched flaws in Web browsers and mobile devices.
Among the target list this year: Microsoft’s Internet Explorer 8, Apple’s Safari, Google’s Chrome, Windows Mobile, Google Android, BlackBerry, iPhone and Symbian.