How dangerous are the first Google Chrome vulnerabilities?

By Scott M. Fulton, III, BetaNews

A pair of security holes whose proofs-of-concept were validated by BetaNews show that Google Chrome may not have been as thoroughly inspected as Google would have us believe. But isn’t finding bugs and holes what beta testing is all about?

A beta test is not a product debut, at least not by definition. So the discovery of the first few serious security vulnerabilities in Google’s Chrome shouldn’t, in and of itself, raise alarm bells. However, one may rationally wonder why a project that was in the works for at least two years, if not four, wasn’t able to find these same security holes long before the independent researchers did.

Last week, we learned that a variant of the same security vulnerability that afflicted Apple’s Safari for Windows two months ago also impacts the first Chrome beta. Although WebKit is the rendering engine for both products, architecturally speaking, this problem actually has nothing to do with rendering, but rather with how downloads are presented and handled.

Security researcher Aviv Raff has become particularly adept at spotting cross-site scripting vulnerabilities, and similar problems where one component is triggered to pass control to another component without appropriate controls in place. Last week’s discovery is a classic Raff feat of juggling.

IE8 beta lets users cover their tracks

By David Worthington

August 29, 2008 — On Wednesday, a beta refresh of Microsoft Internet Explorer 8 that includes new privacy and search features became available for download.
End users are the target audience for beta 2. It introduces granular privacy settings that Microsoft has dubbed InPrivate browsing and InPrivate blocking. InPrivate helps users cover their tracks as they browse by informing them about cookies that may observe their browsing history and permitting them to selectively remove those cookies.


Latest Trend Report on Application Security

Cenzic just announced our latest Trend Report on Application Security for Q2 2008 (PDF format) and would like you to have a copy.

Cenzic analyzed reported information for April 2008 through June 2008 from vulnerability sources such as SecurityFocus, CVE, SANS, US-CERT, SecurityTracker, and other third-party databases, and found the top 10 vulnerabilities listed below. Among the top 10 issues, the usual suspects like Adobe, IBM, Sun, and QuickTime show the most vulnerabilities.


2008 OWASP USA, NYC Conference

Three weeks until the 2008 OWASP USA, NYC Conference. This event offers tracks for security and development professionals interested in learning how to secure applications and enterprises, as well as organization leaders who want to learn more about the state of the appsec industry and its trends.

Speakers include Joe Jarzombek, the Director for Software Assurance in the Department of Homeland Security (DHS); Vadim Okun of the National Institute of Standards and Technology (NIST); Philip Venables, CISO of Goldman Sachs; and over 40 other AppSec leaders. Attendees should expect to learn about new threat vectors and ways to build secure web applications from well-known software security experts such as Jeff Williams, Jeremiah Grossman, Robert Hansen, Arshan Dabirsiaghi and many others.


5 Ways To Update Your Windows Operating System

We all know how important software updates are, and their importance magnifies even more when the operating system itself needs updating. Some of the updates might even be critical, and keeping your system updated (or not) can end up saving the day or ruining it.

Here are 5 ways you can use to update your Windows operating system.

You may ask, however, “why not do it the usual way I’ve been doing it in the past?”

The answer is that these alternative ways are especially useful for:

    (1) Users that format their hard disks or reinstall Windows frequently.

    (2) System builders or network administrators seeking to quickly install all updates to multiple Windows PCs.

    (3) Security-conscious users who do not wish to expose their computer to the internet.

    (4) Users with a slow connection to the internet who want to avoid slow download times by using a faster connection on another computer to download Project Dakota, and burn it to a CD, DVD or flash drive.

    (5) Users with a small internet usage cap who don’t want to use it all on updates.

    (6) Users who want a faster way to update Windows without having to connect to the internet to download updates.

So here they are:


QualityLogic offers ATS-IF test files

By David Worthington

A test tools and services company is selling the test pages for developers to validate their applications’ ability to consume and process files from top-selling programs.

Last Wednesday, QualityLogic began offering ATS-IF test suite intermediate files, which are raw data files used in printer/driver testing, for sale at the QualityLogic Online Storefront.

The files are designed to allow test teams to validate the accuracy and performance of their file manipulation processes. ATS-IFs can be sent through a print driver just as an end user would send a print job, according to the company.

ATS-IFs are available for both Windows XP and Vista, in English as well as several Asian languages. Test files are available for applications from Adobe, Corel, Microsoft, OpenOffice.org, Quark and others.


IBM distinguished engineer talks SOA security

By David Worthington

In a service-oriented architecture, where boundaries are exposed and services are loosely coupled, identity management, policy enforcement and some automation are required to secure information, says an IBM distinguished engineer.

Raj Nagaratnam, IBM distinguished engineer and chief architect of identity and SOA security, discussed with SD Times the crucial role that he believes identity management plays in SOA security.


Patched DNS servers still vulnerable to cache poisoning

By Dan Goodin in San Francisco

Large swaths of the internet remain at risk from a potentially crippling vulnerability in the net’s address lookup system even after installing emergency patches, a researcher has warned.

Russian researcher Evgeniy Polyakov posted exploit code here, which he says allowed him to poison domain-name system servers running the most recent version of the Berkeley Internet Name Domain (BIND), the most popular software for translating domain names into numeric IP addresses. The attack, which poisons the records of domain-name system servers with incorrect information, could allow criminals to silently redirect millions of users to fraudulent websites that attempt to steal login credentials or install malware.


Russian cybercrooks turn on Georgia

By John Leyden

Conflict between Georgia and Russia on the ground has been accompanied by the relaunch of cyber-attacks against Georgian government websites.

The Georgian presidential (www.president.gov.ge) and other government websites (such as www.parliament.ge) were left inaccessible by assaults over the weekend, in a repeat of attacks in late July before tensions over the breakaway region of South Ossetia spilled over into armed conflict. The DDoS attack appears to be using a Russian malware variant from the Pinch family and a command-and-control server based in Turkey. Nationalist articles in Russian-language papers are apparently inspiring Russia’s digital underground to get involved in assaults on Georgia’s web-facing systems.


Researchers Outline Security Risks of Social Networking Sites

By Brian Prince
2008-08-08

Security researchers at Black Hat laid bare some of the security risks users of social networking sites such as MySpace face as Sophos releases new information about an attack targeting Facebook.

LAS VEGAS—Sometimes our friends aren’t really our friends. Just ask security researchers Nathan Hamiel and Shawn Moyer.
