For various reasons I'm going to report this as neutrally as possible. Apparently F5 and Acunetix, both web security vendors, were found to have XSS holes in their websites, according to RSnake's forum. To be honest with you, yeah, it is embarrassing, but s!@# happens; however, that isn't why I'm posting this...
CGISecurity Interview: Interviewing Ivan Ristic the Author of ModSecurity
After the announcement that ModSecurity was purchased by Breach Security, I decided to email Ivan and ask him a few questions that many of us are wondering about regarding the future of ModSecurity. How will the sale of ModSecurity to Breach affect existing users? "There are going to be many positive changes resulting...
IE 7 plus Vista security measures stop latest IE 0day
A great article at ZDNet explaining how Vista + IE7 stopped the latest IE 0day from exploiting the machine. "The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and which...
Web based vulns top newly discovered issues
"The takeaway is that researchers are paying a lot more attention to web vulnerabilities, and if companies don't want to get caught up in that, then they need to pay attention to those flaws," said Steven Christey, the security researcher who authored the draft report and the CVE Editor for The MITRE...
Microsoft Patch Tuesday
5 patches have been released by Microsoft to address vulnerabilities discovered in Internet Explorer, Indexing Service, Publisher, Reliable Multicast Program, and the Server Service. Additional information about each issue can be found at the SANS link below. To protect yourself from these issues, run Windows Update.
SANS link: http://isc.dshield.org/diary.php?storyid=1691
Top 5 signs you've selected a bad web application package
5. The vendor's idea of a patch process involves you editing line X and replacing it with new code
4. The amount of total downloads is less than the application's age
3. It isn't running on the vendor's homepage
2. The readme file states that you need to chmod a certain file...
More RSS Security Issues Discovered
GNUCitizen has discovered an RSS reader vulnerability in Sage (a Firefox plugin). "I turned off HTML tags and continued on as normal. However, something odd happened. When rendering my whitepaper “Awakening the Sleeping Giant” an insert of JavaScript was executed in my browser. How bizarre, I thought. The security enabled feature makes...
RSS Security Issues Discovered in ICQ
"Security problems found in the ICQ Toolbar v1.3 may allow attackers to control and change configuration settings and to inject scripting code in RSS feed contents and execute it in the context of the feed interface (IE's Local Zone)" I released a paper and gave a presentation at Black Hat this year about...
Microsoft Research Builds BrowserShield
"With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers. "We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser," Wang...