In addition to CGISecurity I work on other side projects from time to time. Below is my second announcement from my latest project. Introduction I have built out several penetration testing programs, both internally and externally at companies such as eBay, Paypal, and Box to name a few. Before you have the...
In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which...
Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx
"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't...
Update2: Further proof that people are abusing this in a wide scale and likely wouldn't have had the exploit code not been released. Update: I've clarified a few points and added a few others. Recently Tavis Ormandy (a google employee) discovered a security issue in windows, and days after notifying Microsoft published...
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect the vendors are likely to respond about how inaccurate the report is, however in this case both HP and Acunetix argued valid points. From Acunetix "They were not found because Larry didn’t authenticated our scanner (didn’t...
Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,...
Apple has published the 10.5.8 Mac OS X update addressing security issues in the following products. bzip2 CFNetwork ColorSync CoreTypes Dock Image RAW ImageIO Kernel launchd Login Window MobileMe Networking XQuery Download Update: http://www.apple.com/support/downloads/ Detailed Information: http://support.apple.com/kb/HT3606
"Apple released an update to its Leopard operating system yesterday that comes loaded with a host of security and bug fixes as well as added hardware support. The Cupertino-based firm said OS X 10.5.7 patches several security loopholes related to PHP, CoreGraphics, Apache Web server and the company’s browser Safari. Three separate...
For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the cert advisory). QBIK New Zealand...
"Microsoft published four patches on Tuesday to close serious vulnerabilities in its Internet Explorer browser, Exchange e-mail server and Microsoft SQL server. The fixes, which were released on Microsoft's regular monthly schedule, close two Critical vulnerabilities in Internet Explorer 7 running on Windows XP that could allow a malicious Web site the...
I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on The type of flaw and what it its impact is The URL affected Links to...
anantasec posted a scanner comparison to the web security mailing list today. "In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners.This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation. The applications (web scanners)...
Microsoft has just published MS09-001 . This update addresses an SMB flaw. "Vulnerabilities in SMB Could Allow Remote Code Execution (958687) This security update resolves several privately reported vulnerabilities in Microsoft Server Message Block (SMB) Protocol. The vulnerabilities could allow remote code execution on affected systems. An attacker who successfully exploited these...
Ryan Barnett has posted an entry on identifying sessions lacking HTTPOnly and secure cookie flags on modsecurity. "In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish...
Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that safely...
"Microsoft on Tuesday said it plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune up programs, found in OneCare. The move could help the software maker extend...
"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment process....
"Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult of...
Microsoft has a blog entry on their mentality/process on banning certain API calls to improve their software's security. "Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement was...
Matthew Chalmers submitted the following news. "With the theme "Setting the AppSec Agenda for 2009" the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a...
There is a great debate on the bugtraq mailing list regarding the apache utf7 xss issue. In this debate William Rowe (Apache) discusses why the Apache utf7 vulnerability is in fact not a vulnerability in Apache but in Internet Explorer for not following specifications properly. William first posted to bugtraq http://seclists.org/bugtraq/2008/May/0166.html with...
"Google's search bots, which scour the web constantly for new pages, have begun a new, more active phase of their indexing jobs. In a blog post last week, Jayant Madhavan and Alon Halevy of Google's crawling and indexing team said the company has begun an experiment in which its indexing software experimentally...
"Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far bask as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors. A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago. In...
"If you've ever wondered how microsoft.com uses our technology then read on. I recently came across some good information from the folks over at the Operations team at Microsoft.com. The thread basically talks about how we use IIS, Firewalls and Windows Server 2008. I think as we come up to launch next...
"Google has fixed a vulnerability in their Gmail web based email service which would have allowed internet attackers to steal mail messages from users without being noticed. The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby allowing their mail to be forwarded to...
"Microsoft Corp. released four software patches Tuesday to fix security flaws, including one that could allow hackers to take over computers running the company's instant messaging programs. Only one of the flaws carried the company's most severe "critical" rating, but it only applies to the Windows 2000 operating system. To be affected,...
A XSS vulnerability has been discovered in apache. "Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that...
Microsoft has started a Microsoft Employee Whitehat hacker blog. "Welcome to a new blog from Microsoft. The focus of this blog is likely to be a little different from most other blogs you'll see on blogs.msdn.com. Microsoft employs some of the best hackers in the world and actively recruits them and develops...
"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning...
"The critical update covers flaws in Excel, Windows Active Directory, and .NET Framework. All create a possible means for hackers to inject hostile code onto vulnerable systems (remote code execution). Separate security bugs in Internet Information Server (Microsoft's web server software) and Microsoft Office Publisher also carry the same risk but earn...
"The average zero-day (0day) bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer, according to security vendor Immunity Inc.'s chief executive officer. Zero-day bugs are vulnerabilities that have not been patched or made public. When discovered and not disclosed, these...
First the review of SPI Dynamics Webinspect was posted and now Networkcomputing has posted the review for Cenzic's Hailstorm ARC product. "We continue our ongoing review of Web application scanners with a look at Cenzic Hailstorm. While it performed relatively well, Cenzic's ARC Web Interface could use some gussying up. Cenzic's Hailstorm...
I monitor google news for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." - Cenzic Cenzic is not the...
"The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.2.10 release of mod_python. Mod_python 3.2.10 is considered a stable release, suitable for production use. Mod_python is an Apache HTTP Server module that embeds the Python language interpreter within the server. With mod_python you can write web-based...
"When IIS 6 was released as part of Windows Server 2003, it signaled a major change in the way that Microsoft approached security in its Web server. Versions of IIS prior to 6 were the main points of attack for major worms and viruses such as Nimda. With IIS 6, Microsoft moved...
Multiple issues were addressed in this months patch Tuesday including * IIS ASP Local buffer overflow * Excel fixes * DHCP Client Service * Multiple Microsoft Office Issues Patch Link: Microsoft Windows Update
"Of the eight most serious fixes, two affect Internet Explorer, one for JScript within Internet Explorer, one in Windows Media Player, two in Windows, one in Word, and another in PowerPoint. The patch for Word fixes a highly-publicized zero-day exploit that has already been used in several cyber attacks. The vulnerability can...
