Security-Protocols

Can this really be true? Im sure it probally is true and the fact the Russians are looking for flaws in Vista doesnt surprise me much either.

The NY Times writes that;

“Microsoft is facing an early crisis of confidence in the quality of its Windows Vista operating system as computer security researchers and hackers have begun to find potentially serious flaws in the system that was released to corporate customers late last month.”

And this post by Larry Selzter eWEEK really makes me laugh;

“Beware of reports like this that make general statements. Obviously RDP isn’t as buggy as he claims. I’ve used it lots of times with no such problems. He probably has a bad driver.”

So the fact that Larry has used RPD lots of times must mean that no way in hell is it vulnerable to security flaws… Genius! Yeah good point Larry, must have just been another bad driver.

• Andres Riancho has released untidy which is a general purpose XML fuzzer. It takes a string representation of a XML as input and generates a set of modified, potentially invalid, XMLs based on the input.
• MSG from metaeye.org has released SQID v0.2 which is a command line SQL injection testing tool.
• A Microsoft Windows Vista exploit has surfaced on a Russian website. From what it looks like, this is a privilege escalation vulnerability within csrss.exe which is the main executable for the Microsoft Client and Server runtime. This flaw is locally exploitable only, and affects all versions of Windows.
• Apple has seeded a build of Mac OSX 10.4.9 to developers on Thrusday, an update which will more than likely be the last to Tiger.
• Japanese researchers have caught a giant Squid off of the Ogasawara Islands which is south of Tokyo.
• Zone-H the site which archives website defacements, gets defaced. Zone-H has written up a full incident analysis report on this.

I hope everyone has a Happy Holidays, and a safe New Years! Thanks for reading my blog.

Security researchers LMH and KF will begin a ‘Month of Apple Bugs‘ in January of 2007. I have been reading the various articles which have been written around this topic and a few interesting quotes from LHM including this one:

“IMHO, Apple should speed up the process, as it takes (a) long time for an issue to get fixed, and more for getting the patch released to the users.”

I have to say that I totally agree with him on this. What LMH should do is a month of bugs for each application which ships with OSX. Like, Month of QuickTime bugs, Month of Safari flaws, etc… Now that would be something interesting to see, and probably not very hard to do either. I have some flaws I will also be releasing in January which were reported to Apple months ago.

• Dancho Danchev has written a technical analysis regarding the Mujahid.
• Three Microsoft Word flaws still remain unpatched. I can only image how many other flaws exist within Word which haven’t been leaked out yet.
• Google enters the domain business with partners GoDaddy and eNom. Googles service will charge $10.00 per year.
• UCLA gets hacked, more than 800,000 students information is compromised. I take it UCLA doesn’t offer a computer security course.
• McAfee publicly flames the Gentoo security team because they were not ‘responsible’ in reporting a flaw within the command line antivirus scanner for Linux. But of course, McAfee is not responsible for selling shitty software in the first place. Its funny how these companies blame the researcher for their own problems.
• Boeing laptop gets stolen from an employees car which contained more than 382,000 employees ID’s.
• SpyFu : I found this great random niche generation site. SpyFoo has a database of over 1.5 million keywords and phrases. So, this really is a great way to analyze your niche and what kind of competition you might be up against.
• Hackers are selling Vista 0day for $50,000.

“My secret to success is telling the truth and not holding back on what others think I shouldn’t say or rap about.”

To me, this kind of applies to a security researchers world. As a vendor will tell them not to tell the public about how much their product sucks, and how many flaws do actually exist until the feel the need to patch them.