Security-Protocols

A post over that Cult of the Mac blog is stating that this weekend was marked at the iPhone’s coming out party for Apple employess. Apparently some Apple employees decided it was a smart idea to take their iPhones out into the world a week early… Nice! Two people had ran into Apple folks breaking out their revolutionary devices in San Francisco on Saturday night.

One works in a retail store and saw the iPhone-bearer pull out the device when he couldn’t remember the name of a book he was looking for. He was very careful not to show the screen. It was a discrete way to show off.

Someone told me not to do it bc he could get in trouble… Well maybe he shouldn’t be flashing it around at a party! I refuse to jock even though it’s a research op.

Im sure the Apple HR and or legal department will be looking for the culprits.

Source: cultofmac.com

A hacker who goes by the moniker “Gabriel” claims he has hacked someone at Bloomsbury’s in London and has snatched himself a complete digital copy of Harry Potter and the Deathly Hallows. If what “Gabriel” says is true, then that means tons of new spoilers for the book are now available online and we are going to have allot of very upset Harry Potter fans. The spoilers the hacker gives away basically tells who dies in the last book.

“We make this spoiler to make reading of the upcoming book useless and boring,” Gabriel wrote “It’s amazing to see how much people inside the company have copies and drafts of this book.”

We are also have to remember that potential troll posts like this one have also occurred on two previous Harry Potter books; both of which were not true. If you are interested in the potential spoilers, please see the link below:

Harry Potter 0day

So as everyone knows Apple has released Safari 3 beta for OS X and Windows, and security researchers are already dropping flaws on it. I believe Apple has just caused the price of Safari 0day to increase about 1000% by releasing it on Windows.

So I had fuzzed Safari 3 beta last night and within the first five minutes I had found ten flaws most if which were within the SVG parsing engine. I was going to release them last night, but I figured it is still in beta and I would rather save them for when Leopard is released. I figure why keep giving Apple all the free security QA in the first place. Either way, Apple should not be shipping a extremely vulnerable beta out to the public.

It will be interesting to see if Apple responds to all of the security bug reports.

If you want to see Safari 3 beta crash see the old advisory link below:

Apple OS X WebKit WebCore::ArrayImpl “ROWSPAN” DoS

So I received the following email today from some guy named Chris Abraham:

On behalf of the gang at PPP I wanted to help you get rid of ReviewMe as the middleman and do it direct with PayPerPost Direct, www.payperpostdirect.com. PayPerPost Direct would allow you to keep $90 for that post rather than the paltry $50 ReviewMe is paying you.

Check it out at http://www.payperpostdirect.com. Feel free to ping me any time if you have any questions - or for any reason, for that matter. The official announcement is on the PPP blog, http://blog.payperpost.com/2007/05/payperpost-direct-overview.html.

Cheers,

Chris

– Chris Abraham cja@well.com +1 (202) xxx-xxxx
http://chrisabraham.com http://cabraham.com

What a great strategy.. login to a ReviewMe account and start spamming all of the ReviewMe affiliates to get them to switch over to your service. Nice! Yeah, I may not agree with that fact that ReviewMe takes 50% of the revenue but hey its better than nothing right? Chris, I do appreciate the help but please don’t go around spamming people about it.

Was doing some more research on the RectRgn () QuickTime heap overflow vuln on Vista. Below is a screenshot of the crash triggered on Vista. I love the error message:

Buffer overrun detected!
A buffer overrun has been detected which has corrupted the program’s internal state. The program cannot safely continue execution and must now be terminated.