January 2007 Archive

Lucky 11 vulnerability scanners reviewed

January 2nd, 2007

Once you run them, you will realize that you have 2 million cross-site scripting vulnerabilities on your site that were supposedly fixed months ago by open-source hackers, and the firewall you just paid three grand for will resemble Swiss cheese because your junior sys-admin is still trying to get it configured.

Nevertheless, check out the review. (h/t to Slashdot).

Month of Apple Bugs gets its first swat

January 2nd, 2007

As a result of the “Month of Apple Bugs” initiative, the first pest has been found (h/t to Slashdot). It is a buffer overflow issue that when applied very carefully, could lead to an “exploitable remote arbitrary code execution condition.”

I won’t opine on exactly what “exploitable remote arbitrary code execution condition” Mac users might face, because I simply don’t know (and the find doesn’t mention any proofs of concept in action). I’ll just take their word for it.

UPDATE: Sounds like the bugs started a while ago.

UPDATE 2: Next, please.

UPDATE 3: The quick fix is deemed a counter-attack. The Month of Apple Bugs is not really an attack, so let’s just call all this by an infrequently used term… cooperation.

Gmail handing out contact lists

January 2nd, 2007

I have precisely three contacts in my database, and one of those steadfastly refuses being synced to the Blackberry so I’m not worried either way. But for the very popular set who also happen to be cheap enough to use a free email service and silly enough to store their Rolodex in one, Gmail might pose a problem.

Gmail’s JSON platform allowed websites to hijack users’ contact lists: a third-party site requested Gmail’s contacts data with a “callback” variable appended to the URL, and when a user who was logged into Gmail came by, the browser sent the Gmail cookies along, the response came back wrapped in that callback, and the hacker extracted said information. Harvesting with a twist.

Google was quick to fix the problem, but the underlying risk remains. If you leave your data on someone else’s servers, you are beholden to their security force, however strong or weak it may be. It isn’t the first time something like this has happened at a large free email service provider, and it won’t be the last.
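As an added example (this is not code from the original post, nor Google’s own code), here is a toy model of the pattern described above: a JSONP-style contacts endpoint in its vulnerable form beside a hardened form, plus a simulation of what a third-party page can read through a `<script src=...>` include while the victim is logged in. The session store, cookie value, contact addresses, and the `X-Requested-With` check are all constructed for the example; no network is involved.

```javascript
// Added example, not from the original post: a toy model of a JSONP-style
// "contacts" endpoint in its vulnerable form and a hardened form, plus a
// simulation of what a third-party page can read through a <script src=...>
// include. Request/response objects are plain values; no network is used.

// Constructed session store: cookie value -> logged-in user and their contacts.
const SESSIONS = {
  'sess-abc': { user: 'alice', contacts: ['bob@example.com', 'carol@example.com'] },
};

// Parse a Cookie header such as "SID=sess-abc; other=1" into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Resolve the request's SID cookie to a session, or null when not logged in.
function lookupSession(req) {
  const sid = parseCookies(req.headers.cookie).SID;
  return sid ? SESSIONS[sid] || null : null;
}

// VULNERABLE: authenticated data wrapped in a caller-chosen callback. Any page
// the victim visits can <script src="...?callback=f"> this URL; the browser
// attaches the victim's cookies and the response executes as script on the
// other site's origin, handing f the contact list.
function vulnerableContacts(req) {
  const session = lookupSession(req);
  if (!session) return { status: 401, body: '' };
  const json = JSON.stringify(session.contacts);
  const cb = req.query.callback;
  return { status: 200, body: cb ? `${cb}(${json})` : json };
}

// HARDENED: (1) never honour a callback for authenticated data; (2) require a
// header that a plain <script> include cannot set, so only same-origin XHR gets
// through; (3) prefix the body with ")]}'" so that even if it is fetched as a
// script it fails to parse rather than execute.
function hardenedContacts(req) {
  const session = lookupSession(req);
  if (!session) return { status: 401, body: '' };
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  return { status: 200, body: ")]}'\n" + JSON.stringify(session.contacts) };
}

// Simulate a cross-site <script src="/contacts?callback=leak"> include while the
// victim is logged in: cookies are sent, no custom headers can be added, and the
// body is executed as JavaScript. Returns whatever the callback received, or
// null if nothing leaked.
function simulateScriptInclude(handler) {
  const req = {
    headers: { cookie: 'SID=sess-abc' }, // the browser adds the victim's cookie
    query: { callback: 'leak' },
  };
  const res = handler(req);
  if (res.status !== 200) return null;
  let leaked = null;
  try {
    // new Function stands in for the script engine; "leak" is bound to a
    // capture function in that scope, just as a global callback would be.
    new Function('leak', res.body)((data) => { leaked = data; });
  } catch (e) {
    // SyntaxError: the body was not runnable JavaScript, so nothing leaked.
  }
  return leaked;
}

// Legitimate same-origin XHR client: sets the header, strips the anti-script
// prefix, and parses the JSON.
function sameOriginFetch(handler) {
  const req = {
    headers: { cookie: 'SID=sess-abc', 'x-requested-with': 'XMLHttpRequest' },
    query: {},
  };
  const res = handler(req);
  if (res.status !== 200) return null;
  const body = res.body.startsWith(")]}'\n") ? res.body.slice(5) : res.body;
  return JSON.parse(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable leaks:', simulateScriptInclude(vulnerableContacts));
  console.log('hardened leaks:', simulateScriptInclude(hardenedContacts));
  console.log('same-origin XHR:', sameOriginFetch(hardenedContacts));
}
```

The `)]}'` prefix is the same unparseable-prefix defence Google’s own services use; on today’s browsers, `SameSite` cookie attributes and CORS checks add further layers, but the rule in the post still holds: data that is only readable with the user’s cookies must never be served in a form that another origin can execute as script.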

My veterinarian and pizza delivery guy are still safe.