mitre.org · Domains · Slashdot Mirror

Re:Missed the point by Anonymous Coward · 2011-08-02 16:37 · Score: 5, Informative · on The Most Expensive One-Byte Mistake

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2510

Re:Better link by tepples · 2011-07-01 03:22 · Score: 3, Insightful · on The Most Dangerous Programming Mistakes

Obviously, not all mitigations on the list apply to all situations. Here are some examples where they wouldn't apply so easily:

Where possible, avoid implementing custom authentication routines and consider using authentication capabilities as provided by the surrounding framework, operating system, or environment.

This can prove cost prohibitive when the authentication capabilities provided by the surrounding operating system are marketed for use only by privileged employees, not by the public. Consider the case of an operating system that charges per user account. (Microsoft calls this the "client access license" model.) One might be tempted to use or create an authentication and authorization library that runs independently of the operating system's own auth facility, so that one needs to buy a system user account for only the web server, not for each member of the public who creates a user account on the web site.

For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders

Say I encrypt the keys that a web server uses to communicate with other web services, such as the key used to communicate with a payment processor. Now how do I store the key to decrypt those keys?

For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.

So how do we prevent an attacker from attacking a system while it is still in "first login" mode?

Clearly specify which data or resources are valuable enough that they should be protected by encryption.

Firesheep shows that this includes users' passwords and cookies containing authenticated session tokens. But with StartSSL having suspended operations and Internet Explorer on Windows XP still not supporting Server Name Indication, how can hobbyist web developers get the certificate and dedicated IPv4 address needed to host an SSL site?

If possible, create isolated accounts with limited privileges that are only used for a single task.

Please see my comment above about the CAL pricing model.

Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form.

If you've ever seen errors about a "form key" on Slashdot, Slashdot is doing exactly this.

Do not use the GET method for any request that triggers a state change.

Is a hit counter a state change?

Use a built-in path canonicalization function (such as realpath() in C)

According to this page: "The realpath() function is not described in the C Standard." It's available only in UNIX, not in Windows.

Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a username is valid or not.

Does this mean don't bounce messages to nonexistent users but instead treat them as delivered and discard them? That would provide a bad user experience for people attempting to contact these users.

Use code signing technologies such as Authenticode.

How does a hobbyist afford the certificate for Authenticode?

For all configuration files, executables, and libraries, make sure that they are only readable and writable by the software's administrator.

Writable I agree with, but readable I'm not so sure. If configuration files are readable only by the adm

Jump to the list by cjjjer · 2011-07-01 03:10 · Score: 1 · on The Most Dangerous Programming Mistakes

Here is the the actual list.

Re:Better link by frinkster · 2011-07-01 01:43 · Score: 5, Insightful · on The Most Dangerous Programming Mistakes

If you'd like to read what the mistakes *are*, instead of a fluff piece that amounts to "oh, they're so awful! And people make them all the time, too!", here's the actual original article: http://cwe.mitre.org/top25/index.html

Is one of the mistakes "Not being able to click on a link"? I would check myself, but I can't click on the link.

Better link by Chris+Mattern · 2011-07-01 01:38 · Score: 5, Informative · on The Most Dangerous Programming Mistakes

If you'd like to read what the mistakes *are*, instead of a fluff piece that amounts to "oh, they're so awful! And people make them all the time, too!", here's the actual original article: http://cwe.mitre.org/top25/index.html

Re:Uh, unless you're a programmer... by lazarusdishwasher · 2011-04-21 09:04 · Score: 1 · on Microsoft Counts Down To XP Death

To quote portions of the Slackware 8.1 change log

Thu Feb 10 21:19:38 UTC 2011
patches/packages/sudo-1.7.4p6-i386-1_slack8.1.tgz: Upgraded.
Fix Runas group password checking.
For more information, see the included CHANGES and NEWS files, and:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0010
(* Security fix *)

Tue Jun 18 10:47:47 PDT 2002
Slackware 8.1-stable is released! :-)

Fri Sep 21 15:01:21 PDT 2001
Started new -current directory. For now, this will be used to hold upgrades to
Slackware 8.0, starting with KDE-2.2.1. I used the long package name format
that's been used in the Slackware ports (name-version-arch-build.tgz) and
which will be the default format in slackware-next.

Have fun!

Windows will not hit the ten year mark until October 25th 2011. How close to ten years old do you want?

Re:What do the experts say? by ledow · 2011-03-10 07:43 · Score: 1 · on Safari/MacBook First To Fall At Pwn2Own 2011

Single example, there are many others.

Privilege separation in the default configuration

http://support.microsoft.com/kb/255281

versus

http://www.losurs.org/docs/tips/sysadmin/bind-nonroot

for DNS, for instance, resulting in things like: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748 giving you "root" access to the server itself.

Re:latest BIND not affected by Bacon+Bits · 2011-02-23 04:30 · Score: 3, Informative · on High Severity BIND Vulnerability Advisory Issued

That's because the latest BIND was released specifically to patch this vulnerability. They just didn't really tell anybody about the vulnerability until after 9.7.3 was released. Don't believe me?

CERT was notified at the end of January.
"Date Notified: 2011-01-24" [ http://www.kb.cert.org/vuls/id/559980 ]

The CVE was reserved in the middle of January.
"Assigned (20110111)" [ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0414 ]

Yet the release notes for 9.7.3 don't mention any fixes which would coincide with this vulnerability:
http://ftp.isc.org/isc/bind9/9.7.3/RELEASE-NOTES-BIND-9.7.3.html

Thanks, ISC, for patching a vulnerability a month after you found out about it and then telling us two weeks later that you did that. That's awesome security procedure there.

Re:Security cookbook? by Gri3v3r · 2011-02-09 04:23 · Score: 1 · on Are You Sure SHA-1+Salt Is Enough For Passwords?

http://cwe.mitre.org/top25/index.html We had been given this URL to check at Security lesson. I found it enlightening.

Re:That's just sad. by Anonymous Coward · 2011-02-04 13:39 · Score: 0 · on Adobe's Reader X Spoils New PDF Attack

PDF reader... sandbox...

A Document Format that needs a sandbox. I don't have a sandbox around my text editor, nor my PNG viewer, nor my MP3 player... Tell me again, why do we need our document formats to be little programming languages?

Image formats or even MP3 you mentioned can be a viable transport for malicious code too. If you think it over well enough, even text files can be used to exploit e.g. your text editor's buff overflow vulnerabilities...

Sea change by wiredlogic · 2011-02-04 09:09 · Score: 4, Informative · on DoD Leads In Federal Open Source Usage

This is a dramatic change from the state of affairs ten years ago when the idea of running Linux and using open source in a secure environment would get you laughed out of the room. MITRE produced a white paper back then that has slowly helped to put the gears of change in motion.

Re:Not Trolling? by metrix007 · 2010-12-17 11:45 · Score: 1 · on Openwall Linux 3.0 — No SUIDs, Anti-Log-Spoofing

Wow, google is hard. Let me help you with that.

Here and Here.

You can see here that it was assigned more than 2 weeks before it was disclosed and started to be patched.

Re:OSNews? Thom Holwerda? Seriously? by onefriedrice · 2010-11-01 18:23 · Score: 1 · on OpenBSD 4.8 Released

Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?

Yes, I accept your challenge. Here is some light reading for you.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=selinux - Obviously not all listed here are flaws in SELinux itself, but there are some.
http://www.zdnet.co.uk/news/security-threats/2009/07/20/linux-exploit-gets-around-security-barrier-39688318/

So, while SELinux might be a good single layer of security (when it works), it certainly isn't impenetrable and should definitely not be viewed as the most important layer of any multi-layered security strategy. It is naive to assume that an OpenBSD system will necessarily be more or less secure without an SELinux equivalent.

Re:Note to linux devs by man_of_mr_e · 2010-10-21 07:59 · Score: 2, Interesting · on RDS Protocol Bug Creates a Linux Kernel Hole, Now Fixed

Of course what you don't know is that this issue has been known by the kernel team and unreported for at least 9 days.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3904

Notice the "Assigned" date, 10/12/2010, that's the date the CVE was created for this flaw and it was likely known and reported several days before that.

What this means is that the kernel team knew of the flaw, it was reported in secret, and they kept it a secret while they researched a fix. So people were vulnerabile for almsot 2 weeks, even though there was a known workaround that would have prevented them from being vulnerable if they had known.

Re:ZoneAlarm was backdoored, right? by Caerdwyn · 2010-09-20 09:21 · Score: 3, Informative · on ZoneAlarm Employs Scare Tactics Against Its Users

CVE-2007-0069

CVE-2010-1893

Though the last one really doesn't count for ZoneAlarm's intended function, as it's a local privilege escalation.

Reference: http://cve.mitre.org/index.html
Search terms: Windows kernel tcp/ip

Re:"Setup required a reboot" by aiht · 2010-09-15 14:44 · Score: 1 · on IE 9 Beta Strips Down For Speed

Back to the main topic, the only time a reboot should be required is a kernel update, and I seriously doubt IE 9 patches the kernel. Reboot to install a browser? Insane.

I can't find a reference, but I believe IE has been known to patch the kernel from time to time.
And considering the things that are implemented in the kernel, it's not so surprising.
Of course, Windows also isn't so good with replacing executable files that are still loaded, so it doesn't quite reach the ideal state of "only time a reboot should be required is a kernel update" anyway. But I suspect you know that.

What are they trying? Not engineering. Not PR. by SgtChaireBourne · 2010-08-29 06:05 · Score: 2, Insightful · on Microsoft's Security Development Process Under CC License

Why waste time publishing that crap? It's not even good for PR because it only serves to highlight the failure. It's only worth is documenting years of fail and we have Mitre and CERT for that. Every generation of Windows has been the model of bad design and insecurity, including Vista and Vista7. Before M$ reps revised it, /. even had a vista failure tag, for the version to come along after tagging was implemented. Otherwise there would have been a special tag for the XP SP2 disaster.

The SDL is what has contributed to very shitty quality. Of course the raw material, the managers and the engineers have to be mentioned as being incapable.

Re:Joomla! by PetiePooo · 2010-04-21 07:30 · Score: 1 · on Simple CMS For Mixed Mac/Windows Team?

A list of 343 vulnerabilities (and growing rapidly) on a 5 year old Joomla component ecosystem is a good reason to be critical of Joomla. The problem with allowing anyone to write components is that anyone will components...

Re:Steve Jobs Has Just Gone Mad by shutdown+-p+now · 2010-04-10 18:24 · Score: 1 · on Adobe Evangelist Lashes Out Over Apple's "Original Language" Policy

You simply can't write a double-free in Java or C#; it's just not possible.

You're correct in the context that is implied here, but broadly speaking, this is not true with respect to C#. Let me clarify for the benefit of those who might not be familiar with technology in question, so that they don't end up with factually incorrect information.

You can absolutely get dangling pointers in C#, for example, or buffer overflows. For example:

class Program { static unsafe void Main() { byte* p = stackalloc byte[100]; // same as alloca in C p[100] = 0; // one-past-the-end access } }

It's actually one of the major differences between Java and C# - the latter does have non-memory-safe constructs (hence the "unsafe" keyword - it is required in the above example).

The output is still managed code, though, in a sense that it is bytecode that "runs under" (i.e. JIT-compiled by) a VM. The difference is that, on runtime level, we talk about "verifiable managed code" and "unverifiable managed code". Any stuff that deals with raw pointers, like the above code sample, is considered unverifiable. Verifiable managed code is basically a subset that is rather close to what Java offers - in particular, it is memory-safe.

(For the sake of completeness - they had a defect in the spec at one point, which resulted in the possibility to produce verifiable but memory-unsafe code - this was CVE-2009-0090 vulnerability, which has since been fixed.)

Now, for obvious reasons, only verifiable managed code can run in a sandbox - such as the one used for WPF browser applications, or Silverlight. Furthermore, it was announced that Windows Phone 7 applications will also run in a sandbox with similar restrictions. I haven't seen a comprehensive list detailing them for WP7, but, playing with the released preview of development tools and emulators for it, it seems that all unverifiable code is indeed rejected. So, to the extent that we're only talking about C# and .NET as used for WP7 development here, your claim is indeed correct.

Re:Welcome to the 20th century by Anonymous Coward · 2010-03-23 14:29 · Score: 0 · on How To Evade URL Filters With (Not-So) Fancy Math

I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin.

Oh, shit! I'd better patch!

Welcome to the 20th century by Dachannien · 2010-03-23 11:49 · Score: 4, Informative · on How To Evade URL Filters With (Not-So) Fancy Math

I'm glad Slashdot is here to tell us about these things, or else I might not have found this important security bulletin.

Major domains being exploited by Animats · 2010-03-20 04:29 · Score: 4, Informative · on Naming and Shaming "Bad" ISPs

We've been doing something like this at SiteTruth for two years. We have the list of major domains being exploited by active phishing scams. This is simply a list of domains that are both in PhishTank (about 100,000 entries) and Open Directory (about 1.5 million entries). Today, 84 domains are in both. There's been a surge; it was 54 two days ago.

Domains are on this list for one of several reasons.

They had a break-in, and didn't clean it up. Generally, the sites with this problem for long periods are ones without effective contact information, so there's no easy way to tell them about their problem.
They have an open redirector. Those are rare now, but were common two years ago. Yahoo, eBay, and Microsoft Live all used to have open redirectors. After much nagging, and some press coverage, the big players have plugged that hole.
They're a hosting service, especially a free hosting service. Free hosting services need to be very aggressive about checking themselves for exploits. The smarter players now read the PhishTank and APWG feeds automatically, to detect abuses of their own systems. Right now, "t35.com" is suffering from a massive attack, with 227 pages in PhishTank. Their problem is that they're being attacked by a program, but are cleaning up by hand. Every day they kick off hundreds of phishing pages, but they can't keep up. The previous site with the worst problems was "piczo.com" (some kind of social network/hosting service for teenage girls), but they've been gaining on the problem.
They're an ISP There are a few ISPs with phishing sites they just never seem to kick off. Most of the active ones were kicked off long ago. In fact, other than ISPs which are also hosting services, we show only one entry in this category, and it's a DSL line on RoadRunner that redirects to a dead page.
They're a "short URL" service. These are popular as a way to get phishing URLs past spam filters. The "short URL" services have become much more aggressive about kicking off phishing URLs over the last year.

While this is to some extent a "blame the victim" approach, it's more effective than "phishing education" aimed at end users. Hundreds of webmasters have to be educated, not hundreds of millions of end users.

Re:Undefined requirements by tjarrett · 2010-03-02 07:09 · Score: 1 · on Over Half of Software Fails First Security Tests

There is an industry effort to define a "watch list" for common mistakes that lead to security flaws. Co-led by the folks behind the Common Weakness Enumeration at MITRE and the SANS Institute, the SANS Top 25 (full listing here) is being used as a requirements document for the security of purchased applications by the State of New York, among others.

It's not perfect--it omits backdoors and other intentional security flaws, among other categories--but it's better than nothing, by a long shot.

Disclaimer: I work at Veracode and was a co-author of the report that the original article was about.

Re:Undefined requirements by tjarrett · 2010-03-02 07:09 · Score: 1 · on Over Half of Software Fails First Security Tests

There is an industry effort to define a "watch list" for common mistakes that lead to security flaws. Co-led by the folks behind the Common Weakness Enumeration at MITRE and the SANS Institute, the SANS Top 25 (full listing here) is being used as a requirements document for the security of purchased applications by the State of New York, among others.

It's not perfect--it omits backdoors and other intentional security flaws, among other categories--but it's better than nothing, by a long shot.

Disclaimer: I work at Veracode and was a co-author of the report that the original article was about.

Re:Aarghhhh by dkf · 2010-02-26 01:28 · Score: 1 · on Anatomy of a SQL Injection Attack

It is more difficult to make a site that allows some people to provide content including html and script, and still prevent evil content to enter your database / pages.

The issue there is that you're allowing that at all (see CWE-79). The solution is to not allow general HTML/script input from non-trusted sources (i.e., they can upload new HTML with sftp, but not through a web form) and instead support some greatly restricted syntax (e.g., bbcode or wikisyntax) that is easy to convert to guaranteed fang-free content. And use a proper templating library for output of content from the database instead of hacking things.

Re:But better than not finding out at all. by sabt-pestnu · 2010-02-18 13:27 · Score: -1 · on Microsoft Confirms Update-Linked BSODs Required Compromised Machines

In many ways, this is just a variant on Download of Code Without Integrity Check. In this case, failing to validate the libraries not included in the download.

"It's a microsoft system. Obviously all the libraries on it are the ones we put there. Obviously the system hasn't been modded."

Examples contain bugs... by kleuske · 2010-02-18 00:20 · Score: 1 · on The 25 Most Dangerous Programming Errors

The fun thing is that i've found at least three bugs in their example code other than the ones MITRE intended to illustrate. The most glaring of which would prevent the code from even getting compiled. http://cwe.mitre.org/data/definitions/805.html void host_lookup(char *user_supplied_addr){
struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);
/*routine that ensures user_supplied_addr is in
the right format for conversion */
validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(&hostname, hp->h_name);
}
The final strcpy will not work, since the first parameter is a pointer-to-pointer-to-char, instead of pointer-to-char.

Re:Just Show Me the List!! by nprz · 2010-02-17 16:35 · Score: 1 · on The 25 Most Dangerous Programming Errors

Looking at http://cwe.mitre.org/data/definitions/22.html#Related_Attack_Patterns, I wonder who generated their examples:

The program would generate a profile pathname like this: /users/cwe/profiles/../../../etc/passwd

When the file is opened, the operating system resolves the "../" during path canonicalization and actually accesses this file: /etc/passwd

As a result, the attacker could read the entire text of the password file.

Big fucking deal of the attacker reading the passwd file. On my machine, it is 644 and I'm pretty sure it needs to be readable to function.
Maybe if they wrote shadow file, I'd give them more credit.

Just Show Me the List!! by QuantumG · 2010-02-17 14:28 · Score: 5, Informative · on The 25 Most Dangerous Programming Errors