Domain: mitre.org
Stories and comments across the archive that link to mitre.org.
Comments · 407
-
Just Show Me the List!!
So much shit. So much commentary. Just gimme the list? Here it is:
- Failure to Preserve Web Page Structure ('Cross-site Scripting')
- Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
- Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- Cross-Site Request Forgery (CSRF)
- Improper Access Control (Authorization)
- Reliance on Untrusted Inputs in a Security Decision
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Unrestricted Upload of File with Dangerous Type
- Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
- Missing Encryption of Sensitive Data
- Use of Hard-coded Credentials
- Buffer Access with Incorrect Length Value
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
- Improper Validation of Array Index
- Improper Check for Unusual or Exceptional Conditions
- Information Exposure Through an Error Message
- Integer Overflow or Wraparound
- Incorrect Calculation of Buffer Size
- Missing Authentication for Critical Function
- Download of Code Without Integrity Check
- Incorrect Permission Assignment for Critical Resource
- Allocation of Resources Without Limits or Throttling
- URL Redirection to Untrusted Site ('Open Redirect')
- Use of a Broken or Risky Cryptographic Algorithm
- Race Condition
-
The actual link . . .
. . . to the list, instead of an article discussing the list: Link
-
Re:Bullshit
He is talking about this vulnerability: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249
Which works up to win7 with ie8.
-
Re:image format bugs
Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.
Well, that's odd - one of those bugs is CVE-2009-2285: Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2
-
Re:Example of competition gone wrong
5) Every vendor seems to have their own names for a virus. For pity's sake can we have some kind of standard naming mechanism?
You mean like some sort of common malware enumeration?
-
Re:Day is Night, Black is White, and Good is Evil
If you read more you'll find that this isn't the default setting, so "out of the box" this doesn't happen. So yeah, you're talking BS once again.
Do you understand what this bug does? It causes an infinite loop. It's a DoS. A silly one to let creep into the system, but not the most critical of problems.
Attacks will be most limited to those within the LAN (as having 139 or 445 accessible outside of the network would be strange).
Is this what your argument has descended to? Pointing out bugs? Do I have a good rebuttal if I show some silly bugs from Mac OS X?
Here is an infinite loop DoS bug that existed in AFP (Apple Filing Protocol): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0142
Probably should have been caught a lot earlier. And didn't require fuzzing/analysis to find (because it happened naturally in production).
-
Re:Same Exploit from July?
I believe the vuln being talked about here is actually CVE 2009-3547 (though full details aren't yet available on the MITRE site). If you google that number, you'll find the Red Hat patches.
-
Re:Same Exploit from July?
Well, there's always MITRE Common Vulnerabilities and Exposures, which is a good pretty much dupe-free index of reported vulns. Most professional discussions of vulnerabilities tend to use CVE references.
For instance, this particular vuln looks like CVE 2009-2695. The one discussed in the July
/. article appears to be CVE 2009-1897. The CVE pages are pretty good, complete with cross references to discussions and some pretty detailed analysis of the vulnerability.
-
Missing award...
to the ones that hacked their web page and put that fake list of awards.
Come on, "experts" that call Linux a "vendor"? That called "overhyped" the bug that enabled Conficker to do the biggest massive infection of PCs since 2003? Their link to the "backdoored redhat openssh" (that was already discussed here that wasn't) actually links to an advisory about a Windows remote rpc vulnerability.
Of course, the alternative is that their page is how it was meant to be, and in that case Hanlon would have the real explanation of what happened.
-
Adobe Flash security is extremely disappointing
Flash is now among the top attack vectors for Windows, and it isn't even covered by Windows Update.
There were 23 reported security issues in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
-
DISA Auditors
I do IA work for the DoD. I primarily do Certification and Accreditation for the Department of Navy. The DoD 8500.2 controls require your operating systems to be Common Criteria certified. The EAL level is going to depend on your classification. There are several Linux distributions that have gone through the certification process. For specific versions of specific software (Linux Kernel, OpenSSL etc.) you're probably referring to the IAVA (IAV-A, IAV-B IAV-T) notices. These are specific known vulnerabilities that usually come from CVE or some other repository. They change as often as I change my underwear (insert joke about average slashdotter here). It would be impossible to keep a system up to date without significantly breaking functionality.
The thing I keep seeing is lazy DISA auditors that see the STIG's as black and white. Most of the testers I've run into aren't technical people. They run the automated SRR scripts and ding you for having your kernel version out of spec. If I were to sit them down and ask why a particular control was an open finding they'd tell me "Because the STIG said so" without digging deeper as to why.
The most recent test I was on, the testing team hit the sys admins for an out of date Kernel on a VMWare ESX box. VMWare uses a highly customized version of RHEL. Installing the most recent Kernel would turn the box into a paperweight. The best advice I can give you is to first check with the tester to find out exactly what the vulnerability is and what their recommended fix action is. Depending on your tester you may be wasting your time. I've seen far too many testers leave comments like "Not up to STIG compliance". Check with your vendor to see if they have issued a patch to address that vulnerability. Once you have that information you can place your comments into a POA&M and go back to your DAA and explain why a given open finding isn't really a finding and/or won't be fixed. You can also look into mitigation factors to see if you can reduce the severity. Many controls will state "If you're doing X, Y and Z this finding may be reduced from a CAT I to a CAT II".
Good luck with your C&A and be glad you're not on the documentation side of things
:^)
-
Re:Does this affect all browsers?
The virus itself is a complicated one. As per the article, it was installed on the system during a mass exploit dubbed Nine-Ball, which was loaded onto 40,000 legitimate websites. Visiting those sites caused the Nine-Ball script to execute, which redirected an iframe to a page containing malicious code which mounts a series of attacks. Those mentioned by the site are:
- Exploit MS06-014, which targets the MDAC ActiveX control
- Exploit CVE-2006-5820, which targets the AOL SuperBuddy ActiveX control
- [Some] targeting Acrobat Reader
- [Some targeting] QuickTime
So basically, an application (browser) visits this malicious page. If that application runs the ActiveX controls mentioned (and presumably Acrobat Reader and/or QuickTime), it was vulnerable to the initial Nine-Ball exploit. IE qualifies for all 4 of those; Firefox can use ActiveX (I believe, with a plugin), but not out of the box... however, it does have plugins for Acrobat Reader and QuickTime.
If any of those vulnerabilities were present when the application visited the iframe, it runs malicious code that installs a crapton of viruses on the host computer, among them the FFSearcher virus.
Once FFSearcher is on your computer, it causes itself to get run all of the time, probably as Administrator. It then proceeds to:
- Execute a Windows root-kit to hide its presence
- Inject code into browser application processes; for IE, it will inject an IE-specific payload, and for Firefox, it will inject a Firefox-specific payload. Each payload causes the infected browser to do all the malicious redirecting that is described in lower-level detail in the article.
So a nice, clean, and secure IE / Firefox get started up, but Windows, itself infected, loads the virus into them! No vulnerabilities are exploited, here. Since FFSearcher runs as Administrator, everything it does is straightforward and allowed by the system; it can do basically anything. What it chooses to do is target IE and Firefox. Since it's running as Administrator, it doesn't have to exploit any vulnerabilities in either; it just barges in and rewrites parts of them to do its bidding. Administrator can do things like that.
In conclusion, there isn't any vulnerability in IE or Firefox that's involved in FFSearcher, and the only reason FFSearcher doesn't pwn other browsers is because the author didn't bother to write a payload for them, too. FFSearcher, itself, was installed due to some browser vulnerability that happened sometime, and now, permanently present on the system, takes advantage of its Administrator privileges to do some pretty wicked stuff.
-
Re:Does this affect all browsers?
Firefox and IE are the targets of the trojan once it already has control over your computer. That doesn't mean they are "vulnerable" or are in need of patches.
Only the last link in the Slashdot article discusses how these attackers gained control over your computer:
After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.
So, basically an IE hole that was fixed in 2006, plus a handful of plugin vulnerabilities. They didn't even bother looking for an old Firefox vulnerability to exploit, perhaps because too many Firefox users are up-to-date.
-
blame konica kodak and fuji for Conficker
"that old nas easily infected 20 other machines - including machines which were shipped to hospitals because they will not allow us to install virus scanners"
Interesting, would these other machines have been protected if they did have AV installed? See here where they refer to an 'arbitrary code execution during path canonicalization'. I think they mean a buffer overflow in the RPC service.
-
Re:Already there
Yes, it's so feature compatible with adobe, they've added similar exploits! http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1104
-
Re:are you sure this is such a good idea?
What!
Where have you been for the last decade? Pay attention!
http://www.kb.cert.org/vuls/byid?searchview&query=isc%20bind
http://www.kb.cert.org/vuls/byid?searchview&query=djbdns
18 v. 0? And you're looking for what kind of "authority" to make this judgement for you?
(For full disclosure, there is now a single candidate (by-design) vulnerability listed with the CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4392)
-
Re:the short version ..
'My question to you is what parts of Internet Explorer were "embedded into the kernel"'
The actual words were 'core OS kernel'. The core rendering engine and the help system for two. Reasons why it's impossible to uninstall it without breaking something, not that there is even that option.
"While browser exploits do exist and are important to guard against, a vast majority of problems that exist out there are user-initiated"
How does the end-user protect against a malicious website or email attachment? Or something that doesn't require user action, like the Conficker worm?
"What worms or trojans hook into the kernel of the OS?"
The viruses, worms or trojans don't hook, what happens is that the browser invokes an ActiveX control that basically runs as native code on the user's machine. All well and good unless it's malicious at which point the malware owns your computer.
--
A bit of a typo and it might read better like this:
"Run the Browser in an isolated process using a restricted set of system calls and sandbox from the rest of the system. In other words don't do what *they* did with Internet Explorer and embed it into the core OS"
-
Re:The list
Clam's a death trap.
-
Re:Mozilla plugins == Active X...
Nonsense. Dr Evil can't script a Mozilla extension to instantiate and execute random code he's given it. Let me save you the time and search the CVE for exploitable bugs in ActiveX controls:
There are 627 CVE entries or candidates that match your search.
-
The US has a good UFO detection system
Interestingly, the US has had, for several decades, a system which can detect UFOs - GEODSS, the Ground Based-Electro-Optical Deep Space Surveillance System. Each GEODSS site (there are three currently active, plus a mobile unit) has a pair of 40-inch telescopes. These were the first fully computerized telescopes, working since the 1980s. The telescopes scan the sky every night. They can detect moving bright objects as streaks, but there's more capability than that. They have a star atlas, and know what should be in each image, so anything that shouldn't be there is detected. If a known star is missing, that's interesting too; it may indicate a dark object. There are two telescopes, so for low-orbit objects, they can get parallax. Multiple sites can be coupled together to get parallax on more distant objects. They can even use one telescope with a laser to illuminate satellites while taking a picture with the other. This is how the USAF finds new satellites, near-earth asteroids, and nonmetallic space junk. The system was recently upgraded to use CCD imagers (it used to be tube camera based) and to use better alignment algorithms, so it's now both more sensitive and more accurate.
This is all tied to NORAD in Colorado Springs. GEODSS knows what an incoming ICBM trajectory looks like, and if it ever sees one, NORAD gets notified, without any action from the GEODSS site operators.
GEODSS is a real, live, functional UFO detection system that's been running for decades. If anything big enough to be interesting was anywhere near the planet for more than a few hours, it would be noticed. Even if the target didn't reflect radar or light, it could be detected because it would occasionally occult a star.
-
Isn't that rather old?
This seems very clunky and hacky, but I suspect that the speakers at the OWASP talk have gotten this technique to work well enough so that it is both transparent and highly effective. Can you think of a website that needs you to click, say, a play button in order to view content? That click may be hijacked through an invisible iframe to execute an action on another website.
So, how is this essentially different from CVE-2004-0762, fixed in Firefox four years ago? Okay, they might have found new attack scenarios, but the technique seems to be rather old.
-
Re:OpenSSH bug?
You mean Debian's broken Random Number Generator?
No, the bug is unrelated, and has to do with X11 forwarding in SSH tunnels. It's considered low severity.
Link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4752
-
Reinventing the wheel?
Why reinvent the wheel when you can just use the Common Vulnerabilities & Exposures (CVE) list. This list provides common names for publicly known information security vulnerabilities. Any software that's on the CVE gets removed from your list of approved software. People already did the work, why not leverage it?
-
Re:A better sponsorship
Uhh.. what?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747
"allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules."
That seems critical to me. Also, while a patch may appear in CVS/SVN within a week, it typically doesn't make it out to the distro users for several weeks afterwards. For instance, this flaw was published on July 6th, but it didn't make it to (for example) Debian until August 1st. http://www.debian.org/security/2006/dsa-1131
I don't really trust the way that apache categorizes their vulnerabilities as they list a DoS attack as critical, but a remote arbitrary code execution flaw as "important". So who knows.
-
Re:Pwned
Nominees
- Best Server-Side Bug
- Best Client-Side Bug
- Mass 0wnage
- Most Innovative Research
- Lamest Vendor Response
- Most Overhyped Bug
- Best Song
- Most Epic FAIL
- Lifetime Achievement Award
We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.
The winners of the Pwnie Awards will be announced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
-
Windows IGMP kernel vulnerability (CVE-2007-0069)
Discovered by: Alex Wheeler and Ryan Smith
Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.
-
NetWare kernel DCERPC stack buffer overflow
Discovered by: Nicolas Pouvesle
At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.
This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.
-
ClamAV Remote Command Execution (CVE-2007-4560)
Discovered by: Nikolaos Rangos
This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law clearly does hold: "Given enough eyeballs, all bugs shallow", even the ones that we knew about fifteen years ago.
-
SQL Server 200
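The ClamAV nominee above describes the pattern exactly: a recipient address taken from an e-mail is spliced into a command line that popen() hands to /bin/sh. The block below is an added example (not ClamAV's code) that builds the same kind of command string so its tainting can be observed without running anything, and then shows the hardened form: a conservative allowlist check on the address (an assumption for the example, stricter than RFC 5322) followed by execv() with an argv array, so no shell ever parses the address. The sendmail path and the two sample addresses are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not ClamAV's code. Contrasts the popen()-style pattern
 * (recipient spliced into a shell command line) with a version that
 * validates the address and never involves a shell. */

#define CMD_MAX 512

/* Unsafe pattern: build the command line that popen() would pass to
 * "/bin/sh -c". Only builds the string; nothing is executed here.
 * Returns 0 on success, -1 if the buffer is too small. */
int unsafe_build_command(const char *recipient, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/sbin/sendmail %s", recipient);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* 1 if the command line built for this recipient contains a character the
 * shell would interpret: the point at which the address stops being data. */
int unsafe_command_is_tainted(const char *recipient)
{
    char cmd[CMD_MAX];
    if (unsafe_build_command(recipient, cmd, sizeof cmd) != 0) return 1;
    /* Everything after the fixed program name came from the recipient. */
    const char *arg = cmd + strlen("/usr/sbin/sendmail ");
    return strpbrk(arg, ";|&`$(){}<>'\"\\ \t\n") != NULL;
}

/* Hardened check: assumed conservative allowlist for one mailbox address.
 * Anything outside it is rejected, as is a leading '-', which sendmail
 * would otherwise parse as a command-line option. */
int recipient_is_safe(const char *r)
{
    size_t len = strlen(r);
    int at = 0;
    if (len == 0 || len > 254 || r[0] == '-') return 0;
    for (const char *p = r; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || strchr("._+-@", c)))
            return 0;
        if (c == '@') at++;
    }
    return at == 1;
}

/* Hardened execution: validate, then execv() sendmail with an argv array.
 * No shell parses the address, so metacharacters carry no meaning.
 * Returns sendmail's exit status, or -1 on rejection or failure. */
int safe_send(const char *recipient)
{
    if (!recipient_is_safe(recipient)) return -1;
    char *const argv[] = { "/usr/sbin/sendmail", (char *)recipient, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);   /* only reached with a validated address */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a normal address and one carrying a shell
     * metacharacter, the shape of the ClamAV finding. */
    const char *ok  = "alice@example.com";
    const char *bad = "alice@example.com; echo INJECTED";
    printf("%s -> tainted=%d safe=%d\n", ok,
           unsafe_command_is_tainted(ok), recipient_is_safe(ok));
    printf("%s -> tainted=%d safe=%d\n", bad,
           unsafe_command_is_tainted(bad), recipient_is_safe(bad));
    return 0;
}
```

The allowlist is deliberately narrower than what a mail address may legally contain; for a scanner that only needs to pass an address through, rejecting unusual-but-valid addresses is the safer failure. The execv() path also matters on its own: even with a bug in the validator, an argv element is delivered to sendmail as one argument rather than re-parsed by a shell.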
-
Re:Wow. Just wow.
As horribly buggy as MSIE has historically been, Microsoft do at least issue patches reasonably promptly. They certainly wouldn't say "Nah, can't be bothered to fix that" about something like this.
I was going to say that IE seems to be getting slowly less buggy, but a quick check with CVE shows that's not quite true... I must have got that impression from MS' habit of rolling up fixes for lots of bugs into single patch / update. The bastards.
-
Re:Interesting, but really needed?
I do think that the idea of Cyber Defence is quite cool and I'm glad, that we're the pioneers here but it does seem that this really is the primary reason here, to pioneer something. It might still become useful one day and I'll be interested to see how this rolls out. New? Pioneers? Morris worm was launched, and defeated by co-operating sysadmins and programmers in 1988, 20 years ago. CERT was founded in the same year. Bugtraq mailing list is operating since 1993. CVE exists since 1999. And those are organizations that are maintaining ongoing up to date information on security-related matters. OpenBSD was founded in 1995. SELinux was released in 2000. grsecurity in 2001. Those are only most prominent software projects related to security.
The only thing you are "pioneering" is a way of getting piles of other governments' money for a basic network security awareness program. I do enjoy the fact that the small size of Estonia allows us to try all the new IT solutions on quite a large scale very fast. So far we've done quite well and I hope that we can do something revolutionary on the international scale as well. The IT innovation part of Estonia is really something I'm proud of. More like dumping ground for proprietary "IT solutions". The rest of the world is busy trying to get rid of them.
-
Hi Kettle...this is Pot
One problem that I've seen in Perl is that some Linux vendors have been making their own fixes, but never sent them upstream to the Perl core to be applied. It's bad when it's a normal bug fix. When it's a security fix, it's unacceptable.
-
Re:Old Problem
Older than you think, perhaps.
What really gets me is that every couple of years the University of Oulu Secure Programming Group comes out with another few dozen application vulnerabilities they've found by just fuzzing a new protocol. First they did SNMP, the ASN (part of OpenSSL, to a first approximation), H.323
... I don't know who's got tenure over there, but damn! I'm glad they're on our side.
-
Streisand effect?
Seems if they'd kept their whiny mouths shut, nobody would have realised from the vulnerability disclosure that the issue affects Opera. Now EVERYONE knows, from the kiddie scripting 'sploits to the IT manager planning the software deployment for the next few months, who is now seeing why closed-source Opera isn't really such a great choice after all. Even the CVE entry doesn't disclose Opera's vulnerability to this bug. Still, it makes good comedy if nothing else...
-
Re:Interesting problem
No one I know, nor me, use openDNS, right now, BUT, I am looking into pointing to it for my systems, and my clients. It looks VERY interesting.
Ahhahah! How up to date are openDNS machines? I would guess state of the art, but let me poke around their DNS server...Well, the poking indicates that security is at the highest levels, ( of course ), and I have opened a discussion with them regarding their maintenance.
BIND is currently at 9.4.2, and 8.2.x was the one vulnerable, and IIs
Hehe! Look at this:
http://vdb.dragonsoft.com/detail.php?id=3028
"ISC BIND 9 - 9.5.0a are exist remote cache poisoning vulnerability, caused by the DNS query ID generation code."
This site:
http://www.kb.cert.org/vuls/id/927905
Lists Microsoft Windows as "Not Vulnerable"
"Thank you for the heads up. While we do use the BIND protocol, we have our own implementation so these implementation-specific vulnerabilities should not affect us."
But of course, this proves that the above is a misstatement...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3898
"The DNS server in Microsoft Windows 2000 Server SP4, and Server 2003 SP1 and SP2, uses predictable transaction IDs when querying other DNS servers, which allows remote attackers to spoof DNS replies, poison the DNS cache, and facilitate further attack vectors."
The Patch for servers is:
http://www.microsoft.com/technet/security/bulletin/ms07-062.mspx
( Nice of them to patch a vulnerability that they claim they don't have! )
-
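The CVE-2007-3898 text quoted above names the weakness precisely: predictable transaction IDs. The block below is an added example, not code from MITRE, Microsoft or ISC, of the check a defender would run over a captured sample of a resolver's outgoing query IDs to decide whether the generator looks predictable. The samples are constructed in the block (a counter, a generator that only varies its low byte, and an xorshift32 stream with a fixed seed standing in for a healthy generator); the verdict thresholds are assumptions for the example, and a real check would take the IDs from a packet capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example; not MITRE's, Microsoft's or BIND's code. Given a sample of
 * DNS transaction IDs a resolver emitted, decide whether they look
 * predictable: a counter, or a generator confined to a small range. */

enum txid_verdict { TXID_OK = 0, TXID_SEQUENTIAL = 1, TXID_LOW_ENTROPY = 2 };

/* 1 if every consecutive difference mod 2^16 is identical, i.e. the next
 * ID follows trivially from the last one observed (a counter). */
int txid_constant_stride(const uint16_t *ids, size_t n)
{
    if (n < 3) return 0;
    uint16_t stride = (uint16_t)(ids[1] - ids[0]);
    for (size_t i = 2; i < n; i++)
        if ((uint16_t)(ids[i] - ids[i - 1]) != stride) return 0;
    return 1;
}

/* Number of distinct IDs in the sample, via a 64 Kbit presence bitmap. */
size_t txid_distinct(const uint16_t *ids, size_t n)
{
    uint8_t seen[65536 / 8];
    size_t distinct = 0;
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        unsigned byte = ids[i] >> 3, bit = ids[i] & 7u;
        if (!(seen[byte] & (1u << bit))) {
            seen[byte] |= (uint8_t)(1u << bit);
            distinct++;
        }
    }
    return distinct;
}

/* Number of ID bits that ever vary across the sample: a generator stuck in
 * a small range (say, only the low 8 bits changing) shows up here. */
int txid_varying_bits(const uint16_t *ids, size_t n)
{
    if (n == 0) return 0;
    uint16_t all_or = 0, all_and = 0xFFFF;
    for (size_t i = 0; i < n; i++) { all_or |= ids[i]; all_and &= ids[i]; }
    uint16_t varying = all_or & (uint16_t)~all_and;
    int bits = 0;
    for (; varying; varying &= (uint16_t)(varying - 1)) bits++;
    return bits;
}

enum txid_verdict txid_assess(const uint16_t *ids, size_t n)
{
    if (txid_constant_stride(ids, n)) return TXID_SEQUENTIAL;
    /* Assumed thresholds: over a few hundred queries a 16-bit generator
     * should rarely repeat an ID and should exercise most of its bits. */
    if (txid_distinct(ids, n) < n - n / 10 || txid_varying_bits(ids, n) < 12)
        return TXID_LOW_ENTROPY;
    return TXID_OK;
}

/* Constructed samples. */
#define SAMPLE 256

static void fill_counter(uint16_t *ids, size_t n, uint16_t start)
{
    for (size_t i = 0; i < n; i++) ids[i] = (uint16_t)(start + i);
}

/* xorshift32 with a fixed seed: deterministic here, but not a counter. */
static void fill_pseudo_random(uint16_t *ids, size_t n)
{
    uint32_t x = 0x9E3779B9u;
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        ids[i] = (uint16_t)(x & 0xFFFF);
    }
}

int verdict_counter(void)
{
    uint16_t ids[SAMPLE];
    fill_counter(ids, SAMPLE, 0x1234);
    return txid_assess(ids, SAMPLE);
}

int verdict_low_range(void)
{
    /* Only the low byte ever changes, and not sequentially. */
    uint16_t ids[SAMPLE];
    fill_pseudo_random(ids, SAMPLE);
    for (size_t i = 0; i < SAMPLE; i++) ids[i] = (uint16_t)(0xAB00 | (ids[i] & 0xFF));
    return txid_assess(ids, SAMPLE);
}

int verdict_pseudo_random(void)
{
    uint16_t ids[SAMPLE];
    fill_pseudo_random(ids, SAMPLE);
    return txid_assess(ids, SAMPLE);
}
```

The three tests are cheap and catch the obvious failure modes, but a generator can pass all of them and still be predictable (a linear congruential generator, for instance, passes distinct-count and bit-coverage checks), so a clean verdict here is necessary rather than sufficient; the source port randomization that later became standard adds entropy precisely because 16 bits of transaction ID were never enough on their own.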
Re:What dialogue?
Well, I think limiting "science" to "analysis" is both A) part of a larger cultural trend and B) a philosophical and cognitive dead end.
For the past who-knows-how-long, literary study has been dominated by "analysis" via deconstruction. Deconstructing literature (or sculpture, or Allman Brothers lyrics, or published military doctrine) is a phenomenally valuable tool. But it's a tool. It's not the desired end state. It's funny because as part of a larger cultural trend deconstruction is not too different from the current views in science and engineering fields, yet scientists and engineers still talk down to literary critics.
I think where it's most obvious is in a lack of imagination in our scientific and political discourse...I think it's led to some seriously bad juju in the past, oh, 6 years, notably the failure of the American intelligence community to react against the demands of the executive branch in preparing to go to war. Check out this talk on the subject. The author points out how the way we discuss, think about, and model groups is inadequate, and draws heavily upon bioinformatics--wherein synthesis is at least as important as analysis, if not more.
Bodnar says to his students, "What do you call half a fruit fly? Dead!" I think the same applies to the way people try to analyze the world today. Synthesis is not a "tool for analysis," it's half of a loop (with analysis comprising the other half) that we use to build knowledge. -
Re:Theo is so full of himself he misses reality
Yummy words I hope, it's an oldie but a goodie:
Heap-based buffer overflow in the NAT networking components vmnat.exe and vmnet-natd in VMWare Workstation 5.5, GSX Server 3.2, ACE 1.0.1, and Player 1.0 allows remote authenticated attackers, including guests, to execute arbitrary code via crafted (1) EPRT and (2) PORT FTP commands.
You don't even need to be root in the guest VM.
-
Re:Lacks details
The summary makes me think it is some kind of stack smashing attack; probably an integer overflow. These can occur in the PDF parsing code, before you even have to look at features like scripting. On the other hand, if PDF is anything like PostScript here, and I believe it is, it is a programming language itself, which might lead to exploitable situations.
Also, an integer overflow was recently found and fixed in xpdf. This could be the same bug. -
Re:not sure if this is true or not
This is CVE-2007-4324.
-
Re:It means we've given up on security
Given up on security?? Look.... I do infosec, including Vulnerability Management (basically, making sure patches are up-to-date) for a living - and I came thru Nimda and Code Red and the monthly IIS patch-test-deploy-crash cycle whilst our Apache boxes (which I was developing on, using Oracle and mod_perl -- vastly and obviously superior to ASP) kept on tickin'. A year or so later the only people still using IIS just hadn't heard of alternatives... virtually anyone who thought there WAS an alternative would use it, apart from those with an allergy to CLI or textfiles of course. So what changed in the last 3 - 4 - 5 years?
Here's a free clue.
MITRE CVE records for IIS: (161 records found.)
MITRE CVE records for Apache: (272 records found.)
The unpalatable truth is that MS have spent a LOT of effort improving IIS security. Do you know how many remote root vulns have been found in IIS v6?
Slashbots... I swear...
BTW This comment comes from a Stinkpad running Mandriva 2007 via a lot of Linux-powered infrastructure. And yes I'd rather stick rusty nails in my eyes than use ASP.NET instead of Perl. However business users seem to find .NET, C#, VisualStudio et al to be more productive of better, quicker, more reliable and safer code than Apache. (Given the torrent of PHP bugs on Bugtraq in the last few years, I'm not surprised.) The great hope for me, and many others I suspect, was Perl 6 -- tragically Perl seems to be withering on the vine in the face of user apathy, absurdly long & over-ambitious dev cycle for Perl6 (where are we now, year 6?)
Personally I keep on using Perl, Apache etc because I prefer FREE software to CLOSED, PROPRIETARY software -- regardless of how good it is. Freedom trumps usability, for me at least. The rest of you can go ask ESR what went wrong with his wonderful plan for "Open Source" to take over the world.... -
Re:the answer is simple
They probably just sent him the warrant as a PDF.
-
Re:With Major Hopeful's help
In government contracts to write software, it is usually a lot worse. All too frequently, especially on time-and-materials contracts, the man with the money has friends that are likely to lose a job if they don't get some work to do. The money man invents a project (this is nothing new) for the contractor to do (the lead contractor is an old friend or former government from way back when). The contractor silently develops this product. Eventually, they finish phases of it and the money man has to show the money providers what the money got them, so they do a review. No one ever writes a bad review of software they paid good money to have custom written. It always slices bread too. Money man believes this software is so good, he convinces the local chief scientist or CIO-rep that this software should be mandated by the enterprise. Other departments hear about this project and cry foul because this software only (poorly) solved problems A and C. In fact, this contractor did it so poorly that outsiders recognize why the contractor was in fear of losing their job: they suck at what they do, they charge too much, and everyone had moved on to having their problems solved by other means or software developers. But, this contractor is a "big industry player" and shouldn't be embarrassed, and the political structure won't tolerate embarrassing either the contractor who mostly did what was asked, even if poorly, or the money man who did it only to see that a friend didn't lose his job. Eventually, they get it talked up nice and good and the project couldn't die if you tried.
An indirect reference to the project name: Congressional Hearing, look for the phrase "multilevel access". A paper on the software has been written, all glossed up to make a one-trick piece of software, doing a half-assed job at multilevel access (NOT ACCREDITED BY ANYBODY), and is available as a PDF.
-
Re:Extraordinary claims require extraordinary proo
It appears to be referring to the GIF exploit, which was patched a couple of months ago.
No, as others have pointed out it's a flaw in JPEGs and BMP files. PNGs (pretty much the only format used in J2ME in cell phones and PDAs) are safe. Here are the advisories:
http://www.auscert.org.au/render.html?it=7664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
The biggest concern is that arbitrary applets could be pushed to users' machines. This is mitigated by the fact that the latest JVMs have already been repaired. Thanks to the Java autoupdater, there should not be many desktops at risk.
A secondary concern is servers that accept image uploads. BMPs are usually not accepted anyway, but JPEGs could be a concern. So it is best to upgrade these. Which brings us around to your concern...
The problem is that most Java enterprise software winds up becoming tightly coupled with a specific JVM. (In Oracle's case, a good half-dozen *different* JVMs!) You can't upgrade the JVM without breaking the enterprise app (trust me, I tried, they really work only with the specific JVM shipped), so you're left with vulnerable JVMs and no way to upgrade them. I don't have a solution to that problem.
For one, it is possible to upgrade these JVMs. It's a bit trickier than a standard install, but it can be done, at least inside the same VM version. (e.g. Java 1.4 apps will usually not suffer from an upgrade to 1.4.1, but a Java 5 upgrade would be disastrous.)
Secondly, I *DO* have a solution. Yell at the vendor! If they're going to stupidly integrate the JVM for no reason other than to make your life difficult (ostensibly to make it easier, yeah right) then they can take the burden of getting you a patch. Don't let the vendor off the hook until they get the problem fixed! That's just good practice, nothing to do with Java.
(Of course, a better practice is to find a vendor who doesn't stupidly integrate JVMs, but I digress.)
BTW, are you talking about Oracle AS or Oracle Database? Oracle AS would need to be patched for situations like this just in case you handle or will handle image uploads. Oracle Database would not be at risk since there is almost no chance of the database being made to parse images in its procedural code. Desktop applications are similarly unaffected unless they download arbitrary images from the internet. -
Re:How...useful. :/
According to CVE-2007-2788 and CVE-2007-2789 any version of Java before "1.5.0_11-b03" and "1.6.x before 1.6.0_01-b06".
-
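The version thresholds quoted in the comment above are the kind of thing an inventory script has to compare correctly, and the Sun version scheme (major.minor.patch, then `_update`, then `-bNN` build) does not sort as plain strings. The following is an added example, not from the original thread or from Sun: it parses that scheme, pulls the build-qualified version out of `java -version` output, and flags a runtime as affected when it predates the fixed build for its line. The two fixed builds are taken from the comment; everything else is assumption, namely that a missing update or build number counts as 0 (so `1.5.0_11` with no build suffix is flagged conservatively), that anything older than the 1.5 line is affected because the comment says "any version before 1.5.0_11-b03", and that `SAMPLE_OUTPUT` is constructed rather than captured from a real host.

```python
"""Classify a Sun JRE/JDK version against the fixed builds named in the
thread for CVE-2007-2788 / CVE-2007-2789.

Added example. FIXED_IN_5 / FIXED_IN_6 come from the comment above; the
parsing rules and the sample output are assumptions made here.
"""
import re

# Classic Sun scheme: major.minor.patch[_update][-bNN]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")
# Second line of `java -version` carries the build, e.g. "(build 1.5.0_10-b03)"
_BUILD_RE = re.compile(r"\(build ([0-9._]+-b\d+)")
# First line fallback, e.g.  java version "1.6.0_01"
_JAVA_OUTPUT_RE = re.compile(r'java version "([^"]+)"')


def parse_version(text):
    """'1.5.0_11-b03' -> (1, 5, 0, 11, 3). Missing update/build become 0
    (assumption: treat an unknown build as older than any known one)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


FIXED_IN_5 = parse_version("1.5.0_11-b03")   # threshold quoted in the thread
FIXED_IN_6 = parse_version("1.6.0_01-b06")   # threshold quoted in the thread


def is_affected(version_text):
    """True if the runtime predates the fixed build for its line.
    1.6.x is compared against FIXED_IN_6; the 1.5 line and anything
    older are compared against FIXED_IN_5 (assumption, see lead-in)."""
    v = parse_version(version_text)
    if v[:2] == (1, 6):
        return v < FIXED_IN_6
    return v < FIXED_IN_5


def version_from_java_output(output):
    """Extract the most specific version string from `java -version` output,
    preferring the build-qualified form from the '(build ...)' line."""
    m = _BUILD_RE.search(output) or _JAVA_OUTPUT_RE.search(output)
    if not m:
        raise ValueError("no recognisable `java -version` output")
    return m.group(1)


# Constructed sample of `java -version` output (assumption, not a real host).
SAMPLE_OUTPUT = (
    'java version "1.5.0_10"\n'
    "Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)\n"
    "Java HotSpot(TM) Client VM (build 1.5.0_10-b03, mixed mode, sharing)\n"
)

if __name__ == "__main__":
    found = version_from_java_output(SAMPLE_OUTPUT)
    print(f"{found}: {'AFFECTED' if is_affected(found) else 'fixed'}")
```

Running it on the constructed output reports `1.5.0_10-b03: AFFECTED`; swap in the real output of the JVM an enterprise app ships with to get the same answer for it, including the embedded copies the comment complains about.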
Original AusCERT
It looks like AusCERT has published on their page about this:
Quoted from
AL-2007.0071 -- [Win][Linux][Solaris] -- Sun Java Runtime Environment vulnerability allows remote compromise
1. Impact
A buffer overflow vulnerability in the image parsing code in the Java
Runtime Environment may allow an untrusted applet or application to
elevate its privileges. For example, an applet may grant itself
permissions to read and write local files or execute local
applications that are accessible to the user running the untrusted
applet.
A second vulnerability may allow an untrusted applet or application to
cause the Java Virtual Machine to hang.
Sun acknowledges, with thanks, Chris Evans of the Google Security
Team, for bringing these issues to our attention.
These issues are also referenced in the following documents:
CVE-2007-2788 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
CVE-2007-2789 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789 -