Domain: osvdb.org
Stories and comments across the archive that link to osvdb.org.
Comments · 35
-
Re:Can we pause the Panic Parade, please?
There's a long, long history of people who should know better brushing off vulnerabilities as impractical, unproven, theoretical, etc. and being shown to be very wrong. "Panic" is a bit of a strong word, but you have to be seriously ignorant to brush off something like this with a "don't worry, there's no exploit".
-
Re:Phone manufacturers
Perhaps you're not familiar with how security research works. Stopping at "is this being exploited in the wild now?" is shortsighted.
For some background, read:
https://blog.osvdb.org/2017/08...
(about "L0pht, Making the theoretical practical since 1992.")
-
Re:Not entirely wrong.
Over ten percent of their vulnerabilities are reported by outsiders. That's a justification. That makes the 90% that's crap worthwhile.
OSVDB reports 3,700 vulns in Oracle products. If that's 10% of the total (the rest are Oracle-internal) as Davidson claims that means Oracle products have around 40,000 security vulns in them.
Someone earlier mentioned that Oracle products are the security equivalent of Swiss cheese, but with 40,000 vulns it's more like chicken wire, or maybe a small keep out sign in the corner.
-
Re:Open Source My Ass
"Open Sourced" has a different meaning in the context they use it: they are talking about how they get their data from many sources, including volunteers.
-
Re:open "sourced" database
open "sourced", not "open source."
I was confused about how someone could be charged for access to "open source" information...
Here's the NPO, with two officers, backing it:
http://opensecurityfoundation....
I noticed that convenient typo, too. It's amazing how much of a difference one little d at the end of a word can make. Makes me almost want actual editors on Slashdot instead of these uneducated rogues.
-
open "sourced" database
open "sourced", not "open source."
I was confused about how someone could be charged for access to "open source" information...
Here's the NPO, with two officers, backing it:
http://opensecurityfoundation....
-
Where random number gen "flaws" come from.
There are a surprisingly large number of public key generators with weak random number generators:
- "Debian OpenSSL Package Random Number Generator Weakness"
- "Flaw Found in an Online Encryption Method"
- "NetBSD Intel Hardware Random Number Generator (RNG) Failure Encryption Weakness"
- "PasswordSafe 3.0 weak random number generator allows key recovery attack"
And those are the ones we know about.
For open source systems, the person or persons who inserted the weak code should be identified and kicked off the project. It may just be incompetence, but that's a good reason to keep them out of security-critical areas.
Weak keys don't just let the NSA in. They let the People's Liberation Army of China in, too.
-
The RIAA website is still vulnerable
PHP and Apache are both outdated on their (RIAA) website, with both an HTTP TRACE method vulnerability and a PHP vulnerability:
http://osvdb.org/show/osvdb/12184
http://osvdb.org/show/osvdb/877
"Religion is something left over from the infancy of our intelligence, it will fade away as we adopt reason and science as our guidelines." --Bertrand Russell
-
Re:Use appropriate tools!
http://osvdb.org/searchdb.php?action=search_title&vuln_title=qmail&Search=Search
I was covering all DJB's software, not just $somethingdns. Just because it's written by djb, doesn't mean it's secure.
-
OSVDB
Along with any number of other good answers, I'd also point out that Microsoft has a very poor security track record and is hardly in a position to be making ominous threats about other people's security.
Here's a search for "Microsoft" on the Open Source Vulnerability Database. ("Open Source" here refers to the nature of the database, not covering only open source products.) Pop in any other large closed-source vendor you can think of and you'll find something. ("Oracle" is another personal favorite. It may have "Enterprise-class" performance, which I can't vouch for either way having never used it, but it sure doesn't have "Enterprise-class" security.)
I think the main problem with the implied argument is that you don't need source code to find security vulnerabilities (in fact it might not even be helpful given the other cracking techniques you can use), but you do need it to fix them, with rare exceptions.
-
100% agree with you
First of all, ISS's vulnerability scanner has turned into such a piece of dog doo, I wouldn't touch it with a poop scooper. In 2005, it was installing a vulnerable MSDE onto Windows boxes, and just patching the MSDE was enough to break compatibility (that vulnerability had been out for 3 months at the time). On the product side though, ISS's scanners have been thoroughly stomped by Tenable's Nessus and eEye's Retina.
As far as ISS goes on the IDS/IPS side, their products went from leader to lackluster. Snort, TippingPoint, and IntruShield - need I say more?
Then on the vulnerability database side, you have the X-Force DB being demolished by the innovative Open Source Vulnerability Database led by real security gurus like Jericho, not to mention the other DBs like Secunia, NVD, etc.
ISS vaguely reminds me of CA: corporate types taking good products and not keeping them updated, not innovating, and just trying to suck the blood from corporate customers.
-
Re:I wonder... Oracle distro on the way?
Given the effort required to be able to offer support on a third-party distro, I wonder if over time Oracle will come to the conclusion they can provide their own distro as easily as carry out support for a distro over which they have no/limited control.
w00t! Then I could wait three years for an OS patch as well. Where do I sign up?
-
Re:You got that right
I don't see why everyone is so critical of PHP.
An ideal programming environment makes it easier to do the right thing than the wrong thing, makes easy things easy, and hard things possible.
The latter two PHP does a tolerable job on, considering what it is. It's not a good job by any means, but there are worse.
Where people like me start bagging on PHP is that for a very long time, PHP just about forced you to do the wrong thing. Then, they'd fix the wrong thing by adding another wrong thing. Then, they'd add backwards compatibility options for the first two wrong things, which set incorrectly constituted a new wrong thing entirely, and added a fourth wrong way to do something.
The canonical example of this was their handling of the construction of strings to go to the database. A number of wrong answers were provided. At least some of them are now deprecated and scheduled for total removal, but at least some of them remain, and I'm not sure that the officially supported libraries support the right answer even now. Even if they do, it took them way too many programmer years to get around to it.
Finally, after ignoring the people who knew what they were talking about for nigh unto a decade, PHP finally implements something sort of like the right thing, albeit making it hard to find underneath all the wrong things that are still there. And best of all, inexperienced programmers have absolutely no clue that all these things are wrong things, and go happily using them to create application upon application that has all the security of Swiss cheese.
Ironically, considering the target audience, it took an extremely experienced developer to actually create a safe PHP application, and even the good projects have tended to have little problems with certain combinations of those reverse compatibility flags and stuff like that.
Now, I've carefully written all this in the past tense because I'll admit I have long since written off PHP. I could name 5 languages easy I'd rather do a web app in today, and heck, I'd rather learn a new language from scratch than use PHP. But it may be the case that it has significantly improved to the point where none of this applies. However, from what I have heard from here and elsewhere, it's mostly not the case; the security issues have gotten somewhat better but it sounds like the language has become a monstrosity. (Note that while this is the inevitable fate of any developing language... some are concerned that Java recently passed this point with the Generics feature that seems to defy even Java book authors' abilities to understand, let alone explain... PHP is hitting this point without actually passing through any point at which it was the best solution for any but the very smallest of problems.)
Generally speaking, the PHP programmer community is the least mature community I know. And I don't mean like not swearing and being respectful; I mean it's just like 15-year-olds are designing the language from their base of six months of experience programming. I find it ironic to find out PHP started as a collection of Perl scripts; by dint of great effort and years of work, they managed to produce a product inferior to Perl in almost every way.
-
US-CERT faulty stats
Attrition.org posted a nice rant about this on 1/2/2006.
http://www.osvdb.org/blog/?p=79
Likewise, good ole /. users made quite a few comments about the US-CERT line of BS at http://it.slashdot.org/article.pl?sid=05/12/31/0812210&from=rss
-
US-CERT sucks for stats.
US-CERT is virtually worthless. Hell, they still consider Mac OS X to be part of Unix. What's worse is that they list the **same freakin vulnerabilities numerous times**. I'm not going to say much more... anything I would say would be a repeat of the OSVDB blog at http://www.osvdb.org/blog/?p=79 which addresses this issue.
-
More information and a few questions:
First, in the interest of stimulating more informed discussion, here is some more information concerning the auction:
- The actual article on SecurityFocus (not the abbreviated discussion article referenced in TFS).
- The full text of the auction, courtesy of the good folks at the OSVDB blog.
- The screenie of the actual eBay auction, again courtesy of OSVDB.
From the auction text:
The lot: One 0-day Microsoft Excel Vulnerability
Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).
A percentage of this sale will be contributed to various open-source projects.
Second, two questions:
- As the seller did in fact report this vulnerability to Microsoft first, would his subsequent attempt to call attention to the vulnerability by posting it for auction on eBay be considered 'irresponsible'?
- Exactly which eBay rule did this auction break?
Discuss.
-
Re:Where to start (seriously)
funny, what are these?
http://osvdb.org/searchdb.php?action=search_title&vuln_title=qmail&Search=Search
Additionally, about two years ago I saw code floating around for qmail.
Just because Denial Bernstein claims there are no bugs and finds technicalities to justify his position doesn't mean they don't exist... but then I imagine most of the people who believe that type of stuff also believe OpenBSD is ahead of the curve.
-
Re:Strategy?
You guys keep saying OSX is secure, but I don't think you know what that word means.
Go check out SecurityFocus's vulnerability DB, or better yet, go here.
Most of these are ludicrous! Look at how many remote vulnerabilities there are! Some are absurd! Didn't Apple do ANY checking?
-
Re:Simple solution: restricted user for browsing
I did not imply that Linux was bulletproof. I'm just astonished that you can get privilege escalation through just a userland application run by an unprivileged user!
Well, if there is a system call or userland application that has a vulnerability that can result in privilege elevation, and you can compile a program to exploit it, or exploit a userland program, well there it is then.
It's surprising, yes, and more commonplace than you'd think!
-
Apple's security SUCKS
-
Re:Tabbed browsing not important
-
DOC to HTML
Try this:
http://www.osvdb.org/reference/SlippingInTheWindow_v1.0.doc/
Load the above into OpenOffice.
Now save as an HTML Document.
Note how the backgrounds on some of the tables don't line up with the foretext.
It doesn't matter what browser you use to view it.
-
Bugfree OSS
-
Re:Neat Gimmick, but...
Why is everyone giving Looking Glass such horrible reviews? Did all of you have a suck weekend?
I switch windows 2-3 times/minute when I'm holding conferences, compiling multiple items, writing new scripts, working on reports, listening to tunes, ripping CDs, and browsing the web. I have two Mozilla windows with 4+ tabs in each when I'm mangling entries for OSVDB. No, it wouldn't be more productive to have all 8+ tabs in one Moz window because there's a grouping scheme for ordering the information that I need at any given time. I also spent $200 on this fancy-dancy video card... for what? Xterm sure doesn't need 128mb of vid ram and 3D routines to run gcc. Why would I want to resurrect a window (click, select, click) just to type "dir" and then send it back (click) when a simple mouseover could bring the window to the front and then loss of focus could send the window back to an icon sized scaled down version? How about watching network monitors? Maybe I like watching "tcpdump" but have it tailored to only catch stray unwanted packets. I need the window around at all times but not full-sized. All I want is a scaled down xterm so that, when the lines shift, I can bring it up, have a look at it, decide if it's bad, and then send it back. How about "watch -n 2 netstat"? I like to know when someone's knocking on my ftp server but I don't need that window taking up maximum real estate at all times. Sure there are gkrellm plugins for these easy examples but there are dozens of custom considerations that can be accomplished with grep in an xterm. How about tailing daemon.log? That's another window which doesn't need to be full size all the time but you'll want to know instantly when it changes.
Looking glass and Expocity are just what I need to help me organize my screen to quickly flip back and forth between different windows or to keep the xterms running so that I can see when the scroll stops and compiling is done.
Guess you're all low-end, non-multitasking users. As long as my CPU can keep up with the demands of the WM I find a 3D WM to be just what the doctor ordered.
-
These things piss me off.... sorry
The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems.
Naturally this event *doesn't* raise doubts about running unpatched systems that aren't even protected by packet filters (which, for all their faults, would have prevented this) and connected to way too many other computers (not limited to, but usually meaning, the Internet) and listening on too many ports/interfaces with too much code at too high privileges anywhere (let alone in critical systems).
Naturally...
No sir, this is just a Microsoft problem. This isn't another case of RPC gone a little too easily accessible. This has nothing to do with RPC APIs being undocumented (security through obscurity). This isn't another example of just running the whole piece of networking code with as much privilege as we can come up with and keeping dumping functionality in. It is just naturally Microsoft's fault. No, I am not saying it isn't Microsoft's fault, it is, naturally. They could have learned that coding RPC services in a buffer overflow prone way without triple checking buffers isn't all that smart. And they could have learned this years ago. But they didn't, they went the "natural"/go with the flow way about this. Lazy. I mean everybody does RPC services in C with every privilege out there without caring for bugs enough. And they never released documentation for these network related APIs so, let's just keep doing it like that, it's the natural order of things.
The software industry needs some natural selection on this..... this goes for all operating systems, naturally.
-
Implementation issue
Neither of the linked articles helps understand the issue, but this one does:
Furthermore, RFC-793 allows a TCP implementation to verify both sequence and acknowledgement numbers prior to accepting a RST control flag as valid. No TCP stack implementation tested currently implements checking of both sequence and acknowledgement. All tested TCP stacks currently verify only the sequence number. This allows connections to be reset with dramatically less effort than previously believed.
Hence this is an implementation issue that can be patched in TCP stacks. Move along, little to see here.
John.
-
OSVDB
http://www.osvdb.org/displayvuln.php?osvdb_id=4030
TCP Reset Spoofing
OSVDB ID: 4030
Rating: TBD
Disclosure Date: Apr 20, 2004
Description:
The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services. ...
-
Re:They forgot one. . .
-
Re:Old news
Vulnerabilities that exist in OSVDB have a status and each vulnerability requires some work before we hand out the information. The vulnerabilities on the front page are the last ten vulnerabilities that have been deemed complete, and ready for general consumption.
Check out the FAQ for more information.
-
What makes this database "open source" ?
Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.
First, the licensing terms. Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc., a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".
Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.
Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.
You know, there are non-trivial, free (GFDL) databases out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.
-
Running on PostgreSQL, too...
...per the database info page.
<shameless>
Hey OSVDB folks, here's a little utility to do some PostgreSQL query analysis!
</shameless>