Domain: threatpost.com
Stories and comments across the archive that link to threatpost.com.
Comments · 308
-
Re:PDF-XChange
Here, I found an article explaining the issue.
-
less effective advanced protections
This is really a vulnerability in any meaningful sense of the word. Rather, this means that certain advanced protections that Windows uses are less effective in a Virtual PC
..
'The flaw, discovered by Core exploit writer Nicolas Economou, exists in the memory management of the Virtual Machine Monitor. It causes memory pages mapped above the 2GB level to be accessed with read or read/write privileges by user-space programs running in a Guest operating system'
Microsoft weasel words, copyright©
-
PA security officer fired for talking at conferenc
e (damn /. and its short subject field).
Our state CISO was fired when he got back from the conference because he spoke about a hacking incident to the state's DOT site which allows one to schedule driver's exams. Apparently, it was initially presumed the attack came from Russia but was later found to have come from Philadelphia where a driving school had exploited a vulnerability in the web site to schedule more driving tests than there were allotted slots.
By exploiting this vulnerability, the driving school was able to close all available slots EXCEPT for the school so everyone else had to wait up to 6 weeks to schedule a test.
He was a scheduled presenter with over 24 years in IT in both the public and private sector. He was recognized, according to the RSA schedule, as "one of the most high-profile experts in the field of securing the data of American citizens today."
As you read the comments after the article, it's clear that some folks with knowledge of the subject insist he went out of bounds on the subject while others consider what he did to be a normal part of the IT security process.
I'm only posting this as it does relate to the overall RSA conference. Note that the web site indicated will probably prevent reading the article after a certain time has passed so read it now. In addition, here are two other sites which talk about the firing:
Site one
Site two
Further, here is an article which talks to the firee after he became the state's first CISO and what he had to contend with.
-
What you ship is not the whole story
Well, he makes some good points. Code review is indeed difficult, requires good skills, and is not done by many people in the free software community (the OpenBSD development team being a notable exception). Good software engineering methodology is crucial, certainly.
He concludes that Microsoft ends up shipping fewer vulnerabilities than anyone else. Is this true? Well, with the obvious exception of OpenBSD, it might be; but that's not the whole story. What developers do when a vulnerability is found is pretty important, too. Probably even more important.
Not long ago, a serious vulnerability was discovered in several versions of IE. Turns out Microsoft had known about it for several months. So, naturally, they had a patch all ready and tested before it became a problem - right? Well, no. Instead, they urged users to upgrade to IE8. The bug didn't get patched until almost a week after exploits were seen.
For all their professionalism and expertise, Microsoft developers labor under a severe handicap: they have to work on what Microsoft managers tell them to work on. They may think that a given bug is urgent and should be patched right away; but at the end of the day, the priorities are set by people who are focused on the bottom line, and those people know that nothing much is going to happen to Microsoft if a vulnerability is left open for a week or two. Every year, people in the Linux community confidently assert that this is the year of the Linux desktop; and every year, they're proven wrong. Too many people are locked into Microsoft's proprietary formats, and have too much time invested in learning to use Windows, to switch easily. And that's not going to change anytime soon.
-
Re:Tear down
Despite all the people who like to quote Charlie Miller and your own "Let me tell you how...", it is not trivial to crack a Mac...period!
From Threatpost post about 12 serious OSX Flaws that were patched today
Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42
That's just one that could be exploited without user intervention through Safari, and you wouldn't even need to go somewhere malicious since most black hats target third party Flash Ad providers on a legitimate site (Google "Gawker Ad Malware"). I'm sure you'll tell me how Apple patched them (IE: Steve Bailed me out) but what about when I originally posted the exploit example two days before the patch?
The problem is that the average Windows user has a false sense of security because they think that if they run anti-virus they'll be safe whereas the average Mac user doesn't run anti-virus but they also know better than to click on any link sent to them or download and install any piece of software that comes their way.
The difference is that as long as the Windows system has an AV system that is functional and can get updates, it's going to tell the user something's wrong at some point. The Mac user without the Virus scanner happily runs his infected box until either his ISP steps in and blocks his account (because he's spamming or DOSsing) or Apple sends a patch killing it. As for the point of not downloading or clicking on anything suspicious, Google "Gawker Ad Malware" Again.
What's Windows' track record been over the past ten years...yeah, I thought so!
Not once did I mention Windows Security. My point, and it's been my point all along now, is that it can happen to anyone, anywhere using any OS and any software on that OS. Windows and IE (and especially the older versions) are horrendous security wise, but going down the "Change your OS" or "Change your Browser" bandwagon is only a short term solution at best because eventually the Virus Inc's will start punching holes in whatever the next popular thing is. It's all about proactive protection (Anti Virus) and system hardening (User rights management and sandboxing) to protect your computer from yourself. Doing it right will make any system, Including Microsoft, rock solid. Ignoring it, or denying that it exists or is necessary, will get you hacked in the end.
BTW, Thanks for Proving my other point.
-
so what's "chome"?
What's "chome"? "Back in September, when Google launched the Google Chome Frame plug-in for Internet Explorer users..."
http://threatpost.com/en_us/blogs/microsoft-finds-security-flaw-google-chrome-frame-111909
original post
-
Re:Or just switch to linux!
But you drag up a situation that was resolved nearly a decade ago.
Linux Kernel 2.6 Local Root Exploit - February 10 2008
New Linux Flaw Enables Null Pointer Exploits - July 17, 2009
Better?
My point was that the ISC was created in response to a virus that had an impact on Linux. More to the point, that "Linux" (much like "Mac") does not mean "invulnerable". Any competent system admin will tell you that.
fixes were quickly available and easy to apply
This has less to do with existence of exploits and more to do with competency, doesn't it? Tell you what, if you can tell my mother-in-law how to apply this decade old fix to a Linux system correctly, without excusing yourself for a moment to go outside and bang your head against the wall, I'll concede.
-
Re:Morton's Fork
In computers, things that you aren't allowed to do you shouldn't be able to do. [..] I call this a new design principle: Don't Randomly Give Away Your Passwords To Strangers That Are Good At Keeping Secrets.
It actually has a name, called self-enforcing protocols. An example is "cut-and-choose": you have a piece of cake to divide evenly between two people, but how can it be done fairly without bringing in a third party? One person cuts, the other person chooses a piece. They aren't allowed to cheat, but more importantly they also can't cheat.