"You can own this Transmeta chair. Linus might have sat in it."
I'LL BUY IT!!!!
- Steve Ballmer.
After reading AKAImBatman's comment, I realized it's not a DOM/scripting vulnerability, but just the ability to hide a link behind flash or animated GIF content.
Kudos to AKAImBatman for understanding what this was about - and Kudos to the hackers for both discovering such an ingenious exploit and for working with the companies to fix it.
How about this: Your name is Heather and you're trapped in Silent Hill. After beating the crap out of a monster, you realize that all the spooky playground was some CSS delusion and you ended up screwing innocent ppls' lives.
That would've been a pretty cool ending for SH3, btw, but I hope it helps explain what this exploit really is about. So, in other words, if you see a flash ad saying "click to win a prize", now you can know what the prize is ;-)
From google cache:
Clickjacking
There's been a bit of drama over the last week or so around the upcoming world OWASP conference in New York. It's surrounding a talk that Jeremiah and I were planning on doing the first day of the conference. Jeremiah and I have been working on some interesting browser security issues which also affect a lot of downstream people/websites/technologies as well. Sounds like a good talk, right? We thought so too!
Alas, it turns out that some of the issues we found weren't just a little bad - they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof - we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we've only worked with a few vendors. So… yah. It's pretty bad.
As you may have guessed the first is a browser company, Microsoft (to be expected since it's a browser issue to begin with). The second is Adobe - who have been working closely with us on this one since we first told them about the problem. We have been working on proof of concept code since before Blackhat and finally got our ducks in a row with real working exploit code a few weeks ago. And that is pretty much when the problems started. None of the issues we found relating to the browser were particularly easy to fix, it turns out.
The related issues we found that affect websites (instead of browsers) are thankfully slightly easier to deal with on a one-off basis, but that too is going to be a problem. There are a lot of much easier hacks out there against websites for sure, but what we've been working on breaks some previously good security measures. The correct solve will not be patching every website on earth. Instead it will likely end up being a browser patch against every major browser. The idea of every webmaster in the world patching their own sites is a non-starter. Although I'm sure lots of people are going to run out and patch their sites rather than wait for the normal browser patch and release cycle for all browsers everywhere. We've discussed the high level concern with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solve in sight at the moment.
So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly, so as not to diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we'd rather a few of the more critical problems get patched before we go public.
However, I must stress, this is not an evil "the man is trying to keep us hackers down" situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the speech ourselves for the time being, and for anyone who was looking forward to the speech all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn't an easy decision but it really feels like the best option we have given the current situation. If you're desperate for a way to patch your browser from the issue, disable scripting and plugins for the time being. More to come.
This entry was posted on Monday, September 15th, 2008 at 5:36 pm and is filed under Webappsec. You can leave a response as well.
And from the Adobe report:
Thanks to Jeremiah Grossman and Robert "RSnake" Hansen
Robert "RSnake" Hansen and Jeremiah Grossman recently shared with us some information they were planning to include in an upcoming presentation at the OWASP NYC AppSec confer
God bless Flashblock!
But how can you boycott their albums and movies? Yeah, right. I can picture you standing beside the line for the premiere of IronMan 2 holding a cardboard sign saying "The MPAA is screwing America" or something. Let's see what the people in the line tell you.
Bread and circuses.
You have forgotten the punitive damages for violating the rights of the copyright holders.
Fine, make it $240 :)
You just gave me a great idea for an iPhone app. Look for it soon on the App store!
Actually that's how things will work. Google will innovate with its cool apps, which Apple will HAVE TO copy to retain its market share.
"Mammon awoke, and lo! it was naught but a follower."
- from The Book of Mozilla, 11:9
Since when does anyone *buy* Adobe Creative Suite?
I'm joking, of course. Sort of.
No, no, NO! You must say "According to a friend of a friend". Legally that will get you out of any legal trouble... well, according to a friend of a friend.
a perfect example of unclean code? http://thepiratebay.org/torrent/3497574/Windows_2000_source_code
Sheets of unclean code as toilet paper. A match made in heaven.
Over two days of following the nested ifs, the gotos (no STL, no exception handling, the gotos made perfect sense), the logic, then BAM!
"Wow, that's fast!"
And your understanding could've been faster if the author had bothered to include a comment block before the series of ifs/gotos.
Example:
/** The following series of if's/gotos are a hardwired implementation of
 * a finite state machine, as documented in the book "Efficient State Machine
 * examples for data processing" (ISBN blablablabla, p.15).
 * The machine is as follows:
 *
 * A -> (condition 1) -> B
 * A -> (condition 2) -> C
 * ...
 *
 * The if at point 1 is node A
 * The if at point 2 is node B... etc
 */
// Point A of the FSM
if(...) {
    goto B;
}
True, comments aren't an excuse for bad code, and WTF/min aren't necessarily accurate. But difficult to understand code without proper in-code documentation is a potential disaster. In fact, I'd call your example a mega-WTF for its lack of comments.
The mentioned diagram is the original source of the whole joke.
Good meta-meta... I... joke.
Good recursive [ERROR: STACK OVERFLOW]
Not that I've had Windows as my main install for ages (it's now relegated to a virtual machine) but I read "Movie Maker" in the list and went "Huzzah! They've finally decided to ditch that crappy app they install in XP that I've never wanted to use and that I'd find a better alternative of if I did want to make movies". I've never understood why it was one of the core apps.
A failed monopoly experiment? After all, it did work with Windows Media Player...
Nothing like not being able to download a web browser because you don't have a web browser!
This reminds me of the times when we connected to the Internet via Trumpet Winsock and had to download Netscape via FTP... <yoda>Arcane times they were, yes...</yoda>
Downloadable version instead of pre-packaged, you know...
You can still get the same thing, you just have to take the extra step to download it...
and making sure you own a "Genuine" copy of Windows.
Sigh. There go my mod points, but I had to speak.
What I really care about open source is that you are practically guaranteed that the bugs will be fixed. You just have to report them (except in rare cases where the actual project is obsolete or it simply sucks).
With "freeware" or proprietary software, you are doomed to accept what the vendor tells you. Oh look, there's a bug! Want to report it? Good luck with that! Especially if it's a product already discontinued by the vendor (i.e. Microsoft Visual Foxpro), where they'll only care about security bugs.
Another good example of an abandoned project was Proxomitron. Remember that one? It was freeware. But guess what, the author had a car accident and died. He never released the source so his project just died.
And what to say, dammit, what to say about the f***ing piece of crap called Internet Explorer!?!?!?!? Is it free as in beer? Yes! Can it be fixed and improved by the community? HELL NO!
I may not contribute back to the software pool (yet) and I haven't donated money to projects, but does that make me a greedy bastard? No (the reason why I can't donate money to Open Source is because I don't have a credit card, and no, I don't live in the US, so everyone who blames it on me can simply STFU). I just happen to be in the group of people who care about having software that won't disappear when the author dies or when it's discontinued, leaving me with LOTS AND LOTS OF HEADACHES every time the company I work at requires me to use an OBSOLETE AND DEFECTIVE PIECE OF SH**!
The sad part is that it's a real-life case :(
Clearly popups don't work in an effective way, yet programmers continue to use them for the wrong purposes... What would make more sense is for programmers to design their popup use better so that it is more meaningful for the user.
You have 1024 infections on your computer!
Press REPAIR to fix these problems.
A friend of mine came for help because he couldn't open his drive C:, so I told him he probably had a virus. He said that he even used an antivirus program. Which one? Here's his answer:
One that said "Your computer is infected!"
No worries, I'll provide the summary:
1) Find infidels
2) Find nuclear weapon
3) Combine
4) Get blasted by the infidel's nuclear-powered rays!
You're correct that this is just regular old competition, and better competition between ANY projects, open or closed, will almost always result in better software all around.
This leads us to an important question: Is there competition in the Open Source world?
Then I go to http://www.distrowatch.com/ and see the answer for myself: Yes, there is.
Google says: No results found for "Improve your jihad: nuclear weapons".
GASP! They nuked the article! CENSORSHIP!
God forbid someone should try to make a living out of selling overpriced software.
There, fixed that for you.
Where was this, and what happened? Who was the "stabber"?
He was a madman! He said his name was Jack before he began attacking me with his knife - I barely escaped. Fortunately, a very nice gentleman who lives at 221-B Baker St. saved me just in time. He went after the attacker, not before telling his assistant, Watson, to take me to the hospital.
Case in point: Being vigilant is the answer, not running a certain piece of software (or rather, not-not running a certain piece of software).
Yes, but usually being vigilant implies not running a certain piece of software ;-)