From: Jim on 16 Apr 2010 02:21

"Security Update 2010-003

* ATS
CVE-ID: CVE-2010-1120
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.3, Mac OS X Server v10.6.3
Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.
Description: An unchecked index issue exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved index checking. Credit to Charlie Miller working with TippingPoint's Zero Day Initiative for reporting this issue."

I can't help wondering if Apple should perhaps take a slightly more pro-active stance on security. They could do what they're currently doing (spending thousands and thousands of dollars fixing security flaws that only Charlie Miller, it seems, can find in the first place) or perhaps they should just slip $5,000 to Ricky 'The Cement Mixer' Willis and give him Charlie's address...

Jim

--
"Microsoft admitted its Vista operating system was a 'less good product' in what IT experts have described as the most ambitious understatement since the captain of the Titanic reported some slightly damp tablecloths."
http://www.thedailymash.co.uk/

From: Ben Shimmin on 16 Apr 2010 04:05

Jim <jim(a)magrathea.plus.com>:

[...]

> I can't help wondering if Apple should perhaps take a slightly more
> pro-active stance on security. They could do what they're currently
> doing (spending thousands and thousands of dollars fixing security flaws
> that only Charlie Miller, it seems, can find in the first place) or
> perhaps they should just slip $5,000 to Ricky 'The Cement Mixer' Willis
> and give him Charlie's address...

I'd be surprised if Apple hadn't already made him a pretty big offer to go work for them...

Or perhaps that's not how Apple do things. He seems currently to be `Principal Security Analyst' at a company called Independent Security Evaluators:

<URL:http://securityevaluators.com/content/why-ise/profiles/cmiller.jsp>

Perhaps he likes the idea of working in Baltimore more than in Cupertino.

b.

--
<bas(a)bas.me.uk> <URL:http://bas.me.uk/>
`Zombies are defined by behavior and can be "explained" by many handy shortcuts: the supernatural, radiation, a virus, space visitors, secret weapons, a Harvard education and so on.' -- Roger Ebert

From: Woody on 16 Apr 2010 04:17

Jim <jim(a)magrathea.plus.com> wrote:

> I can't help wondering if Apple should perhaps take a slightly more
> pro-active stance on security. They could do what they're currently
> doing (spending thousands and thousands of dollars fixing security flaws
> that only Charlie Miller, it seems, can find in the first place) or
> perhaps they should just slip $5,000 to Ricky 'The Cement Mixer' Willis
> and give him Charlie's address...

Charlie Miller the hairdressers, or Charlie Miller the Scottish football player?

I mean, I don't mind, I am not trying to protect either..

--
Woody
www.alienrat.com

From: Ian McCall on 17 Apr 2010 03:57

On 2010-04-16 09:05:42 +0100, Ben Shimmin <bas(a)llamaselector.com> said:

> I'd be surprised if Apple hadn't already made him a pretty big offer
> to go work for them...

I'd be happier if he didn't, I think. Whilst there's certainly room for it, I think putting hackers into a corporate structure won't help either party. He will find things, they'll be able to more easily explain away knowledge of it or say thanks but it doesn't fit Grand Development Strategy XY so will just go on the issues list.

Friend of mine hired some people to do a penetration test of an external-facing app. He said to limit the areas of check to such-n-such, which of course the hackers promptly ignored. They were successful - couple of things, one of which was a weak Apache version. The guy running the thing said he couldn't do anything about that since it was a corporate standard, so it wasn't a valid part of the test.

Err...

Hackers don't care what your corporate build is. They just care it's weak. Putting an external-facing site out with a known flawed version of Apache handling it would have been irresponsible, and the hackers (sorry - 'penetration testing team'...) did the right thing.

Second thing they did was find an internal user, ring them up and ask for their password. User handed it out, hackers got in and then started running various tag injection attacks which worked. Again, guy who had asked for the test was furious and said 'I specifically said not to test the admin screens because there's no way a normal user can see them'. Of course, there -was- such a way and the hackers had just shown him how.

I think these people do better work outside of corporates. I also think corporates do better work because these people are outside of corporates. In this case, all vulnerabilities got fixed whereas had it been an internal testing team I'll bet neither of them would have been.

Cheers,
Ian

From: zoara on 19 Apr 2010 12:26

Ian McCall <ian(a)eruvia.org> wrote:

> On 2010-04-16 09:05:42 +0100, Ben Shimmin <bas(a)llamaselector.com>
> said:
>
> > I'd be surprised if Apple hadn't already made him a pretty big offer
> > to go work for them...
>
> I'd be happier if he didn't, I think. Whilst there's certainly room
> for it, I think putting hackers into a corporate structure won't help
> either party. He will find things, they'll be able to more easily
> explain away knowledge of it or say thanks but it doesn't fit Grand
> Development Strategy XY so will just go on the issues list.
>
> Friend of mine hired some people to do a penetration test of an
> external-facing app. He said to limit the areas of check to
> such-n-such, which of course the hackers promptly ignored. They were
> successful - couple of things, one of which was a weak Apache version.
> The guy running the thing said he couldn't do anything about that
> since it was a corporate standard, so it wasn't a valid part of the
> test.
>
> Err...
>
> Hackers don't care what your corporate build is. They just care it's
> weak. Putting an external-facing site out with a known flawed version
> of Apache handling it would have been irresponsible, and the hackers
> (sorry - 'penetration testing team'...) did the right thing.
>
> Second thing they did was find an internal user, ring them up and ask
> for their password. User handed it out, hackers got in and then
> started running various tag injection attacks which worked. Again, guy
> who had asked for the test was furious and said 'I specifically said
> not to test the admin screens because there's no way a normal user can
> see them'. Of course, there -was- such a way and the hackers had just
> shown him how.
>
> I think these people do better work outside of corporates. I also
> think corporates do better work because these people are outside of
> corporates. In this case, all vulnerabilities got fixed whereas had it
> been an internal testing team I'll bet neither of them would have been.
>

Some really interesting points, there. Thanks.

-z-

--
email: nettid1 at fastmail dot fm