Saturday, May 31, 2008

Race to Zero

The Race to Zero contest.

So, people are going to write some new packers? OK, no problem then.

Friday, May 30, 2008

Is Microsoft dropping Apple 0-day?

Just saw this link show up in my RSS reader:
Microsoft Security Advisory (953818) Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

From the advisory:

FAQ

What causes this threat?
A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. Safari is available as a stand-alone install or through the Apple Software Update application.

And

Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Change the download location of content in Safari to a location other than ‘Desktop’

Launch Safari. Under the Edit menu select Preferences.

At the option where it states Save Downloaded Files to:, select a different location on the local drive.

So... that sounds a lot like if I were to download a desktop.ini file or something like that, I'd get my Windows all 0wned. As in, if I cared to, I probably wouldn't have to work too hard to figure out how to exploit this from Microsoft's description and workaround.

Is this being exploited in the wild or something? Otherwise I kinda would have expected Microsoft to keep quiet until it was patched by Apple.

I guess Apple pushing Safari on Windows iTunes/Quicktime users isn't looking so hot about now?

Update:
Aha, pointer from Slashdot and The Register. The carpet bombing seems to be the genesis, but that's not the whole story, since he doesn't talk about executing code.

Update2:
There it is, it was found by Aviv Raff.

Saturday, May 03, 2008

Tweaking content (administrivia)

I have a tendency to write full essays, and only when I'm aroused enough to spend the time, and then only when I can afford the time at that moment. I've also avoided more personal and trivial stuff, because the blog is part of the Security Blogger's Network and because most of you read this because of security-related things.

Well, those are problems that have an easy technical solution. I've created a security-only feed. If you only want the security-related stuff (things I tag "security"), then change your subscription to this feed.

If you want all the other crap I decide to come up with, continue to use the full feed.

I titled the blog "ryanlrussell"; I planned to have it be an egofest from the beginning, I just got sidetracked. So what have I been holding back on? Attempts at short fiction, things about my kids, other technology stuff, more things I want to keep a pointer to, and so on. You know that thing that bloggers do that people complain about, where they just point to some article and have a short comment without a lot of insight and value add? I'm going to do more of that.

There will be a tsunami of content. Relatively speaking. Prepare for boarding.

I'm going to go tweak old posts, which I'm sure will cause old articles to hit your readers again. Apologies in advance. Should be mostly a one-time thing.