Hey, it's Will. I noticed that several blogs, including Trend Micro and McAfee, have been talking about the recent attacks on the Internet Explorer 7 vulnerability that was fixed in MS09-002. An interesting thing about these exploits is the attack vector. The technique used in these attacks has several security impacts that may not be immediately obvious.
It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the process easier, we developed reference implementations of the guidelines for both Microsoft Internet Explorer and Mozilla Firefox.
Hi, this is Chad Dougherty of the Vulnerability Analysis team. One of the important roles that our team plays is coordinating vulnerability information among a broad range of vendors. Over the years, we have gained a considerable amount of experience communicating with vendors of all shapes and sizes. Based on this experience, we can offer some guidance to vendors about communicating product security issues.
Hey, it's Ryan. This blog entry contains some quick recommendations about filtering certain ICMPv6 types using two host-based firewalls--Linux ip6tables and Microsoft Vista's advfirewall. If you have suggestions or other ideas, let me know.
Hi, it's Will. Recently, a blog author reported that the CERT® Secure Coding Standards website, which runs on Atlassian Confluence, contained a SQL injection vulnerability. After analyzing the report and discussing it with the Confluence vendor, we have concluded that the behavior described is not a vulnerability.
Hello, its Ryan. We've noticed a misconception about IPv6 that is popular on the internet: that IPv6 addresses are hard to ping sweep because there are so many possible addresses. Ping sweeping can lead to port scanning, so this misconception is viewed as a security feature. In this post, I'll prove that, while it won't work across the internet, ping sweeping on the local network is easier in IPv6 than in IPv4.
Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable to the same type of attack. However, some people seem to be missing an aspect of the attack that affects all web browsers.
Hi, it's Ryan. Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker can abuse package managers that use digital signatures.