After three separate 0-day vulnerabilities are found in your product, you can pretty much expect the market to call for you to go away. This is the situation that Adobe is in right now. After fighting for their little slice of dominance in the computing industry, Adobe’s Flash is arguably one of the most commonly used APIs for rendering rich content. This has made them a rather large target for a number of years… well, this and the fact that the Flash development team has made some rather poor choices when it comes to their application.
A day after we published an article on how deficient most developers are when it comes to properly planning for security, we are hearing about a new bug that affects one of the core components of an operating system. Dubbed Bash or Shellshock, this new flaw affects the shell in an OS. The shell in an OS is what allows you to interact with systems. When you run an application it will often run code through the shell to give you the desired result.
One thing I find interesting is the lack of any real memory in the technical press. It seems that the people that write about trends and events happening in the technical world often do not remember what has happened before. We saw this with the Heartbleed bug and are seeing it again with BadUSB. If you do not know what this is, well, it is a new exploit found in the fundamental way USB works.
We are on the ground in Las Vegas, NV to cover Black Hat and DEF CON 2014. We will be bringing you coverage of the latest in hacks, exploits and the tools that are supposed to protect you from the “bad guys”. We also brought along some fun toys that are perfect for travel security. Granted, nothing we brought is going to keep you 100% safe, but in the real world every little bit helps.
A couple of days ago we posted a story about a group of developers that complained to Valve about their lack of a Bug Bounty. In their complaint was an inference that having a form of reward would make people want to identify and report bugs and exploits in a timely manner. On the surface that would seem to make sense, but there is a flip side to this line of thinking. There will also be times when people will wait to report something to ensure they get the most money out of their efforts.
The TOR Project has been the go-to group when it comes to anonymity. This group and their TOR browser bundle are used by millions of people daily and not just to surf for illegal items or porn. In many cases the use of TOR allows dissidents in countries with oppressive governments to maintain connections to the outside world and also communicate. In areas like China, TOR and their obfuscator project allow free access to the internet despite the Great Firewall of China.
There is nothing like finding out that the application you bought to keep you safe on the internet can actually be used to insert malicious code. Well, this is what AVG Secure Search toolbar users are finding out this morning as news of a vulnerability has hit the web. According to the report from CERT, version 18.1.6 and older of AVG Secure Search and AVG SafeGuard install an ActiveX control that is just bad news.
In the browser wars there is always going to be the argument over which browser is “better”. You will hear people talk about how fast, secure, cool, feature rich their favorite browser is, but in the end all of them really fall short of where they should be. Oddly enough, it is Microsoft’s Internet Explorer that gets the brunt of the jokes and jabs (in many cases rightly so). However, at this year’s Pwn2Own it was Mozilla’s Firefox that got tossed around like a rag doll.
There is no such thing as a secure operating system; it is as simple as that. Despite years and years of hearing about how this OS or that OS is secure, it is simply not true. We have watched as each new contender has fallen to either security researchers or to the “bad guys” out there in the shadowy places on the internet. Today we hear about an issue with Microsoft’s vaunted EMET toolkit.
Yesterday we wrote about a disturbing flaw in some D-Link routers that allows a malicious individual to access them without a username or password. Shortly after we published the article we were reminded that this flaw does not just exist in D-Link hardware, but is also present in devices from many other companies that have SOHO and residential products. The string for each might be different and in some cases harder to gain access to, but it is there.