I decided to start using Feedburner to publish my feed so I can try to track who is subscribing. If you are a current feed subscriber, I would appreciate it if you would switch your subscription when you get a chance. The new feed is at http://feeds.feedburner.com/AnInformationSecurityPlace. Or you can get the link from the RSS icon on the right sidebar.
Vet
For my blogging friends out there using Wordpress, take serious note of this post from Darknet. Seems like all versions of Wordpress below 2.0.3 are vulnerable (2.0.4 should be coming out very soon) to a flaw in the Subscriber functionality. If you require people to register before they can comment, then you need to make sure you turn off the “anyone can register” option and delete any subscribers you do not not know personally or who have never posted or have not posted for a long time (personally, I don’t require people to subscribe to comment – you might consider either turning off comments or not requiring membership untiol 2.0.4 comes out).
In Wordpress under the wp-admin page, go to Options and General. There is a Membership section where the choice is located. Uncheck and save, then wait for 2.0.4 and upgrade ASAP.Â
And don’t forget to backup before you upgrade. I use a plugin from here to backup.
Vet
Just got through reading this article at Security Focus. So basically, fuzzers are becoming more and more prominent in finding flaws in applications (they have been around a while, but they are now gaining notoriety with the general populace). More and more flaws are coming out on all sorts of applications, but the main focus is on Microsoft products, with the lion’s share being found on Office products.
This makes sense because Office is used so widely. People trying to make a buck are going to search for flaws on a widely used product, unless they have a specific target in mind and know what other apps they use. You could also say this makes sense because Microsoft makes such crappy products, and you would be partially correct. Fuzzers have been used to find flaws in non-MSFT apps as well (Flash, Shockwave, RealPlayer, etc.), so the threat is not just with Microsoft products.
But the point here is this: if the baddies are concentrating their fuzzing efforts on Microsoft products, where is the news that Microsoft has started actively using fuzzers to find flaws in their code? Where is the news that the giant has hired HD Moore to start an active campaign to find flaws in their products so they can start fixing the issues before they are used by baddies?
Look at this quote from the article:
Moreover, the flaws reported to date are only due to a limited amount of effort using fuzzers, TippingPoint’s Dhamankar stressed. Researchers do not typically have access to the detailed information about file formats for Microsoft’s Office, so their efforts to date have been limited.
Does this mean since the good guys can’t find the flaws that the baddies won’t either? No. The flaws will be found eventually. It means that Microsoft has the opportunity to find the flaws before anyone else because they know more about the code than any one else. Microsoft needs to step up and start finding and fixing more flaws using other tools besides their own.
Vet
An Information Security Place