Archive for August, 2007

Imagine you're a web advertiser.
Imagine you can open a popup window from a web page defeating any popup blocker.
Imagine this popup can invade the whole desktop, full screen.
Imagine this popup has no title bar, no menus, no toolbar, no location bar, no border and no buttons. No means to close it.
Imagine the user can't move or minimize this popup. It will go away only when the browser is killed or your show is done...

Now imagine you're a phisher.
Imagine you can use this almighty popup to draw anything you want. A fake browser or -- why not? -- a whole fake desktop to collect the user's data.

Impossible wet dreams of clueless evildoers?
No, it's just 100% Pure Java™ Reality.


Ten Fucking Days Exif
Both Robert Hansen AKA RSnake and Jeremiah Grossman blogged about a certain business card.

Robert, who seemingly took the original photo on Aug the 3rd 2007 at 9:13:59 UTC with a Canon PowerShot SD400 (focal length 12.120mm, exposure time 1/8 sec), tried to appear nice and covered Mike Shaver's contact details with white rectangles.

So did Grossman when he uploaded a slightly modified version of the same picture.
But notwithstanding (?) his Brazilian Jujitsu, Jeremiah has been the nicer guy: not only did he scrupulously self-censor his blog post, masking the F... word, but he also took care to clean up some EXIF metadata *.

Said metadata, in fact, included a naked thumbnail which RSnake certainly left there on purpose: to expose Mike Shaver's cell number, making his life miserable with thousands of hate phone calls from savage hackers, and ultimately to prevent him from fixing Mozilla bugs and fulfilling his ten days promise.
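A check for exactly this kind of leak, added here as an example that is not part of the original post: the script below walks the marker segments of a JPEG, finds the APP1 Exif segment, follows IFD0's next-IFD pointer to IFD1 and reads the JPEGInterchangeFormat / JPEGInterchangeFormatLength tags (0x0201 / 0x0202) that locate the embedded thumbnail, so a "redacted" image can be verified before publishing, or the whole Exif segment dropped. The sample JPEG is constructed inline from a hand-built TIFF structure and is not a decodable picture; the function names are my own.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"
TAG_THUMB_OFFSET = 0x0201   # JPEGInterchangeFormat: thumbnail offset inside the TIFF data
TAG_THUMB_LENGTH = 0x0202   # JPEGInterchangeFormatLength


def _segments(jpeg):
    """Walk marker segments up to SOS/EOI. Returns ([(marker, payload, start, end)], stop_pos)."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    segs, pos = [], 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: the header walk is over
            break
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts its own 2 bytes
        end = pos + 2 + length
        segs.append((marker, jpeg[pos + 4:end], pos, end))
        pos = end
    return segs, pos


def _thumbnail_from_tiff(tiff):
    """Return the IFD1 thumbnail bytes from Exif TIFF data, or None if there is none."""
    fmt = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if fmt is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(fmt + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    # IFD0 describes the main image; the 4-byte pointer after its entries leads to IFD1.
    (n0,) = struct.unpack(fmt + "H", tiff[ifd0:ifd0 + 2])
    ptr = ifd0 + 2 + 12 * n0
    (ifd1,) = struct.unpack(fmt + "I", tiff[ptr:ptr + 4])
    if ifd1 == 0:
        return None
    (n1,) = struct.unpack(fmt + "H", tiff[ifd1:ifd1 + 2])
    offset = length = None
    for i in range(n1):
        e = ifd1 + 2 + 12 * i
        tag, _type, _count, value = struct.unpack(fmt + "HHII", tiff[e:e + 12])
        if tag == TAG_THUMB_OFFSET:
            offset = value
        elif tag == TAG_THUMB_LENGTH:
            length = value
    if offset is None or length is None:
        return None
    if offset + length > len(tiff):
        raise ValueError("thumbnail pointer runs past the Exif segment")
    return tiff[offset:offset + length]


def find_exif_thumbnail(jpeg):
    """Return the embedded Exif thumbnail, or None if the file carries none."""
    for marker, payload, _s, _e in _segments(jpeg)[0]:
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return _thumbnail_from_tiff(payload[len(EXIF_HEADER):])
    return None


def strip_exif(jpeg):
    """Drop every APP1 Exif segment (thumbnail included); every other byte is kept."""
    segs, tail = _segments(jpeg)
    out = bytearray(SOI)
    for marker, payload, start, end in segs:
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            continue
        out += jpeg[start:end]
    out += jpeg[tail:]
    return bytes(out)


def build_sample_jpeg(thumbnail=None):
    """Constructed input: SOI, Exif APP1 with IFD0 (+ IFD1 thumbnail), a COM segment, EOI."""
    ifd0 = 8                        # right after the 8-byte TIFF header
    ifd1 = ifd0 + 2 + 12 + 4        # IFD0: one 12-byte entry plus the next-IFD pointer
    thumb_off = ifd1 + 2 + 24 + 4   # IFD1: two entries plus a zero next-IFD pointer
    tiff = b"II" + struct.pack("<HI", 42, ifd0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHIHH", 0x0112, 3, 1, 1, 0)  # Orientation=1
    tiff += struct.pack("<I", ifd1 if thumbnail is not None else 0)
    if thumbnail is not None:
        tiff += struct.pack("<H", 2)
        tiff += struct.pack("<HHII", TAG_THUMB_OFFSET, 4, 1, thumb_off)
        tiff += struct.pack("<HHII", TAG_THUMB_LENGTH, 4, 1, len(thumbnail))
        tiff += struct.pack("<I", 0) + thumbnail
    app1 = EXIF_HEADER + tiff
    exif_seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    note = b"constructed sample, not a decodable image"
    com_seg = b"\xff\xfe" + struct.pack(">H", len(note) + 2) + note
    return SOI + exif_seg + com_seg + EOI


if __name__ == "__main__":
    # The "redacted" main image still ships its original preview: the check catches it.
    redacted = build_sample_jpeg(thumbnail=b"\xff\xd8<unredacted preview>\xff\xd9")
    print("thumbnail present:", find_exif_thumbnail(redacted) is not None)
    print("after strip:", find_exif_thumbnail(strip_exif(redacted)))
```

Dropping the whole APP1 segment is the blunt but safe option: it also removes camera model, timestamp and the rest of the metadata that the post itself reads out of the original photo. A tool that wants to keep those fields has to rewrite IFD0's next-IFD pointer to zero and recompute the segment length instead.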

I wonder if the evil genius behind the old Cat Schwartz's "Boobs Incident" is the same, (r)sneaky one... ;)

Ten Fucking Days

Mozilla can deploy a fix for any security bug reported under responsible disclosure in "Ten Fucking Days", according to Mike Shaver.

RSnake, the recipient of this claim written in black and white on a business card, sounds quite skeptical.
But I can see it happening.

I've seen many security patches which couldn't wait (i.e. the cat was already out of the bag) being developed and reviewed in 3-4 days.
In a famous recent case, even in 2 days.
Counting the QA needed before deploying an automatic update, 10 days is a feasible goal.


There's been some talk, lately, about the "friendly" AJAX worm coded by Benjamin Flesch as a proof of concept both leveraging and patching 3 XSS vulnerabilities he found in WordPress 2.2.x.

Allowing a foreign program to run on your system without a chance to scrutinize its source code is not a great idea (I know, many Microsoft customers could not agree).

I'm very new to WordPress (I started playing with it 3 days ago), and I've heard many nightmarish stories about its security, so I'd really love to patch everything I can before I start my own auditing.

On the other hand, I fully subscribe to .mario's concerns -- w/o code review, no usage -- and it looks like Symantec agrees about this beastie not being harmless, despite its good intentions.

Hence I decided to grab the snail by its tail and force it to spit out its 3 "little secrets".
Here you'll find the patches in a concise and readable form, and you can decide whether or not to apply them manually.
