Why even BOTHER reporting bugs to vendors?
Here it is – the argument for why the VulnDisco path is better than the CERT path; that is, why it’s better to sell people tools that can be used to verify the fix (vendor or DIY) than to only tell the vendor and then rely on the vendor’s quality, honesty and other things vendors typically don’t seem to have.
I say that folks like Adobe should have even MORE interest in things like Immunity Early Access PLUS. I mean really, why should I have to play middle-man between the researcher who wrote the plug-in and the vendor with the bug? Because Adobe and others think they’re above paying a third party for insight into their own product’s quality.
This vulnerability originates from CVE-2006-3459, which was reported by Tavis Ormandy, Google Security Team. Adobe just fixed the AcroForm.api file, but ImageConversion.api still has a vulnerability too.
via Security-Sucks » CVE-2010-0188, APSB10-07 PDF Exploit demonstration.
Posted: February 24th, 2010
at 9:16pm by tan
Tagged with AcroForm.api, Adobe, Canvas, CERT, CVE-2006-3459, Google Security Team, ImageConversion.api, Tavis Ormandy, vulndisco
Categories: Breaking News
Adobe – the Toyota of Your Desktop
Still ROFL over a post I read by Hobbit, I can’t help but paraphrase him when I see yet another Adobe hole, in MULTIPLE products, leading to all sorts of nastiness. Thinking about uninstalling your Adobe products? Don’t hit the brakes! Security-Assessment.com discovered that multiple Adobe products with different Data Services versions are vulnerable to XML External Entity (XXE) and XML injection attacks. XML External Entity injection allows a wide range of XML-based attacks, including local file disclosure, TCP scans and denial of service conditions, which can be achieved by recursive entity injection, attribute blow-up and other types of injection. via Full Disclosure: Multiple Adobe Products – XML External Entity And XML Injection Vulnerabilities.
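A defender’s intake check for the attack classes that advisory names (recursive entity expansion, external entities for file disclosure or TCP probes, attribute blow-up), added here as an example using only Python’s standard expat binding; it is not Security-Assessment.com’s or Adobe’s code, and the sample documents, limits and function names are constructed for illustration.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError, XML_PARAM_ENTITY_PARSING_NEVER

class UnsafeXML(ValueError):
    """Raised when untrusted XML uses a construct this intake never accepts."""

def parse_untrusted(data: bytes, max_attr_bytes: int = 4096) -> int:
    """Refuse-first parse of untrusted XML; returns the element count.

    Policy (hypothetical limits): no DOCTYPE, since internal ("billion laughs"),
    external (file disclosure, TCP probes) and parameter entities all need one;
    plus a cap on total attribute text to blunt attribute blow-up.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)  # defence in depth
    seen = {"elements": 0, "attr_bytes": 0}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not accepted from untrusted input")

    def reject_external_entity(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity {system_id!r} refused")

    def count_element(name, attrs):
        seen["elements"] += 1
        seen["attr_bytes"] += sum(len(v) for v in attrs.values())
        if seen["attr_bytes"] > max_attr_bytes:
            raise UnsafeXML(f"attribute data exceeds {max_attr_bytes} bytes")

    parser.StartDoctypeDeclHandler = reject_doctype      # fires before any entity is declared
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = count_element
    try:
        parser.Parse(data, True)
    except ExpatError as exc:  # malformed input is rejected the same way
        raise UnsafeXML(f"malformed XML: {exc}") from None
    return seen["elements"]

def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return True
    return False

# Constructed samples: one benign message and three abusive ones.
BENIGN = b'<amf><body><msg id="1">hello</msg></body></amf>'
XXE = b'<!DOCTYPE x [<!ENTITY f SYSTEM "file:///tmp/example">]><x>&f;</x>'
LAUGHS = (b'<!DOCTYPE lol [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">'
          b'<!ENTITY c "&b;&b;&b;&b;">]><lol>&c;</lol>')
BLOWUP = b'<x a="' + b"A" * 5000 + b'"/>'
```

Rejecting the DOCTYPE outright is the simplest policy for data that should never carry a DTD; where a schema legitimately needs one, the entity handlers above still refuse external resolution.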
Posted: February 24th, 2010
at 6:49am by tan
Tagged with Adobe, bug, Flex, XML, XXE
Categories: Breaking News
HNNCast011510
Also on YouTube (for 3GP mobile or 720p true HD users):
PART 1: Lead Stories & News
PART 2: Quickies
HNNCast for the second week of January, 2010
Lead Stories
- Google, Baidu, Rogue Android Warez, Kasumi Sandwich, Mobile Trends
News
- Doh-Link, Tink0de Injects Army, Bouldering the Details, Paki Cyber Cops of the Keystone Type, Philippine Defacements Highlight eVoting Scrutiny, Solo
Quickies
- Hacker News T-Shirts, Lethic Bites the Dust, JiLsi Plea, CyberSitter Another Chinese Target, First Century Mules, Way Big DSS Bill, Suffolk Bank Breach, South Korea Warfare Command Center, 3rd Hurricane Labs CTF, Detroit Defacement, Cons Call, Help Wanted
Stack of Shame
- Count: 132
- Bottom Dweller: ZDI-CAN-177 Hewlett-Packard (High Risk) 1030 days
- Happy Birthday:
(1 yr.) ZDI-CAN-421 v. RealNetworks (Medium Risk) 2009-01-15
(1 yr.) ZDI-CAN-415 v. Microsoft (High Risk) 2009-01-15
Posted: January 16th, 2010
at 1:21pm by tan
Tagged with "South Korea", 09Droid, 0day, 26C3, 3rd Hurricane Labs, A5/1, A5/3, Adi Shamir, Adobe, Android, Android Marketplace, Baidu, Blackberry, botnet, Boulder Police Department, Boulder Rabbinic Council, breach, Brian Krebs, CAPTCHA, China, China Eagle and the Green Army Corps, cipher, City Bank of Texas, City of Detroit, Commission on Elections, Commission on Information and Communications Technology, CTF, cyber warfare command center, CYBERsitter, D-Link, DarkMarket, defacement, Defcon, DI-524, DIR628, DIR655, Dish Network TV, DLL injection, Dow Chemical, encryption, FBI, FireTalks, First Sentry Bank, FrontPage, Gary McKinnon, Google, Green Dam Youth Escort, gsm, Hack In The Box, HITB, HNN, Home Network Administration Protocol, Hydraq, Internet Explorer, iPhone, Iranian Cyber Army, JiLsi, Juniper, Kasumi, LDAP injection, Lethic, malware, malware obfuscation, Mega-D, Ministry of Defense and Foreign Affairs, Money Mule, National Bureau of Investigation, No Drama Badge, Northrop Grumman, Nullcon, PAKbugs, Pakistani National Response Center for Cyber Crimes, Palm OS, PDF, Philippines, POC, porn dialer, Pre, President Arroyo, RackSpace, Renukanth Subramaniam, Rick Rolling, Robert Ward, Royal Bank of Canada, RSA, Saddam Hussein, sandwich attack, ShmooCon, Security B-Sides, SMS, Solo, SourceSec Security, South by SouthWest, sql injection, suffolk county national bank, Symantec, synagogues, targeted attacks, the Hacker Union of China, The-DSS-Guy, TinK0de, Trojan, Twitter, US Army, uStream, Yahoo