Robert Hensing's Blog

Software Security . . . and stuff.

Today's Fail Open Goat Award goes to - Microsoft


Sometimes . . . we fail (shocking - I know, but bear with me please). :)

So a security researcher who goes by the name Liu Die Yu seems to have unraveled the mystery of the recent Apple Safari "carpet bomb" fail that we released an advisory on: how it can be used to run arbitrary code when combined with another, "undisclosed" vulnerability, one that was apparently reported in 2006 by Aviv.

You can read all the gory details here: http://www.pcworld.com/businesscenter/article/146946/safari_carpet_bomb_attack_code_released.html

Sucks . . . securing the planet is like . . . hard and stuff.

Comments
  • Can you please use the "hacked web site creates shortcut that looks like a bona-fide file" portion of this as reason to make Explorer's default be to show all extensions on all files, please?

    I know there's a more significant and automatic hole here, in the DLL behaviour that Liu Die Yu points out, but I figure you guys are already taking care of that - the behaviour of hiding extensions is also confusing to the user, with the consequence that they run executables, believing them to be text files, etc.
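The point the comment raises, that a hidden extension lets "report.txt.exe" or a shortcut masquerade as a document, is easy to check on your own machine. The following PowerShell script is an added example, not code from this blog, from the commenter, or from Microsoft: it reads the Explorer setting that controls extension hiding and lists files on the Desktop whose displayed name would look like a harmless document while the real extension is executable. The extension lists and the Desktop-only scope are assumptions chosen for illustration.

```powershell
# Added example (not from the blog or the comment). Reports the Explorer
# "Hide extensions for known file types" setting and flags Desktop files whose
# displayed name hides an executable extension behind a document-looking one.
# The extension sets below are illustrative assumptions, not a complete list.

$desktop = [Environment]::GetFolderPath('Desktop')

# HideFileExt = 1 (the default) means Explorer hides known extensions.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
"Explorer hides known extensions: $($hideExt -eq 1)"

# Extensions that execute when double-clicked (assumed set). Note that .lnk is
# hidden by Explorer regardless of HideFileExt, so a shortcut always shows
# only the name its creator chose.
$executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk', '.dll')
# Extensions a user would trust as a plain document or picture (assumed set).
$lookalike  = @('.txt', '.doc', '.docx', '.pdf', '.jpg', '.png', '.zip')

Get-ChildItem -Path $desktop -File -Force | ForEach-Object {
    $real  = $_.Extension.ToLower()
    # What Explorer displays when the real (known) extension is hidden.
    $shown = [IO.Path]::GetFileNameWithoutExtension($_.Name)
    # The extension the user will believe the file has.
    $inner = [IO.Path]::GetExtension($shown).ToLower()
    if ($executable -contains $real -and $lookalike -contains $inner) {
        [PSCustomObject]@{
            Displayed = $shown
            Actual    = $_.Name
            Risk      = "appears as $inner, runs as $real"
        }
    }
}

# To make Explorer always show extensions (what the commenter asks for), set the
# value to 0 and restart Explorer or log off. Left commented so the script only reads.
# Set-ItemProperty -Path $adv -Name HideFileExt -Value 0
```

Run it as the user whose Desktop you care about; the registry value lives under HKCU, so a per-user result is the meaningful one. Files that Explorer would show as "report.txt" but that are really "report.txt.exe" appear in the output with both names side by side.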
