Robert Hensing's Blog

Software Security . . . and stuff.

August, 2008

  • RedHat Package Signing Server - Pwnd

    EDIT : Holy crap: http://rhn.redhat.com/errata/RHSA-2008-0855.html "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and...
  • The truth about the Dowd / Sotirov Vista memory protection bypass stuff

    Good short interview with Sotirov who clarifies what actually happened at Blackhat for some folks: http://blogs.zdnet.com/Bott/?p=513 He mentions some interesting stuff - like how they worked with us, we gave them feedback, worked with the other vendors...
  • Happy Patch Tuesday - Random thoughts

    The SnapShot Viewer 0-day that has seen limited exploitation in the wild is now patched - here's an interesting write-up with some things you may not have known about it. Here's the deal - IE Protected Mode, while not a true defendable security boundary...
  • VMWare Fail Closed Goat Award

    Here's one for the schadenfreude files - VMWare users running ESX 3.5.x Update 2 will be unable to power on their machines today / tomorrow / everafter until a fix is released by VMWare to correct a licensing bug that causes legit copies of the software...
  • OpenID Fail Open Goat Award

    Really interesting that CRL checks aren't baked into a lot of open source OpenID providers: http://www.links.org/files/openid-advisory.txt Sun has already updated their web site with this disclaimer: Security Issues OpenID is an untrusted...
  • We're going for an Olympic Silver(light)

    Sort of an interesting story on how it came to be that Microsoft Silverlight was chosen to broadcast the Olympics via the series of interconnecting tubes: http://news.cnet.com/8301-13860_3-10003752-56.html?tag=nefd.lede I'm guessing Silverlight supports...