Today's Fail Open Goat Award goes to - Microsoft

Sometimes . . . we fail (shocking - I know, but bear with me please). :)

So a security researcher who goes by the name Liu Die Yu seems to have unraveled the mystery of the recent Apple Safari carpet bomb fail that we released an advisory on, and how it can be used to run arbitrary code when combined with another "undisclosed" vulnerability - one that was apparently reported in 2006 by Aviv.

You can read all the gory details here: http://www.pcworld.com/businesscenter/article/146946/safari_carpet_bomb_attack_code_released.html

Sucks . . . securing the planet is like . . . hard and stuff.

Published 10 June 08 05:52 by Robert_Hensing

Comments

# Alun Jones said on June 11, 2008 6:00 PM:

Can you please use the "hacked web site creates shortcut that looks like a bona-fide file" portion of this as reason to make Explorer's default be to show all extensions on all files, please?

I know there's a more significant and automatic hole here, in the Dll behaviour that Liu Die Yu points out, but I figure you guys are already taking care of that - the behaviour of hiding extensions is also confusing to the user, with the consequence that they run executables, believing them to be text files, etc.
