Security Now 225

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 225

Security Now 225: Same Origin Troubles

News & Errata

13:11 - 15:38

  • Safari has been updated to fix multiple critical vulnerabilities:
    • An integer overflow error caused by improper handling of images, containing an embedded color profile.
    • Safari can be made to crash while parsing specially crafted XML content.
    • An error in Safari's handling of navigation which could cause a specially crafted HTML file to load a local file and lead to information disclosure, ** They've discovered that the way cross origin resource sharing was implemented in WebKit could result in cross-site request forgeries
    • The way WebKit handles FTP directory listings could lead to arbitrary code execution, information disclosure, or at least application termination.

15:39 - 18:10

  • Internet Explorer 6 & 7 have a 0 day remote code execution vulnerability

18:11 - 21:36

  • An update issued by Microsoft in November tweaked some access control lists and this has caused a 'black screen of death' for some users
  • It is now thought that this was not caused by a Microsoft patch but malware

21:37 - 25:42

  • A pub in the UK that was offering free Wifi was fined $13,000 as someone downloaded copyrighted material using the open wifi
  • There's pending legislation in the U.K. which they call the Digital Economy Bill, which would provide protection because the business would be classified as a public communications service provider, which would make it exempt from litigation.

25:43 - 27:10

  • The ZeuS Zbot trojan is now spreading very successfully by drive-by downloads.
  • Email spam pretending to be an IRS refund letter is downloading the trojan if recipients click on the link in the email, without any additional user interaction.

Spinrite Story

38:25 - 41:45 Mark Schoonover (Unknown)

A Spinrite customer was away from home and needed Spinrite to fix a drive. He emailed Steve to see if he could provide him with details on how to download the software. He did so and the customer was able to download Spinrite and fix the drive.

Same Origin Troubles

44:00 - 01:20:40

  • Wikipedia Defines the 'Same Origin Policy' as: the same origin policy is an important security concept for a number of browser-side programming languages such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.
  • For example you visit a website and part of the page is retrived from the server you visit and then to complete the rest of the page the browser goes to another server to get the rest of the content. Like when ads are retrived from Google to be displayed on a page alongside other content.
  • It's crucial that the various components that are coming from different origins not be able to touch each other
  • Otherwise there's possibility for something malicious in one of these things sourced from one origin to reach in and modif content in a different origin.
  • Anytime a web server is accepting stuff from users, it is truly crucial and really unappreciated that it must then serve that back from an entirely different domain.
  • Microsoft's Law No. 4 of Internet security says, if you allow a bad guy to upload programs to your website, it's not your website anymore.

Sponsors

Ford Sync

Go To Meeting

Audible

Picks

Audibledotcom.png
Mona Lisa Overdrive by William Gibson (UNABRIDGED)
Narrated by Jonathan Davis

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.