Security Now 221
Guest: John Graham-Cumming
Recorded: November 3, 2009
Published: November 5, 2009
News & Errata
06:40 - 18:00
- Firefox had an update last week which fixed:
- A problem where a user's form history could be stolen
- A crash with recursive web-worker calls
- A crash in Proxy Auto-configuration regular expression
- A heap buffer overflow in the GIF color image map parser
- A Chrome privilege escalation bug
- A heap buffer overflow in string-to-number conversion
- A cross-origin data theft problem through document.getSelection()
- A download filename spoofing problem using the RTL override character
- Memory safety bugs
- Crashes with evidence of memory corruption
- Firefox 3 will no longer be supported after January 2010
18:01 - 18:25
- Opera has been updated to version 10.01
18:26 - 22:43
- Scientists from Wake Forest University and the Pacific Northwest National Laboratory have created an army of digital ants and their superior officers, digital sergeants and sentinels, to search out viruses, worms and other malware.
25:15 - 27:50
- Adobe updater installed a demo of 'Natural Reader' on Steve's computer without asking and with no apparent way of removing it
27:51 - 28:58 Martin (Unknown)
A listener's print server started acting funny and, after rebooting it, it wouldn't boot into Windows. He ran SpinRite on it and it fixed the problem.
30:00 - 01:18:20
30:00 - 43:53
- John gave his talk at the Virus Bulletin Conference in Geneva in September 2009
35:20 - 43:54
- At that time there were two big concerns:
- There was a worry that a malicious website might attack your computer.
- There was also a concern that one website could interact with another
- John thinks the second concern is the most important one today
- When a website gets pieces of code from lots of different websites, it puts them all together; they can interact with each other, call each other's functions and look at each other's variables
- So if you were able to compromise one of the scripts you could take over the whole website
- If a script has been compromised and you are loading the website over HTTPS:
- In Internet Explorer you are asked if you want to continue
- In Firefox and Safari the page will not load
43:55 - 47:00
- So nobody should have been able to get it
- Now it had no name, so you couldn't in the language go and poke at it and say give me the list.
- So it looked like it was safe to do this.
- In an object-oriented system, you have something which says I'm making a new object, and at that point sets up memory and things like that.
- And you can go into this prototype thing and actually redefine things which to many people they would think are inherently not changeable.
- And one of the things you could redefine was what we call the "setter," which is the thing that actually sets the values that go into this object.
- And what it was possible to do, if you redefined the setter for the global object, then when this Twitter status thing got loaded, even though it had no name and was essentially anonymous, it had to get constructed and set.
- And in that moment you could grab its contents.
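The setter mechanism John describes above, together with the defence that sites adopted against it, as an added example that is not from the episode or from John's talk. The property name demoLeak, the sample statuses and the helper function names are constructed for this demo; the `)]}'` prefix is the one Google's JSON endpoints really emit. The first part shows that an inherited setter still fires for an ordinary assignment but, in ES5 and later engines, not for an object literal or for JSON.parse, which is what closed the hole for anonymous JSON objects; the second part shows why a bare JSON array could be loaded by a script tag from another origin at all, and how an unparseable prefix stops that while a same-origin client simply strips it.

```javascript
// Added example (not from the episode or John's talk). Property and sample
// values below are constructed for the demo.

// Part 1: an inherited setter intercepts ordinary assignments, but in ES5+
// engines neither object literals nor JSON.parse go through inherited setters.
function inheritedSetterBehaviour() {
  const seen = [];
  Object.defineProperty(Object.prototype, 'demoLeak', {   // 'demoLeak' is a constructed name
    set(v) { seen.push(v); },
    configurable: true,
  });
  try {
    const o = {};
    o.demoLeak = 'assigned';                              // [[Set]] walks the prototype chain: setter runs
    const lit = { demoLeak: 'literal' };                  // literal uses [[DefineOwnProperty]]: setter does not run
    const parsed = JSON.parse('{"demoLeak":"parsed"}');   // JSON.parse defines own properties as well
    return {
      seen,
      literalIsOwn: Object.prototype.hasOwnProperty.call(lit, 'demoLeak'),
      parsedIsOwn: Object.prototype.hasOwnProperty.call(parsed, 'demoLeak'),
    };
  } finally {
    delete Object.prototype.demoLeak;                     // always undo the prototype change
  }
}

// Part 2: a bare JSON array is a syntactically valid script, so a <script src>
// tag on any origin could load it. Prefixing the body with something that does
// not parse breaks that; a same-origin client that knows the prefix strips it.
const UNPARSEABLE_PREFIX = ")]}'\n";   // prefix used by Google's JSON endpoints

// Would this response body parse as a script? (new Function only parses here,
// it is never called.)
function isLoadableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: frame the JSON so it cannot be consumed as a script.
function serveJson(data) {
  return UNPARSEABLE_PREFIX + JSON.stringify(data);
}

// Same-origin client side: insist on the framing, then strip it.
function readJson(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error('response is not framed with the expected prefix');
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// Constructed stand-in for a "statuses" response like the one discussed.
const SAMPLE_STATUSES = [{ id: 1, text: 'hello' }, { id: 2, text: 'world' }];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(inheritedSetterBehaviour());
  console.log('bare JSON loadable as script:', isLoadableAsScript(JSON.stringify(SAMPLE_STATUSES)));
  console.log('prefixed JSON loadable as script:', isLoadableAsScript(serveJson(SAMPLE_STATUSES)));
  console.log('client reads back:', readJson(serveJson(SAMPLE_STATUSES)));
}
```

The prefix only helps because a script tag cannot strip it before the engine parses the body, whereas XMLHttpRequest on the same origin can. The other half of the fix is the one the first function shows: current engines define literal and parsed properties directly rather than routing them through inherited setters, so the redefinition trick no longer sees anonymous JSON values.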
47:01 - 52:40
52:41 - 01:05:34
- Back in the Netscape 3.0 days there was talk about signing JavaScript scripts, but it hasn't gone anywhere
01:05:35 - 01:18:20
- Steve and John recommend using NoScript in Firefox
Go To Assist
- Ad Time: 00:48-01:02 and 03:01-05:12
- Ad Time: 00:35-00:46 and 22:41-25:04
- Ad Time: 01:03-01:12 and 01:05:35-01:08:26
More Information Than You Require by John Hodgman (Unabridged)
Narrated by John Hodgman, Dick Cavett, Jonathan Coulton, Zach Galifianakis, Ricky Gervais, Ira Glass, Robin Goldwasser, Rachel Maddow
- Edited by: Tony