Evan Martin (evan) wrote in evan_tech,

security continues to be hard

I hang out with a guy who knows tons about security and he occasionally forwards me interesting stuff:

1) Apparently the Windows .ani bugs weren't completely fixed, and even manage to evade all the protections built into Vista. I feel sorta bad for whoever screwed this up because I'm sure they're getting plenty of criticism already, but it's pretty surprising to me that the entire module wasn't reviewed when the last exploit came out. Maybe it's naive of me (maybe there's a lot of code to review?) but you'd think you could at least check all values that come in from an external file to be sure they're the size you expect.
(The Metasploit blog goes into detail on how this can exploit Vista.)

2) Heap Feng Shui in JavaScript. I haven't read it all yet but it's pretty incredible to see the range of knowledge used here: from JavaScript to IE garbage collection to OLE memory management all the way down to the C++/assembly-fu I previously thought were the entire domain of security. Just thinking about this tiny snippet gives me the heebie-jeebies in its level-crossing: var nop = unescape("%u9090%u9090");

Every time I ask security people about the state of the world, they tell me it's getting worse and that the only answer is to not use a computer. :(
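
The size check from item 1, as an added example that is not part of the original post and not Windows code: a walker for RIFF-style length-prefixed chunks (the container layout .ani files use) that refuses any fixed-size header chunk whose declared length differs from the destination struct, at every occurrence of the tag. The tag `hdr `, the 36-byte header size and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_SIZE 36u  /* assumed fixed size of the struct the parser fills */
typedef struct { uint8_t raw[HDR_SIZE]; } fixed_header;

/* Little-endian 32-bit read, independent of host alignment and endianness. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk chunks laid out as: 4-byte tag, 4-byte LE size, payload, pad to even.
 * Every chunk tagged `tag` is copied into *out only after its declared size
 * is checked. Returns the number of header chunks accepted, -1 if malformed. */
int parse_chunks(const uint8_t *buf, size_t len, const char *tag, fixed_header *out) {
    size_t off = 0;
    int accepted = 0;
    while (off < len) {
        if (len - off < 8) return -1;            /* truncated chunk header */
        uint32_t size = rd_le32(buf + off + 4);
        size_t avail = len - off - 8;
        if (size > avail) return -1;             /* size runs past the file */
        if (memcmp(buf + off, tag, 4) == 0) {
            if (size != HDR_SIZE) return -1;     /* must fit destination exactly */
            memcpy(out->raw, buf + off + 8, HDR_SIZE);
            accepted++;
        }
        size_t adv = (size_t)size + (size & 1);  /* chunks are padded to even */
        if (adv > avail) adv = avail;            /* last chunk may lack the pad */
        off += 8 + adv;
    }
    return accepted;
}

/* Constructed sample: a 2-byte "junk" chunk, then a "hdr " chunk whose size
 * field is `declared`; returns what parse_chunks() says about that file. */
int check_sample(uint32_t declared) {
    uint8_t f[8 + 2 + 8 + 64] = { 'j','u','n','k', 2,0,0,0, 0xAA,0xBB,
                                  'h','d','r',' ' };
    fixed_header h;
    f[14] = (uint8_t)declared;         f[15] = (uint8_t)(declared >> 8);
    f[16] = (uint8_t)(declared >> 16); f[17] = (uint8_t)(declared >> 24);
    size_t payload = declared <= 64 ? declared : 64;
    return parse_chunks(f, 18 + payload, "hdr ", &h);
}
```

The case worth noticing is a declared size of 40: the bytes really are present in the file, so a bounds check against the file alone passes, and only the comparison against the destination size rejects it.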
