I didn’t worry too much about the update process. I know it can take some companies months or even years to release new patches for vulnerabilities in their products, which most of the time is completely unreasonable. Then, a little more than two weeks later, I received an email from that same Ipswitch representative informing me that a new release of WS_FTP was available and the date in the Help->About window should say Sept 18th (10 days after we discussed the vulnerability). What an excellent example of how vendors should handle security issues within their products.

Fast response, efficient security policy, good business. Thanks Ipswitch!

-

Expose the security holes in your products during development. Black Box Testing makes it safer!

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit
linux@ubuntu:~/2009-proto_ops$

A reliable local root exploit for that affects all linux kernels 2.x. Feels like 2003 all over again :X

-

Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!

-

Expose the security holes in your products during development. Black Box Testing makes it safer!

You can check it out here.

Now we have something to keep us busy while the net neutrality debates are going on…

-

Let the experts make sure your website is safe. Vulnerability Assessment is the answer.

From the looks of it, T-Mobile has been hacked and the goods stolen.

They also seem to love running HP-UX.

-

Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!

An exploit for the denial-of-service-considered remote SCTP vulnerability in the linux kernel has been released.

http://sgrakkyu.antifork.org/sctp_houdini.c

The exploit contains multiple targets and covers 32/64 bits architectures… play time started this morning =X

-

Is your site safe from SQL Injection? Website Security Audit is the way to protect your network!

We have received your request to join the puitika
group hosted by Yahoo! Groups, a free, easy-to-use community service.

This request will expire in 7 days.

TO BECOME A MEMBER OF THE GROUP:

1) Go to the Yahoo! Groups site by clicking on this link:
http://groups.yahoo.com/i?i=oyhn042ed3ckqjsszqpggnyd5xxe0l1b&e=0xjbrown41%40gmail%2Ecom

(If clicking doesn’t work, “Cut” and “Paste” the line above into your
Web browser’s address bar.)

-OR-

2) REPLY to this email by clicking “Reply” and then “Send”
in your email program

If you did not request, or do not want, a membership in the
puitika group, please accept our apologies
and ignore this message.

Regards,

Yahoo! Groups Customer Care

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

-

Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!

0day exploits for Internet Explorer, Firefox, and Safari were used to own machines at the Pwn2Own contest @ CanSecWest 2009. Is now the time for someone to port Windows 3.1 to MIPS and install a good telnet client? Roffles.

Credit www.dailygalaxy.com for the fierce FF/IE photo

-

Let the experts make sure your website is safe. Vulnerability Assessment is the answer.

Getting real money for computer security research is making its way from early development and ideas to mainstream, and bug hunters probably have mixed feelings, like teenagers. Its an interesting concept that might actually work. What will become of the vulnerability market when something like this becomes popular?

Either way, these guys are basically saying no more freeloading, Mr. Vendor.

-

Is your site safe from SQL Injection? Website Security Audit is the way to protect your network!

uCon Security Conference 2009 materials have been released!

-

Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!

According to this thread, DJBDNS’s security has officially been broken. A patch is available and the reward for the bug by Mr. Bernstein will be awarded to Matthew Dempsky. Quoting from the thread:

“If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.

—D. J. Bernstein

Research Professor, Computer Science, University of Illinois at Chicago”

I still believe Georgi Guninski’s bug was enough for a reward, but oh well. I wonder what the “new security guarentee” will be, anyway.

-

Expose the security holes in your products during development. Black Box Testing makes it safer!

Emails from seemingly no where and from no one trustworthy.. haha
“Dear Hacker,

Manish from this side, i have a good hacking project on linux machine, configuration are below: please considue and if u are able to hack  this system our company can pay whatever u want.  or creat custom exploit that provide reverse shell . this server is online [ip address will be dilivered after project accepted by you] after u hack this system u just provide screen shot of any email header from any user on this server…I am sending you some details that are helpful for you.

Linux 2.6.18, sendmail: 8.13.1, apache 2.0.52, and open webmail 2.52

Suspected open ports:
25, 111(rpc), 443, 1720(SIP), 870(unkwon), 80, 79(finger), 110(pop), 143(imap),
3333(dec-notes), 4444(krb524)

and system is protected by firewall have ttl of system is: 53
Network distance: 10 hops.

Send me mail if u are ready to accept this challenge with project cost and time, so after i send IP address of live server, and money will be dilvered by Wire of paypal or bank transfer, any option that u want.”

-

Make your website safer. Use an external vulnerability scanner. Nothing to install, zero maintenance!

-

Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!

And you thought this day would never come… read more here.

No, this is not a joke

-

Is your site safe from SQL Injection attacks? Use an SQL Injection Scanner on a daily basis to protect your network!

Adobe Acrobat, at least the reader, has been owned. Again. So Surprising.

The good news is that Xpdf probably isn’t vulnerable

-

Expose the security holes in your products during development. Black Box Testing makes it safer!

Kaspersky’s USA website was hacked by SQL injection. Maybe they should hire some virus writers to secure their website, or better yet, a good penetration testing team.

Grab more details about the incident here.

-

Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!