This week in Infosec - 2008-09-15
A snapshot of what’s been talked about in the IT Security realm over the past week.
Attack Vectors/Trends
This weekend I was listening to an episode of hmm… I think it was SecuraBit.
In any event, they spent some time talking about something I have posted about before: GIFAR.
GIFAR is a single file that is both a valid GIF image and a valid Java JAR applet. GIF decoders read from the start of the file and stop at the image trailer, while JAR (ZIP) readers locate the archive from its end, so a JAR appended to a GIF passes image validation untouched and still loads as an applet. Because an applet runs with the origin of the site that serves it, a GIFAR uploaded to a site and then referenced from an attacker's page executes in that site's origin, with the victim's session.
When I first heard of it, I thought it was a neat vector, but didn’t fully consider the threat until I was listening to the podcast.
How many sites let users upload a profile image? Or how many social networking sites allow people to upload images and make galleries?
So, this bug is back on the radar.
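The polyglot described above, as an added example that is not from the original post or from the GIFAR researchers: it builds a constructed 1x1 GIF and a constructed JAR (placeholder contents, no real bytecode), concatenates them, shows that a ZIP reader still sees the JAR entries behind the GIF prefix, and gives the upload-side check a hosting site could run. The function names and the sample entries are this example's own assumptions.

```python
"""GIFAR: one file that is a valid GIF and a valid JAR (ZIP) at the same time.

Added example; not from the original post. The GIF is a constructed 1x1 image,
the JAR contents are constructed placeholders (no real bytecode), and the
function names are this example's own.
"""
import io
import zipfile

# Constructed 1x1 GIF89a: header, logical screen descriptor, graphic control
# extension, image descriptor, minimal LZW data, and the 0x3B trailer.
TINY_GIF = (
    b"GIF89a"
    b"\x01\x00\x01\x00\x00\x00\x00"          # 1x1, no global colour table
    b"!\xf9\x04\x01\x00\x00\x00\x00"          # graphic control extension
    b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02D\x01\x00"                      # LZW min code size + 1 data block
    b";"                                      # trailer: decoders stop here
)

ZIP_EOCD_MAGIC = b"PK\x05\x06"   # end-of-central-directory record
ZIP_LOCAL_MAGIC = b"PK\x03\x04"  # local file header


def build_jar(entries: dict) -> bytes:
    """Build a JAR (a ZIP with a META-INF/MANIFEST.MF) entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_gifar(gif: bytes, jar: bytes) -> bytes:
    """Append the JAR after the GIF trailer.

    Image decoders ignore the extra bytes; ZIP readers find the central
    directory from the end of the file and treat the GIF as leading junk.
    """
    if not gif.startswith((b"GIF87a", b"GIF89a")) or not gif.endswith(b";"):
        raise ValueError("first part must be a complete GIF with its trailer")
    return gif + jar


def jar_names(data: bytes) -> list:
    """Entry names a JAR/ZIP reader sees (works despite the GIF prefix)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def looks_like_gif_zip_polyglot(data: bytes) -> bool:
    """Upload-side check: a GIF that also carries a ZIP central directory.

    The EOCD record is 22 bytes plus an optional comment of at most 65535
    bytes, so in a real archive it sits inside the last 65557 bytes.
    """
    if not data.startswith((b"GIF87a", b"GIF89a")):
        return False
    tail = data[-(22 + 65535):]
    return ZIP_EOCD_MAGIC in tail and ZIP_LOCAL_MAGIC in data


if __name__ == "__main__":
    jar = build_jar({"Evil.class": b"placeholder, not real bytecode"})
    gifar = build_gifar(TINY_GIF, jar)
    print("GIF magic intact:", gifar[:6])
    print("JAR entries seen by zipfile:", jar_names(gifar))
    print("polyglot detected:", looks_like_gif_zip_polyglot(gifar))
    print("plain GIF flagged:", looks_like_gif_zip_polyglot(TINY_GIF))
```

The trailing-signature scan catches this particular polyglot, but a hosting site that accepts user images should not rely on magic-number or signature checks alone: decoding the upload and re-encoding the pixels server-side drops any appended archive regardless of which container format the attacker paired with the image.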
News and Analysis
Microsoft, Apple, and age old bugs
This week @RISK listed a series of Microsoft image processing buffer overflows.
Buffer overflows. Yep, you heard it right.
Microsoft still doesn’t get it. Boundary checking is to a software developer what firewalls are to a network admin.
Shame on you, Microsoft.
The part that really gets my goat on this is that these are being discovered by researchers. Not by Microsoft. Static analysis tools will flag a copy or array write whose length comes from untrusted input (an image header field, for instance) without a bounds check against the destination buffer.
This means that not only have Microsoft’s developers not gotten the clue, but also that Microsoft isn’t even doing the due diligence to do automated validation.
Fail.
Now, to be fair, there are several similar bugs this week in Apple products, including both host OS and iPhone.
But Apple is not enterprise ready, and it should not be used in the enterprise, and if it is, you get what you get.
Microsoft, on the other hand, explicitly bills themselves as the enterprise product. I expect more.
Google Chrome
I wrote a little about Chrome in last week’s This Week in Infosec.
Many more bugs have been discovered.
This is odd coming from Google, which traditionally has pretty tight code.
Either they were rushing to market, or hoping that the community would debug for them.
Either way, they lost credibility with me. Yes, it’s still beta software, but some of these bugs are pretty basic stuff, like buffer overflows, which are insanely easy to find in the code.