[FoRK] The Year That Security Collapses Completely

Gregory Alan Bolcer greg at bolcer.org
Tue Jan 12 13:02:53 PST 2016

I was going to write an update, but there is too much.
Let me sum up:  Humperdink is about to marry the princess and we have

On Tue, Jan 12, 2016 at 11:57 AM, Joseph S. Barrera III <joe at barrera.org>

> Greg, you have predicted something like the subject line (I forget your
> exact phrasing), but I don't think it exists. Security will just get worse
> monotonically every year, forever. Like the boot stomping on the face in
> 1984.
> http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/
> https://code.google.com/p/google-security-research/issues/detail?id=693
> Excerpt:
> I spent a few minutes trying to understand how the SB shell worked,
> and then realized they were just hiding the global objects. I sent
> this annoyed follow up:
> This thing is ridiculous, wtf is this:
> https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require(
> "child_process").spawnSync("calc.exe"))
> You were just hiding the global objects and invoking a browser
> shell...? ...and then calling it "Secure Browser"?!? The fact that you
> also run an old version with --disable-sandbox just adds insult to
> injury.
> I don't even know what to say - how could you enable this thing *by
> default* on all your customer machines without getting an audit from a
> competent security consultant?
> You need to come up with a plan for fixing this right now. Frankly, it
> also looks like you're exposing all the stored passwords to the
> internet, but let's worry about that screw up after you get the remote
> code execution under control.
> Please confirm you understand this report.
> _______________________________________________
> FoRK mailing list
> http://xent.com/mailman/listinfo/fork

greg at bolcer.org, http://bolcer.org, c: +1.714.928.5476
