[FoRK] The Year That Security Collapses Completely

Gregory Alan Bolcer greg at bolcer.org
Tue Jan 12 13:02:53 PST 2016


I was going to write an update, but there is too much.
Let me sum up:  Humperdink is about to marry the princess and we have
0-days.

On Tue, Jan 12, 2016 at 11:57 AM, Joseph S. Barrera III <joe at barrera.org>
wrote:

> Greg, you have predicted something like the subject line (I forget your
> exact phrasing), but I don't think it exists. Security will just get worse
> monotonically every year, forever. Like the boot stomping on the face in
> 1984.
>
>
> http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/
>
> https://code.google.com/p/google-security-research/issues/detail?id=693
>
> Excerpt:
>
> I spent a few minutes trying to understand how the SB shell worked,
> and then realized they were just hiding the global objects. I sent
> this annoyed follow up:
>
> This thing is ridiculous, wtf is this:
> https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require(
> "child_process").spawnSync("calc.exe"))
>
> You were just hiding the global objects and invoking a browser
> shell...? ...and then calling it "Secure Browser"?!? The fact that you
> also run an old version with --disable-sandbox just adds insult to
> injury.
>
> I don't even know what to say - how could you enable this thing *by
> default* on all your customer machines without getting an audit from a
> competent security consultant?
>
> You need to come up with a plan for fixing this right now. Frankly, it
> also looks like you're exposing all the stored passwords to the
> internet, but let's worry about that screw up after you get the remote
> code execution under control.
>
> Please confirm you understand this report.
> _______________________________________________
> FoRK mailing list
> http://xent.com/mailman/listinfo/fork
>



-- 
greg at bolcer.org, http://bolcer.org, c: +1.714.928.5476
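The quoted report works because the `showSB?url=` handler accepts a `javascript:` URL and evaluates it where Node's `require` is reachable. As an added example that is not part of the original email or the Trend Micro product, here is the kind of scheme allow-list check a defender would put in front of such a parameter; the `isSafeBrowserUrl` name and the sample inputs are my own constructions.

```javascript
// Added example (not from the original email or the product it discusses):
// validate a browser-URL parameter with a scheme allow-list so that
// javascript:, data:, file: and similar schemes never reach a shell that
// would evaluate them. Only the scheme is decided here; the caller still
// applies whatever host policy it needs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isSafeBrowserUrl(raw) {
  if (typeof raw !== 'string') return false;
  // Mirror what browsers do before reading a scheme: drop leading and
  // trailing C0 controls and spaces, and remove tab/CR/LF anywhere, so
  // " java\tscript:" is recognised as javascript: rather than slipping past.
  const cleaned = raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\r\n]/g, '');
  let parsed;
  try {
    parsed = new URL(cleaned); // WHATWG parser; relative or garbage input throws
  } catch {
    return false;
  }
  // URL.protocol is normalised to lower case, so "JAVASCRIPT:" is caught too.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs covering the shapes a validator must handle.
const SAMPLES = [
  'https://example.com/',
  'http://localhost:49155/api/',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  ' java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
  'file:///C:/Windows/notepad.exe',
  'not a url',
];

// Returns the subset of SAMPLES that pass the check (the first two only).
function acceptedSamples() {
  return SAMPLES.filter(isSafeBrowserUrl);
}

module.exports = { isSafeBrowserUrl, acceptedSamples, SAMPLES };
```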