[FoRK] The Year That Security Collapses Completely

Joseph S. Barrera III joe at barrera.org
Tue Jan 12 13:29:39 PST 2016


> we have 0-days.

Faildate: 21:36-27MAR2003  03:14-19Jan2038
Downlimit: 193013:26:03
:02
:01
:00

On Tue, Jan 12, 2016 at 1:02 PM, Gregory Alan Bolcer <greg at bolcer.org>
wrote:

> I was going to write an update, but there is too much.
> Let me sum up:  Humperdink is about to marry the princess and we have
> 0-days.
>
> On Tue, Jan 12, 2016 at 11:57 AM, Joseph S. Barrera III <joe at barrera.org>
> wrote:
>
> > Greg, you have predicted something like the subject line (I forget your
> > exact phrasing), but I don't think it exists. Security will just get
> > worse monotonically every year, forever. Like the boot stomping on the
> > face in 1984.
> >
> >
> > http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/
> >
> > https://code.google.com/p/google-security-research/issues/detail?id=693
> >
> > Excerpt:
> >
> > I spent a few minutes trying to understand how the SB shell worked,
> > and then realized they were just hiding the global objects. I sent
> > this annoyed follow up:
> >
> > This thing is ridiculous, wtf is this:
> >
> > https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require("child_process").spawnSync("calc.exe"))
> >
> > You were just hiding the global objects and invoking a browser
> > shell...? ...and then calling it "Secure Browser"?!? The fact that you
> > also run an old version with --disable-sandbox just adds insult to
> > injury.
> >
> > I don't even know what to say - how could you enable this thing *by
> > default* on all your customer machines without getting an audit from a
> > competent security consultant?
> >
> > You need to come up with a plan for fixing this right now. Frankly, it
> > also looks like you're exposing all the stored passwords to the
> > internet, but let's worry about that screw up after you get the remote
> > code execution under control.
> >
> > Please confirm you understand this report.
> > _______________________________________________
> > FoRK mailing list
> > http://xent.com/mailman/listinfo/fork
> >
>
>
>
> --
> greg at bolcer.org, http://bolcer.org, c: +1.714.928.5476
>

