[FoRK] The Year That Security Collapses Completely

Gregory Alan Bolcer greg at bolcer.org
Tue Jan 12 13:42:02 PST 2016


Wouldn't that be a maximally negative day?  Sort of like Mondays.

Greg

On Tue, Jan 12, 2016 at 1:29 PM, Joseph S. Barrera III <joe at barrera.org>
wrote:

> > we have 0-days.
>
> Faildate: 21:36-27MAR2003  03:14-19Jan2038
> Downlimit: 193013:26:03
> :02
> :01
> :00
>
> On Tue, Jan 12, 2016 at 1:02 PM, Gregory Alan Bolcer <greg at bolcer.org>
> wrote:
>
> > I was going to write an update, but there is too much.
> > Let me sum up:  Humperdink is about to marry the princess and we have
> > 0-days.
> >
> > On Tue, Jan 12, 2016 at 11:57 AM, Joseph S. Barrera III <joe at barrera.org>
> > wrote:
> >
> > > Greg, you have predicted something like the subject line (I forget your
> > > exact phrasing), but I don't think it exists. Security will just get
> > > worse monotonically every year, forever. Like the boot stomping on the
> > > face in 1984.
> > >
> > >
> > > http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/
> > >
> > > https://code.google.com/p/google-security-research/issues/detail?id=693
> > >
> > > Excerpt:
> > >
> > > I spent a few minutes trying to understand how the SB shell worked,
> > > and then realized they were just hiding the global objects. I sent
> > > this annoyed follow up:
> > >
> > > This thing is ridiculous, wtf is this:
> > >
> > > https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require("child_process").spawnSync("calc.exe"))
> > >
> > > You were just hiding the global objects and invoking a browser
> > > shell...? ...and then calling it "Secure Browser"?!? The fact that you
> > > also run an old version with --disable-sandbox just adds insult to
> > > injury.
> > >
> > > I don't even know what to say - how could you enable this thing *by
> > > default* on all your customer machines without getting an audit from a
> > > competent security consultant?
> > >
> > > You need to come up with a plan for fixing this right now. Frankly, it
> > > also looks like you're exposing all the stored passwords to the
> > > internet, but let's worry about that screw up after you get the remote
> > > code execution under control.
> > >
> > > Please confirm you understand this report.
> > > _______________________________________________
> > > FoRK mailing list
> > > http://xent.com/mailman/listinfo/fork
> > >



-- 
greg at bolcer.org, http://bolcer.org, c: +1.714.928.5476
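Not part of the thread: the following is an added JavaScript model of the bug class in the quoted report, written for this page and not taken from Trend Micro's product or from the bug report. It assumes a hypothetical endpoint handler (showSBVulnerable, showSBNaiveFix, showSBHardened), a stand-in for a Node-enabled top window (makeNodeWindow) and a toy navigate() that evaluates javascript: URLs the way an embedded browser would; the only thing taken from the page is the payload URL. It shows why hiding require from the page scope is not a sandbox when the top window is still reachable, why a string denylist on "javascript:" is bypassable, and what a scheme allowlist applied before the URL reaches the browser looks like.

```javascript
// Added example (not from the page, Trend Micro, or the bug report): a model of
// passing an unchecked url= parameter into an embedded, Node-enabled browser.
// All names below are hypothetical; the payload is the one quoted in the report.

// Hypothetical top-level window with Node integration on: require() hangs off
// it. The child_process stand-in only records what an exploit would have
// spawned, so the example runs safely.
function makeNodeWindow(log) {
  return {
    require(mod) {
      if (mod === "child_process") {
        return {
          spawnSync(cmd) {
            log.push(`spawned ${cmd}`);
            return { status: 0 };
          },
        };
      }
      throw new Error(`module not modelled: ${mod}`);
    },
  };
}

// Minimal model of a browser's navigation: http(s) loads the page, and a
// javascript: URL evaluates its script in whatever page scope it is given.
function navigate(url, pageScope, log) {
  const parsed = new URL(url); // same WHATWG rules a browser applies
  if (parsed.protocol === "javascript:") {
    const body = decodeURIComponent(url.slice(url.indexOf(":") + 1));
    const run = new Function("topWindow", "require", "alert", body);
    run(pageScope.topWindow, pageScope.require, () => {});
    return "script-executed";
  }
  log.push(`loaded ${parsed.href}`);
  return "loaded";
}

// The pattern the report describes: require is "hidden" from the page's own
// scope, but a reference to the top window stays reachable and url= is passed
// straight through.
function showSBVulnerable(url, log) {
  const topWindow = makeNodeWindow(log);
  const pageScope = { require: undefined, topWindow };
  return navigate(url, pageScope, log);
}

// The usual first "fix": a denylist on the raw string. Case, leading
// whitespace and embedded tabs (which the URL parser strips) all get past it.
function naiveDenylistAllows(url) {
  return !url.startsWith("javascript:");
}

function showSBNaiveFix(url, log) {
  if (!naiveDenylistAllows(url)) {
    log.push(`rejected ${url}`);
    return "rejected";
  }
  return showSBVulnerable(url, log);
}

// Hardened check: parse with the browser's own rules, then allowlist the
// scheme. Anything that does not parse is rejected rather than guessed at.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeNavigationTarget(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Hardened handler: reject before the browser ever sees the URL, and give the
// content window no Node objects at all (no topWindow, no require).
function showSBHardened(url, log) {
  if (!isSafeNavigationTarget(url)) {
    log.push(`rejected ${url}`);
    return "rejected";
  }
  return navigate(url, {}, log);
}

// Payload quoted in the report, as it would arrive in the url= parameter.
const REPORT_PAYLOAD =
  'javascript:alert(topWindow.require("child_process").spawnSync("calc.exe"))';

function demo() {
  const out = {};
  for (const [name, handler] of Object.entries({ showSBVulnerable, showSBNaiveFix, showSBHardened })) {
    const log = [];
    out[name] = { result: handler(REPORT_PAYLOAD, log), log };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The test run at the end exercises the three handlers with the quoted payload and the parser-based check with the bypass variants a reviewer would try (mixed case, leading space, embedded tab, file:, a non-URL).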

