Updated to WordPress 2.6.2… seems there’s a big issue with previous versions:
Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin. If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.
Go download now!
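The two weaknesses the notice names both have a defensive counterpart worth seeing in code: a username must never be accepted unless the database can store it byte-for-byte (otherwise two different submitted names can collapse into one stored identity), and a reset password must come from a cryptographic random source rather than a seeded `mt_rand()`. The example below is added here and is not WordPress code; `COLUMN_WIDTH`, `TruncatingUserStore`, `validate_username`, `register` and `generate_reset_password` are constructed names, and the store is a stand-in for a database column that silently truncates over-long values.

```python
"""Defensive checks against silent column truncation and weak reset passwords.

Added example, not WordPress code. The in-memory store and COLUMN_WIDTH are
constructed assumptions standing in for a username column that truncates
over-long values without raising an error.
"""
import secrets
import string

COLUMN_WIDTH = 60  # assumed width of the username column (constructed)
ALLOWED = set(string.ascii_letters + string.digits + "_-.")


class TruncatingUserStore:
    """Simulates a lenient database: values longer than the column are cut, not rejected."""

    def __init__(self):
        self._rows = []  # list of (stored_username, password)

    def insert(self, username, password):
        stored = username[:COLUMN_WIDTH]  # silent truncation, no error raised
        self._rows.append((stored, password))
        return stored  # what the database actually kept

    def find(self, username):
        """Return the first row whose stored name matches, as a lookup by name would."""
        key = username[:COLUMN_WIDTH]
        for stored, password in self._rows:
            if stored == key:
                return stored, password
        return None


def validate_username(username):
    """Accept only names the column can hold exactly: bounded length, no padding, safe charset."""
    if not username or len(username) > COLUMN_WIDTH:
        return False
    if username != username.strip():
        return False
    return all(c in ALLOWED for c in username)


def register(store, username, password):
    """Validate before insert, then confirm the stored value equals what was submitted."""
    if not validate_username(username):
        raise ValueError("username rejected by validation")
    stored = store.insert(username, password)
    if stored != username:
        # Belt-and-braces: even if validation is bypassed, never silently accept a changed name.
        raise RuntimeError("database stored a different username than was submitted")
    return stored


def generate_reset_password(length=12):
    """Reset password from the OS CSPRNG (secrets), not a seedable PRNG like mt_rand()."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo():
    """Show the collapse a truncating store causes and that validation blocks it."""
    store = TruncatingUserStore()
    long_name = "a" * COLUMN_WIDTH          # legitimate user at the maximum width
    longer_name = "a" * (COLUMN_WIDTH + 1)  # constructed: differs only by exceeding the width
    store.insert(long_name, "first")
    collapsed = store.insert(longer_name, "second")  # kept as the same 60 chars
    blocked = False
    try:
        register(store, longer_name, "third")
    except ValueError:
        blocked = True
    return collapsed == long_name, blocked


if __name__ == "__main__":
    print(demo())  # (True, True): truncation collapses the names; validation rejects the over-long one
    print(generate_reset_password())
```

The write-back comparison in `register` is the check that survives even if the database's SQL mode is changed later: a strict mode would raise on the over-long insert, a lenient one truncates, and in both cases the application refuses to treat a name it did not store exactly as registered.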
This week at the Black Hat Security Conference two security researchers will discuss their findings which could completely bring Windows Vista to its knees.
Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. have discovered a technique that can be used to bypass all memory protection safeguards that Microsoft built into Windows Vista. These new methods have been used to get around Vista’s Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other protections by loading malicious content through an active web browser. The researchers were able to load whatever content they wanted into any location they wished on a user’s machine using a variety of scripting languages, such as Java, ActiveX and even .NET objects. This feat was achieved by taking advantage of the way that Internet Explorer (and other browsers) handle active scripting in the Operating System.
While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren’t based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista’s fundamental architecture. According to Dino Dai Zovi, a popular security researcher, “the genius of this is that it’s completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That’s completely game over.”
Speaking yesterday at the Black Hat Security Conference in Las Vegas, Microsoft has now introduced a new group of security related programs that share advanced information with partners about upcoming security threats.
As many in the tech industry know, within hours, and sometimes minutes of monthly security patches being released, exploits are already booming for the security holes fixed by these updates. The Microsoft Active Protections Program (MAPP) will allow security software providers to provide protection to their customers quickly and effectively.
“The introduction of these new programs helps address evolving online threats and provides more practical guidance to assess and manage risk,” said Andrew Cushman, director of security response and outreach at Microsoft. “In the race between exploit and protection, Microsoft is committed to shifting the advantage to the security industry. The Microsoft Active Protections Program gives security software providers the information and resources they need to help better protect customers.”
These are my daily “Good to Know” links for 07/17/08 … please enjoy:
John Wiley Price: "I don't even know what blog means" | Grits for Breakfast
As far as an elected official in 2007 declaring he doesn't know what the word "blog" means – Good God! I don't know where to begin.
'Shawshank' in a Minute | Radar Online
The Shawshank Redemption in one minute… rapped. It's awesome, trust me on this!
S.F. officials locked out of computer network | San Francisco Chronicle
A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday.
Zombie Garden Gnome | Gizmodo
Design Toscano wants you to "expect the extraordinary from your home and garden," and that includes the walking dead. Take this 13-lb. resin undead garden zombie, for example.
Obama bloats Vista by 11MB | The Register
We're very much obliged today to readers Hawkeye and Duncan Lilly for providing evidence that the Beast of Redmond's Vista is not the lean, mean fighting machine it really should be. Check out this "important" update warning for size.
Come back for more links tomorrow!!
These are my daily “Good to Know” links for 04/29/08 … please enjoy:
Microsoft device helps police pluck evidence from cyberscene of crime | Seattle Times
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.
Edge Brownie Pan | Bakers Edge
The serpentine wall shape of the All Edges Brownie Pan conducts heat better than your average baking pan, resulting in more even cooking. The crazy shape also gives each piece two yummy edges, and that's where the concentrated brownie love is!
AMD launches first computer brand | CNBC.com
Advanced Micro Devices Inc on Sunday unveiled its first computer brand, aimed at small and medium-sized businesses, with design and sales help from its major chip customers such as Dell Inc.
Most Amazing Images on the Web | The Top The Best
Just collections of really good photos/macros/art from around the web. They might not all be your cup of tea, but some are quite beautiful.
Pacemaker that stimulates brain fights depression | Vancouver Sun
Two of the largest and longest studies so far show a "brain pacemaker" can effectively treat depression and obsessive-compulsive disorder (OCD), researchers said on Friday.
Come back for more links tomorrow!!