Wednesday, July 23, 2008

My Little Pwnie

The 2nd Annual Pwnie Award Nominations are up.

Some interesting bits:

Pwnie for Best Client-Side Bug Nominees

Safari carpet bomb (CVE-2008-2540)
Discovered by: Laurent Gaffié, Nitesh Dhanjani and Aviv Raff
Nitesh Dhanjani discovered a design error in Safari that allows an attacker to automatically download files to the user's configured download directory (~/Downloads on Leopard, the desktop on previous versions of OS X and Windows). This can be used for a variety of attacks. First, you can litter the user's desktop with files or drop malware onto their desktop, hoping that the user will click and run it. Or you can just let Internet Explorer load a planted DLL automatically. This vulnerability also has the dubious distinction of bringing the term "blended threat" into the security vernacular.


Slirpie
Discovered by: Dan Kaminsky, RSnake, Dan Boneh
Presented at Toorcon 2007, this attack used DNS Rebinding to bypass the Same Origin Policy and build a tunnel into a remote network using only a lured web browser (and its associated grab bag of Web 2.0 technologies like Flash, Java, and JavaScript). This vulnerability can best be described as a design bug in the Web 2.0 and we're all waiting for it to be fixed in Web 2.0 Service Pack 1.
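The standard server-side defence against the DNS rebinding technique described above is to refuse any request whose Host header does not name the service itself: a rebound connection still carries the attacker's hostname in Host, because the browser believes it is talking to that origin. The check below is an added example, not code from the original post or from the Slirpie research; the allow-list, the hostnames and the sample requests are all constructed for illustration.

```python
"""Host-header validation as a DNS-rebinding mitigation.

Hypothetical example code, not part of the original post or the Slirpie work.
ALLOWED_HOSTS and every request below are constructed sample values.
"""

import ipaddress
from typing import Dict, List, Tuple

# Hostnames this service is legitimately reached by (constructed allow-list).
ALLOWED_HOSTS = {"intranet.example.local", "localhost"}


def _normalize_host(host_header: str) -> str:
    """Lower-case the Host value and strip an optional :port.

    Bracketed IPv6 literals ("[::1]:8080") keep their brackets so the caller
    can still recognise them as IP literals.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if host.count(":") == 1:  # plain "name:port"
        host = host.split(":", 1)[0]
    return host


def host_header_ok(headers: Dict[str, str], allowed=ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request's headers.

    Refuses requests with no Host, with an IP-literal Host (a rebinding
    victim never addresses us by our own hostname), or with a Host that is
    not on the allow-list.
    """
    raw = headers.get("Host") or headers.get("host")
    if raw is None:
        return False, "missing Host header"
    host = _normalize_host(raw)
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False, f"IP-literal Host not accepted: {raw}"
    except ValueError:
        pass  # not an IP address; fall through to the allow-list check
    if host not in allowed:
        return False, f"Host not on allow-list (possible DNS rebinding): {raw}"
    return True, "ok"


# Constructed sample requests: two legitimate, three the filter should refuse.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"Host": "intranet.example.local", "User-Agent": "Mozilla/5.0"},
    {"Host": "intranet.example.local:8080", "User-Agent": "Mozilla/5.0"},
    {"Host": "attacker.example.com", "User-Agent": "Mozilla/5.0"},  # rebound origin
    {"Host": "10.0.0.5", "User-Agent": "Mozilla/5.0"},               # IP literal
    {"User-Agent": "Mozilla/5.0"},                                    # no Host at all
]


def triage(requests: List[Dict[str, str]]) -> Tuple[int, int]:
    """Run the check over a batch of requests; return (accepted, rejected)."""
    accepted = rejected = 0
    for req in requests:
        ok, _reason = host_header_ok(req)
        if ok:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        ok, reason = host_header_ok(req)
        print("ACCEPT" if ok else "REJECT", req.get("Host"), "-", reason)
    print("accepted/rejected:", triage(SAMPLE_REQUESTS))
```

The check is cheap enough to sit in front of every request handler on an internal service; in a real deployment the allow-list would be populated from the service's configured hostnames, and rejections are worth logging, since a burst of unknown-Host requests from one client is a useful rebinding indicator.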


Pwnie for Most Epic FAIL Nominees:

Todd Davis, Lifelock CEO for posting his SSN on the web

Todd Davis, CEO of a fraud-prevention company called Lifelock, had publicly posted his Social Security number (457-55-5462) to show his confidence in the services offered by his company. Of course, a clever marketing stunt does not mean that the protection is actually worth anything. As expected, it did not take long for Davis' identity to get stolen: somebody in Texas got $500 from an online payday loan company using Davis' SSN.

Windows Vista for proving that security does not sell

$100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements.
The good thing about the Vista debacle is that no other vendor will care to do such a security push, which means that we'll be able to easily own any piece of software for the foreseeable future.
