Stefan Esser announced earlier this week that he was retiring from email@example.com citing irreconcilable differences with the PHP group on how to respond to security issues within PHP. Of particular interest is that he will be making changes to how he handles security advisories for PHP (emphasis mine): For the ordinary PHP user this means…Read More When Security Collides With Engineering (Responsible Disclosure Redux)
I wasn’t going to join the debate on relative merits of Dave Maynor/Johnny Cache’s disclosure of vulnerabilities in device drivers at Black Hat 2006, but Bruce Schneier’s post calling it Faux Disclosure, has annoyed me enough that I feel obliged to comment now. In particular he says: Full disclosure is the only thing that forces…Read More "Faux" Disclosure
Yesterday, DaveG posted “When OSX Worms Attack” Its some good analysis of the three Apple Worms: Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t…Read More Your Apple-Fu Is Impressive!
Nothing we ever create, especially software, is ever perfect. One of the banes of professional systems administrators is the software update process, and the risk trade-offs it entails. Patch with a bad patch and you can crash a system; fail to patch soon enough, and you may fall to a known attack vector. The mobile…Read More Updating Windows Mobile Phones
Oracle has just released fixes for 82 vulnerabilities. After taking several paragraphs to say “Many experts external to Oracle feel that patches for critical vulnerabilities are too slow in coming from the esteemed database giant, and have criticized the company for its slowness in responding to reports originating with outsiders”, Brian Krebs notes that security…Read More Known unknowns?
Courtesy of IDA Pro developer Ilfak Guilfanov. Details are available via his web log, the existence of which I learned via the seemingly indefatigable Thomas Ptacek of Matasano.Read More WMF Vuln fix
Ben Edelman explains how Sony can use a messaging mechanism already built into the XCP system to inform people who are not yet aware of the “Sony rootkit” they’ve unwittingly installed, and what they can do about it. This is so obviously the right thing to do that I can almost guarantee Sony will not…Read More A great idea whose time has come
“On March 8th, 2005, the Microsoft Security Response Center is planning to release no new security bulletins,” the Redmond, Wash.-based developer said on its Microsoft Security Bulletin Advance Notification Web site Thursday morning. (Via Information Week, via ISN)Read More Congrats, Microsoft
David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC and Canadian privacy law & CIBC. 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.Read More Quick Followups