security

Google Earth

OK, I heard lots and lots of stuff about Google Earth so far. Yesterday, I actually installed it on some not-so-free-OS box and gave it a try. Two things are floating on my mind now:

  1. w00t!
  2. This is the scariest shit one can imagine!

I "browsed" different parts of the world and got more and more fascinated... and scared. For instance, you can see the Statue of Liberty, and if you zoom in enough, you see people walking around on Liberty Island! Nice on the one hand, a major security and privacy problem on the other.

There are loads of interesting ways to use Google Earth, e.g. over at Google Earth Hacks. I'm afraid most of my spare time during the next few days has just crumbled to dust... Now, if they would only port it to Linux, that'd be really nice...

Drupal 4.6.3 / 4.5.5 Fixes Critical Security Issue [Update]

Everyone using Drupal should upgrade ASAP to the new Drupal 4.6.3 (or 4.5.5 if you're running 4.5.x), as a serious security vulnerability has been found in the third-party XML-RPC library Drupal ships with. I sent the security advisory to Full-Disclosure, Bugtraq and the phpsec mailing lists, so hopefully everyone will notice and upgrade.

Note: This is not the same issue as the one which was fixed earlier!

Update: Heise now has more information about the issue.

Drupal security.module

I released a first version of my Drupal security.module yesterday. The module is sort of an intrusion detection system for Drupal sites. It helps the site admin to check and ensure the security of his Drupal installation. Read my original announcement for more details.

The code is in ALPHA stage, so don't expect everything to work yet.

I Adopted bfbtester

As of today, I have adopted the bfbtester Debian package (a tool to perform quick, proactive security checks of binary programs). I have already blogged about bfbtester in the past, and used it recently to find a security-related bug in a setuid package (which is hard to exploit, though).

I have uploaded an updated bfbtester package to unstable a few minutes ago. It should reach your favorite mirror soon.

Exploited Exploits

Someone on the security mailing list Full-Disclosure has posted an interesting warning regarding proof-of-concept exploit code. It seems that multiple published exploits have been replaced with more malicious versions by unknown attackers.

The attackers replaced the shellcode in the demo exploits (which usually opens a root shell) with more malicious versions like 'rm -rf /*'. As such shellcode usually consists of hex-encoded assembler instructions, most people don't have the slightest chance to understand it, and hence cannot verify what it really does. People who want to "just try out whether I'm vulnerable" might end up with a wiped hard drive (or worse).

The lesson (one of them, that is) we should learn here is to never execute any code we don't trust and/or fully understand.

(via Heise)
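A defender-side check in the spirit of that lesson, added here as an example (it is not from the original post, Full-Disclosure or Heise): it pulls the `\xNN` bytes out of a PoC's source text and lists the printable strings and red-flag commands they contain, run over two constructed, non-functional sample sources that differ only in the embedded string.

```python
import re
from typing import Dict, List

# Constructed, non-functional sample "PoC" sources (not real exploit code):
# the bytes before the text are filler, only the embedded string differs.
ORIGINAL_POC = r'''
char shellcode[] =
    "\x90\x90\x2f\x62\x69\x6e\x2f\x73\x68\x00";   /* spawns a shell */
'''
TAMPERED_POC = r'''
char shellcode[] =
    "\x90\x90\x72\x6d\x20\x2d\x72\x66\x20\x2f\x2a\x00";   /* "spawns a shell" */
'''

# Markers whose presence in a payload should stop you before compiling it.
SUSPICIOUS = ["rm -rf", "mkfs", "dd if=", "> /dev/", ">/dev/"]

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_hex_bytes(source: str) -> bytes:
    """Decode every \\xNN escape in the source, in order, into raw bytes.
    Octal escapes and plain characters inside the literal are ignored."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(source))


def printable_strings(data: bytes) -> List[str]:
    """Return runs of 4+ printable ASCII bytes, like the strings(1) tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def triage(source: str) -> Dict[str, List[str]]:
    """Summarise what a PoC's payload visibly contains before anyone runs it."""
    strings = printable_strings(extract_hex_bytes(source))
    haystack = " ".join(strings).lower()
    flags = [marker for marker in SUSPICIOUS if marker in haystack]
    return {"strings": strings, "flags": flags}


if __name__ == "__main__":
    for name, src in (("original", ORIGINAL_POC), ("tampered", TAMPERED_POC)):
        result = triage(src)
        print(f"{name}: strings={result['strings']} flags={result['flags']}")
```

Encoded or self-decoding shellcode shows no readable strings at all, so an empty result is not a clean bill of health; disassembling the bytes, or only ever running the PoC in a disposable VM, remains the real safeguard.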
