So I'm in the speakers lounge and so far today we've had MarkRuss talk at some length about what are and are not considered 'security boundaries' in Windows. For example, user sessions are a security boundary. Virtual Machines are a security boundary. Various 'Defense in Depth' technologies like UAC, IEPM (protected mode), session 0 service isolation, KMCS and PatchGuard are not. It was a great talk as usual. Now I'm watching Roberto Preatoni (WabiSabiLabi - aka 'zero bay') explain to us why he thinks his "security marketplace" is such a great thing . . . next Kaminsky is going to do a talk on DNS which should be highly entertaining - Dan's a great speaker.
Here are some security related things going on today that I find interesting.
- Google vulns including a nasty Gmail one: http://blogs.zdnet.com/security/?p=539
- Apple vulns added to Metasploit (i.e. iPhone modules): http://www.darkreading.com/document.asp?doc_id=134869&f_src=darkreading_section_296 - note that it sounds like H.D. has some 0-days for the iPhone. 🙂
Wow - Apple just released their most recent update for the iPhone fixing 10 CVEs: http://docs.info.apple.com/article.html?artnum=306586 What's interesting about the iPhone is that people don't seem to realize they are carrying OSX running as root in their pocket.
- VMWare vulns announced: http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html (I counted 20 CVE's being announced / fixed in that update - holy crap!).