- Asus Eee PC owned out of the box (hint runs Linux): http://www.risesecurity.org/blog/entry/6/
- Yet another Apple Quicktime 0-day posted 2 days ago: http://seclists.org/fulldisclosure/2008/Feb/0304.html
- The Wii has been pwn3d via a stack smash to run homebrew code – will Nintendo respond? Do they have an easy way to update Wiis?: http://www.engadget.com/2008/02/13/wii-pong-the-twilight-princess-hack-evolves/
- And finally Ars ponders whether or not it’s time to consider PDFs a threat: http://arstechnica.com/news.ars/post/20080212-is-it-time-to-consider-pdf-a-threat.html Gee – ya THINK!?! Hello – have people not seen what’s happened with Office over the last 2 years?
We live in interesting times . . . any code that parses input (be it web form input, binary files, bytes on the wire or the wireless air) is attack surface and exposure . . . the question is – what is the vendor who writes that code doing to make sure it’s secure and hardened and restistant to attack. Do they have a clue about writing secure code? Do they have a formal engineering process in place to find these types of vulnerabilities and fix them before they can be exploited in the wild or posted to full disclosure? Are their vuln counts trending up or down over time?