Today’s Fail Open Goat Award goes to – Microsoft


Sometimes . . . we fail (shocking – I know, but bear with me please). 🙂


So a security researcher who goes by the name Liu Die Yu seems to have unraveled the mystery of the recent Apple Safari carpet bomb fail that we released an advisory on, and how it can be used to achieve the goal of running arbitrary code when combined with another “undisclosed” vulnerability – one that was apparently reported in 2006 by Aviv.


You can read all the gory details here: http://www.pcworld.com/businesscenter/article/146946/safari_carpet_bomb_attack_code_released.html


Sucks . . . securing the planet is like . . . hard and stuff.


Comments (1)

  1. Alun Jones says:

    Can you please use the "hacked web site creates shortcut that looks like a bona-fide file" portion of this as reason to make Explorer’s default be to show all extensions on all files, please?

    I know there’s a more significant and automatic hole here, in the Dll behaviour that Liu Die Yu points out, but I figure you guys are already taking care of that – the behaviour of hiding extensions is also confusing to the user, with the consequence that they run executables, believing them to be text files, etc.