RedHat Package Signing Server – Pwnd

EDIT: Holy crap: http://rhn.redhat.com/errata/RHSA-2008-0855.html “In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and…

The truth about the Dowd / Sotirov Vista memory protection bypass stuff

Good short interview with Sotirov who clarifies what actually happened at Blackhat for some folks: http://blogs.zdnet.com/Bott/?p=513 He mentions some interesting stuff – like how they worked with us, we gave them feedback, worked with the other vendors etc.  I haven’t had time to read their whitepaper yet (though I will this weekend). 🙁

Happy Patch Tuesday – Random thoughts

The SnapShot Viewer 0-day that has seen limited exploitation in the wild is now patched – here’s an interesting write-up with some things you may not have known about it.  Here’s the deal – IE Protected Mode, while not a true defendable security boundary – is awesome and this particular vulnerability proves its worth.  This…

VMWare Fail Closed Goat Award

Here’s one for the schadenfreude files – VMWare users running ESX 3.5.x Update 2 will be unable to power on their machines today / tomorrow / everafter until a fix is released by VMWare to correct a licensing bug that causes legit copies of the software to expire on August 12th: http://kb2.vmware.com/kb/1006716.html.  Looks like it’s already…

OpenID Fail Open Goat Award

Really interesting that CRL checks aren’t baked into a lot of open source OpenID providers: http://www.links.org/files/openid-advisory.txt Sun has already updated their web site with this disclaimer: Security Issues OpenID is an untrusted protocol. Sun has no liability for what happens to any information you give to a third-party web site using this service. Most OpenID-enabled…

We’re going for an Olympic Silver(light)

Sort of an interesting story on how it came to be that Microsoft Silverlight was chosen to broadcast the Olympics via the series of interconnecting tubes: http://news.cnet.com/8301-13860_3-10003752-56.html?tag=nefd.lede I’m guessing Silverlight supports our VC-1 codec which rules them all . . . I recently used Expression Encoder 2.0 to encode a 1 hour DVR-MS file (an…