I haven’t been writing recently. Been kinda busy.
For those of you that haven’t heard, my wife gave birth to our baby boy last Wednesday.
His name is Paul Esler.
Start with a cage containing five monkeys.
Start with a cage containing five monkeys.
Inside the cage, hang a banana on a string and place a set of stairs under it. Before long, a monkey will go to the stairs and start to climb towards the banana. As soon as he touches the stairs, spray all of the other monkeys with cold water. After a while, another monkey makes an attempt with the same result – all the other monkeys are sprayed with cold water. Pretty soon, when another monkey tries to climb the stairs, the other monkeys will try to prevent it.
Now, put away the cold water.
Remove one monkey from the cage and replace it with a new one. The new monkey sees the banana and wants to climb the stairs. To his surprise and horror, all of the other monkeys attack him. After another attempt and attack, he knows that if he tries to climb the stairs, he will be assaulted.
Next, remove another of the original five monkeys and replace it with a new one. The newcomer goes to the stairs and is attacked. The previous newcomer takes part in the punishment with enthusiasm! Likewise, replace a third original monkey with a new one, then a fourth, then the fifth. Every time the newest monkey takes to the stairs, he is attacked. Most of the monkeys that are beating him have no idea why they were not permitted to climb the stairs or why they are participating in the beating of the newest monkey.
After replacing all the original monkeys, none of the remaining monkeys have ever been sprayed with cold water. Nevertheless, no monkey ever again approaches the stairs to try for the banana.
Why not?
Because as far as they know that’s the way it’s always been done around here.
And that, my friends, is how policy begins.
– Don’t know the original author or where this came from, but it was posted on a Listserv I belong to, and I thought it was great. If anyone knows where this originally came from, please post in the comments so I can attribute it.
However, I think this really exemplifies some points that I’ve said for years. Just because “That’s the way it’s always been” doesn’t mean that’s the way it always needs to be done. Examine the status quo, and if you can try and make it better, do so.
Categories: funny.
Security for the SMB makes sense, by Jason Brvenik
Security for the SMB makes sense.
I was off reading some older articles written on a couple of blogs that I follow looking for something in particular. Well, I never did find what i was looking for (in regards to the article itself), but I did reread this post by Jason Brvenik over at Snort.org.
This is a great article in response to another article about why small business shouldn’t invest in IPS (which is a crazy view). Jason really does a nice job of laying out the reasons why its important. Definitely worth the read, or reread if you’ve seen it before.
Categories: analysis.
IRC Statistics are back!
If you aren’t on IRC, have no interest in IRC, pay no attention to this post, but for the rest of you:
One of the features of my old website that people have asked me: “Where did this go?” was the IRC statistics.
So, they are back.. and with over two years of logs!
So check em out for the specific freenode channel that you are interested in:
- http://blog.joelesler.net/stats/snort.html
- http://blog.joelesler.net/stats/snortgui.html
- http://blog.joelesler.net/stats/dshield.html
- http://blog.joelesler.net/stats/sfire.html
- http://blog.joelesler.net/stats/razorback.html
Enjoy.
Oh, and on another note: They are still useless.
Categories: funny.
Google Wave, it’s dead. So sad.
In case you haven’t heard.
So, on Google’s “Official” Blog (which one guys? You have so many!) they announced yesterday that they are pulling the plug on Google Wave.
So sad.
I think Wave had some really good potential, but I’ll say it here, as I have said it since the beginning, Wave would have never caught on unless it replaced something else. Wave was pretty neat, it was like a Wiki, Google Docs, Gmail, Gtalk, and god-knows-what-else all rolled into one. It worked, it worked pretty well. But it didn’t replace anything for anyone. It was a “and also” technology.
Let’s Hope
Google rolls some of the technology they developed for Wave into the rest of their products. For instance, simultaneous typing. That could be useful in Gmail and Gtalk.
I think the collaboration-on-documents idea was great. That would be most useful in a corporate setting. I would have loved to use it at Sourcefire.
Design
Some of their design ideas were great.
Look at the navigation window over here on the right. Look at the shading around the box, Look at the title bar (how it can be collapsed). Look at the “+” button. It all looks very nice. It has icons, it has lots of html5 being used to shade and render it. The drop shadow, the links. Every box on Google Wave seemed to be more carefully thought out and precise. The GUI was a wonderful idea and one couldn’t very well argue with that. The scroll bar (not pictured here) was nice to use. Every pane was separated into it’s own individual boxes. You could tell there was a difference in between all of them. Take a look at this post over at lifehacker.org: http://lifehacker.com/5400644/google-wave-look-and-feel-coming-to-gmail-other-google-apps. I don’t where they got that screenshot, but that’s the way that Gmail should look! Look at the boxes, the drop shadows, the shading. The whole look and feel reeks less of a “Web App” and more of a Desktop app. It has polish. It has great design. If you take a look at a screenshot of Gmail, from my own inbox, you will see what I am talking about. Look at the panes here. Look at the navigation windows. This is not good GUI design in a web app, functional? Yes. Good looking and easier to navigate? No.
If Gmail wants to act like they are a desktop email replacement tool, they need to stop looking like “Mutt” and start looking like Wave.
In a way, I’m kind of sad to see Wave go. There was a lot of really great ideas there. I enjoyed using it.
However, I can totally see how it didn’t work for some people. It was confusing. People didn’t understand how it was different from anything else they used. As I said, it didn’t replace anything they already had, it didn’t have a “need”. When the iPhone was invented people immediately saw the “need” for it. A phone that is brilliantly easy to use. It also replaced things. It replaced their phone, it replaced their blackberry. It was simple.
Wave wasn’t simple. It didn’t replace anything, and that is why it failed. People don’t need another email system. In fact, they need less.
Now that I have these IDS events, now what?
In my full-time job I work for Sourcefire, as a Sourcefire and Snort Professional Services Consultant. I deal with a different customer every week (sometimes every day), and with each customer comes a separate set of IDS events. Customers will often tell me “this network is unlike any you’ve ever seen before”, and for the most part, they are right. While all networks consist of servers, desktops, switches, routers, firewalls, antivirus, and even IDSes, all networks are essentially the same in that respect. However, each of them pose their own unique set up and vulnerability attack-landscape. Each network is unique in this way, it doesn’t matter if you have 300,000 users on your network or 10. All that does is make your life as a security person more difficult, this is essentially a number. That number may increase lots of things, people hired to handle them, number of sensors needed, the amount of bandwidth needed, etc.
So, in dealing with the hundreds, perhaps hundreds of thousands, perhaps millions of IDS events that I see during the day on different networks, how do I deal with them? How can I get into a customer engagement and turn 400,000 events a day into 100? How do I help my customers deal with this?
My answer is: One at a time.
How do I do it? Well, I take the same fundamentals as I have applied to Getting Things Done and Inbox Zero (mostly the latter) to IDS events. In other words, for each IDS or IPS event, there is at least one (maybe multiple) outcome(s) to that event. While yes, that may seem redundant, (and it is) my point in saying that is that there should always be an outcome to any IDS event. It shouldn’t just sit. You shouldn’t just be “moving events to archive”.
You can kind of think this as a flow chart.
First -> Look at the event, let’s use this event as an example:
“POLICY Adobe FLV file transfer”
Analyze it in context, what does this event mean? It means someone is watching a flash video on the internet. Okay, big deal right? Is that allowed by policy? Look at the packet data, is it from youtube? Is watching YouTube from the corporate network allowed? Perhaps if you are on a Government network, this isn’t allowed, okay, so what next? Do I need to look at the flows around it recorded by Netflow or RNA? Do I need to look at my SIEM tool?
Second, Now comes where you ask “what relevancy does this have to my network?” If it’s a Sourcefire protected network (read: not Snort) then you might have RNA to help you perform this function. How is the impact rating on the alert? Is it high? Is the end host vulnerable to this “exploit”? The impact rating for the above event is probably pretty high, since every browser on every OS (for the most part) can watch a flash video. How old is the rule or alert? Does it cover a CVE that was patched in 2002?
Now that we know what the event is, and what relevancy it has to our network, what are we going to do about it? Well, I view this has having about four possible outcomes. Of course, this is related to Snort, so your IPS may vary. But all IPSes get better with tuning, so…
- If you are in IPS mode, do you want to block it or not?
- Threshold or Surpress?
- Edit the rule manually?
- Shut the rule off?
- Does it provide relevance to other rules?
- DO something about the alert.
1. Set the rule to drop.
This only works if you are in IPS mode, should you change the rule to drop? Do you want the traffic to go into the big bit bucket in the sky? Prevent that FLV file from being downloaded? Prevent that PDF from being downloaded, prevent that newest browser exploit? If you are in IPS mode, this is your second question after you analyze the event.
2. Threshold or Suppress?
Thresholding in Snort essentially means you still want the rule to alert, but not as much. Or not until a certain threshold is reached (or both). Suppressing means you want to turn off alerting to a certain IP or CIDR block. Say for instance an SNMP alert going to your HP OpenView server. Legit traffic, so tune it out.
3. Edit the rule.
Probably something you want to stay away from as much as possible, unless you editing your own rules. But it’s always an option to edit the rule manually to reduce false positives.
4. Turn the rule off.
Is the rule out of date? Do none of the above apply? Has it no relevance to your network? For instance, using our above example, if watching flash videos is allowed on the network, and you don’t want to track to see if people are doing that kind of thing, then shut the rule off. If you aren’t going to use the final step in this process (DO SOMETHING) then do you need the rule?
5. Is the rule providing you contextually aware information?
Some rules will make no sense on their own, but they may provide a contextual awareness to other rules. For instance, if there was a rule to watch for vulnerabilities within a certain flash video file format to exploit older versions of the flash player, that rule coupled with the above example, may provide better contextually aware alerts. You know the video was bad, but now you can refer back to the above example and perhaps see where the alert came from. Kind of a bad example, because you could do it either way, but hopefully you grasp my point.
6. DO SOMETHING.
This requires you to go mitigate the problem. Whether that be to “file a ticket” for your helpdesk to clean off spyware, clean up a botnet, perhaps you’ll need to pull forensics on the host machine, perhaps you’ll need to pull web proxy logs to get better awareness. But this is the step where you actually have to use the alerts generated by your IDS to do your job. Find the bad guy, eradicate the badness from the network, and move onto the next alert. After all, that’s the point of having an IDS or IPS right?
Following these simple steps should allow you to have a greater awareness of the alerts on the network, and perhaps actually do something about them. Getting an IDS alert and then “moving it to archive” or “marking it as reviewed” is doing nothing. Following the above ACTION steps should give you a more streamlined IDS or IPS, and then only cause your system to alerts when you need to conduct step 6, above. DO SOMETHING.
Categories: Snort, Sourcefire, analysis, security, software.
New Digg Interface Invites
I have a couple posts brewing in my head that I need to get down on paper, but in the meantime, I have 5 invites for the new Digg.com interface if anyone wants them.
First five people to send me their email address get them.
Categories: Uncategorized.
Contrary to Recent Assertions – Snort 2.9 beta has been released, and it’s awesome..
Snort 2.9 has been in the works now internally for awhile and the first beta release is out and ready for community feedback.
It’s a big release with lots of enhancements, so here are the current list of things that need to be beta tested in Snort 2.9, and I’ll expand upon them a bit:
* Feature rich IPS mode including improvements to Stream for inline deployments. A common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
This feature really does away with a lot of the old react/resp/reset code and unifies all that broken code under respond3. It also allows for RST and ICMP injection into a stream in IPS mode (more reliable than IDS), so, for example, you want to cut a session off in midstream. In regular IPS mode, we can drop the connection quietly. With the new response module we can properly inject a RST (or other close) packet into a dropped stream, resetting the connection so that the end hosts don’t have open TCP sockets. There is also a normalization preprocessor, (See README.normalize), which, essentially, cleans packets up. For example here a just a few things that the normalization preprocessor can do to TCP:
- Remove data on SYN.
- Clear the reserved bits in the TCP header.
- Clear the urgent pointer if the urgent flag is not set.
- Clear the urgent pointer and the urgent flag if there is no payload.
- Set the urgent pointer to the payload length if it is greater than the payload length.
- Clear the urgent flag if the urgent pointer is not set.
- [..]
Flexresp (Flex Response) 1 and 2 are now deprecated and a new Flexresp3 has been introduced. Flexresp3 supports ALL of the flexresp1 and flexresp2 keywords and syntax. Easy to move right over.
* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links. See README.daq for details
on using Snort and the new DAQ.
Hooray! Libpcap 1.0 is now required. Hooray Libdnet! As you can read above, Snort 2.9 adds support for nfq and afpacket. In addition to ipfw, ipq, and dump that they’ve read already. IPQ wasn’t working as well in past releases, so we replaced it with netfilterq.
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.
This was a feature requested by one of our community people. They didn’t want to see the IPs of their proxies as Source or Destination IPs in HTTP alerts. They wanted the ability to see the “real” IPs for those proxies that support “X-Forward-For” and “True-Client-IP” header fields in their packets. This output is only available if you are using the Unified2 output method.
Those of you that are NOT using Unified2 really, really need to move to it. Older, slower, output methods are eventually going to be deprecated, so please, start your upgrades.
* A new rule option ‘byte_extract’ that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.
This was a feature requested by the community as well, it came from an email I received as a request that we add something like this in Snort. The ability to yank a value out of a packet and store it for later use with other keywords. (Unlike byte_test or byte_jump that calculates the value on the fly.)
* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.
I think that one speaks for itself, but make sure you read README.SMTP in the doc/ directory of the tarball to make sure you fully understand what this does.
* Ability to “test” drop rules using Inline Test Mode. Snort will
indicate a packet would have been dropped in the unified2 and console event log if policy mode was set to inline.
This was a feature, also requested by our community. They wanted to know, for a fact, what traffic would have been dropped had the rule in question be set to drop. Again, this output is only available in Unifed2 and console, so please start moving over!
* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule
options.
Nice feature here. Base64 decoding in a rule.
* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.
Also added into README.normalize. This is to continue to support the United States Government’s push to IPv6. In many environments, this is now mandatory.
* Added a new pattern matcher that supports Intel’s Quick Assist
Technology for improved performance on supported hardware
platforms. Visit http://www.intel.com to find out more about
Intel Quick Assist. The following document describes Snort’s
integration with the Quick Assist Technology
http://download.intel.com/embedded/applications/networksecurity/324029.pdf
This optimization is very hardware specific. Make sure you read the PDF linked above which is a joint research project underway by Sourcefire and Intel.
I’m sure more tweaks and things will be added to 2.9 before it’s actual release, so I look forward to these enhancements.
Be sure and check out Snort 2.9′s beta code here, at http://www.snort.org/
Categories: Snort, Sourcefire, software, updates.
Project Razorback has been unleashed on the World
For several months, the Vulnerability Research Team (VRT) here at Sourcefire has been heads down in coming up with a new framework for detection called Razorback, and now, it’s been unveiled to the world this this morning.
Being announced at Defcon this weekend by the VRT, so if you are in Defcon this week, reading my posts, First: Have a beer for me, as I am not there this year due to the impending birth of my child, and Second: Attend this talk. If no other talks are attended during your drunken hacking binge in Vegas, go to this talk.
OH AND BUY THE VRT BEER IF YOU MEET THEM. Mkay?
What is Razorback?
In Marketing speak: “Razorback is an Open-Source Framework for an intelligence driven security solution.” Okay, okay, what does that mean?
Razorback is a system that detects and decodes, well, just about anything you need it to. Following that, it has the ability to then block and alert on that activity. So, for example:
- Obfuscated Javascript? Decoded, Blocked?
- Bad PDFs? Decoded, Blocked?
- Bad Word Documents? Powerpoint Documents? Decoded, Blocked?
This framework is aimed primarily at these Client based attacks, and, dare I use it? Advanced Persistent Threat (APT). It was born out of necessity and a discussion with the VRT during a panel they participated in last year about detection. The community asked for something to be able to perform a function like this, and well, here it is. Better. There is nothing to combat these threats, so Sourcefire created one.
So, say for example, a PDF comes in via email. The PDF is sent to Razorback by the SMTP engine, Razorback runs it through the detection, — which I’m not even going to begin to explain here, because it’s extremely awesome and complicated, and you should go to the talk to fully understand –, and if the detection decides the PDF is bad, it will record that fact in it’s database so that all further attempts with a PDF like that one will be blocked from there on out. Now, that’s just one example.
Since Razorback is an Open-Source project and framework, anyone can write a detection “nugget” for it. These nuggets, written in C, can detect pretty much anything and provide actionable intelligence on it afterwards, and of course, since it’s Open-Source, many different “feeds” can be provided to Razorback.
SMTP, ClamAV, Snort, Web proxies, Web filtering devices, et all. They can all be written to feed data to Razorback which then can have the ability to take further action after it’s analyzation.
This is a different approach to detection than what’s been tried before. While IPS is great, it can’t really grab a PDF off the wire, reassemble it, decode it, and block it in real-time. With Razorback, Snort can grab the PDF off the wire, pass it to Razorback where it will be analyzed, and so on.
After the talk if the VRT puts their slides and more info up on their website, I’ll make sure that I post further information about it. But for now, here it is:
Here’s another article about Razorback over at DarkReading.
Categories: Snort, Sourcefire, VRT, analysis, hacking, malware, security, software.
Safari 5.0.1 Posted this morning
Back in June I wrote a post on a problem with Safari 5 creating a black background around certain objects when moved from one application to another. For instance, when you attempt to use the “Mail this PDF” function from Preview. Well, this morning Apple released version 5.0.1 of Safari. This fixes the issue I described here, along with many others. As posted on Apple’s website here, the following are fixes:
- More accurate Top Hit results in the Address Field
- More accurate timing for CSS animations
- Better stability when using the Safari Reader keyboard shortcut
- Better stability when scrolling through MobileMe Mail
- Fixes display of multipage articles from www.rollingstone.com in Safari Reader
- Fixes an issue that prevented Google Wave and other websites using JavaScript encryption libraries from working correctly on 32-bit systems
- Fixes an issue that prevented Safari from launching on Leopard systems with network home directories
- Fixes an issue that could cause borders on YouTube thumbnails to disappear when hovering over the thumbnail image
- Fixes an issue that could cause Flash content to overlap with other content on www.facebook.com, www.crateandbarrel.com, and other sites when using Flash 10.1
- Fixes an issue that prevented boarding passes from www.aa.com from printing correctly
- Fixes an issue that could cause DNS prefetching requests to overburden certain routers
- Fixes an issue that could cause VoiceOver to misidentify elements of webpages
Safari 5.0.1 also packs in a bunch of security updates. Of course Blackhat and Defcon are this week, so that may have something to do with this update being released.
Safari
Impact: Accessing a maliciously crafted RSS feed may cause files from the user’s system to be sent to a remote server
Description: A cross-site scripting issue exists in Safari’s handling of RSS feeds. Accessing a maliciously crafted RSS feed may cause files from the user’s system to be sent to a remote server. This issue is addressed through improved handling of RSS feeds.
Credit to Billy Rios of the Google Security Team for reporting this
issue.
Safari
Impact: Safari’s AutoFill feature may disclose information to websites without user interaction
Description: Safari’s AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user’s Address Book Card. To trigger the issue, the following two situations are required. First, in Safari : Preferences : AutoFill, the “Autofill web forms using info from my Address Book card” checkbox must be checked. Second, the user’s Address Book must have a Card designated as “My Card”. Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected.
Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.
(Nice work Jeremiah!)
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit’s handling of element focus. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of element focus.
Credit to Tony Chang of Google, Inc. for reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s rendering of inline elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
Credit to wushi of team509 for reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of dynamic modifications to text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
Credit? Apple Internal?
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of CSS counters. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory management.
Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative for
reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit’s handling of the :first-letter and :first-line pseudo-elements in SVG text elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by not rendering :first-letter or :first-line pseudo-elements in SVG text elements.
Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative for reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit’s handling of foreignObject elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through additional validation of SVG documents.
Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative for reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of floating elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
Credit? Apple Internal?
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of ‘use’ elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of ‘use’ elements in SVG documents. Credit to Justin Schuh of Google, Inc. for reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit’s handling of JavaScript string objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
Credit: Apple.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A reentrancy issue exists in WebKit’s handling of just- in-time compiled JavaScript stubs. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved synchronization.
Credit? Apple Internal?
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of JavaScript array indices.
Credit to Natalie Silvanovich for reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit’s handling of regular expressions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of regular expressions.
Credit to Peter Varga of University of Szeged for reporting this issue.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit’s handling of “font-face” and “use” elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of “font-face” and “use” elements in SVG documents.
Credit to Aki Helin of OUSPG for reporting this issue.
Safari 5.0.1 and Safari 4.1.1 address the same set of security issues. Safari 5.0.1 is provided for Mac OS X v10.5, Mac OS X v10.6, and Windows systems. Safari 4.1.1 is provided for Mac OS X v10.4 systems
The thing to remember with the above vulnerabilities is that things that are labeled “Webkit”, affect more than just Safari. They could possibly affect anything using the Webkit framework. Chrome included.
Categories: Google, apple, browser, hacking, security, software, updates.
