Monday | 13 October, 2008
CIO
NULL pointer exploit excites researchers
More than flash in the pan.
Carl Jongsma (Computerworld) 18 April, 2008 08:13:23
In 1996 it was Aleph One's astounding paper, "Smashing the Stack for Fun and Profit", that introduced a generation of Information Security researchers, and eventually the world at large, to the inherent exploitability of buffer overflows, and that set out the techniques which would form the basis of proving that a vulnerability was exploitable (as well as the basis of any number of exploits themselves).

In 2008 it is Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" that looks set to have a similar effect on the field of Information Security. Already the small but growing group of Information Security experts that have had the chance to read and digest the contents of the paper are expressing an excited concern, depending on how they are interpreting the contents of the paper.

If your local expert doesn't seem jumpy or on edge, then it is more than likely that they have not had the chance to read or comprehend the scope of what has been presented in the paper.

While the Flash vulnerability described in the paper has been patched by Adobe, it is the presentation of a reliable exploit for NULL pointer dereferencing (see http://www.owasp.org/index.php/Null-pointer_dereference) that has the researchers who have read the paper excited.

In simple terms, a NULL pointer dereference occurs when a software application tries to access memory through a pointer that holds the value NULL (a special value that tells the software there is nothing there; there is a real but critical difference between '', ' ', '0', NULL and the many other ways of representing nothing). In most cases the application should stop running and crash when it accesses memory through a NULL pointer, but it has been found that some applications can be forced to access and execute arbitrary memory locations when a NULL pointer is dereferenced. The only problem has been that this was considered extremely difficult to achieve, and not easy to develop a generic approach for. That has now changed, with Dowd effectively providing a framework that could be used to probe for exploitable NULL pointer dereferences across multiple platforms, essentially a generic attack / vulnerability finder for this class of vulnerability.
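To make the mechanism concrete, here is an added illustration in C (constructed for this article, not code from Dowd's paper or from Adobe's Flash runtime): a NULL-based field access does not touch address 0 but 0 plus the field's offset, which is why a crash is not guaranteed, and the unchecked dispatch is shown beside a form that fails closed on NULL. The struct layout and function names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example object: the callback sits at a fixed offset
 * from the start of the object, as it does in many runtime objects. */
struct handler {
    char   name[64];          /* padding in front of the callback */
    int  (*on_event)(int);    /* function pointer dereferenced below */
};

/* Address that "h->on_event" actually reads when h is NULL: not
 * address 0 but 0 + offsetof(). If that low page is unmapped the
 * process crashes; if something is mapped there, that is what gets
 * called. This is why the crash cannot be relied upon. */
uintptr_t null_deref_address(void) {
    return (uintptr_t)offsetof(struct handler, on_event);
}

/* Unchecked pattern: dereferences h without validating it.
 * Only safe with a non-NULL h; kept here for contrast. */
int dispatch_unchecked(const struct handler *h, int ev) {
    return h->on_event(ev);
}

/* Hardened pattern: refuse to dereference a NULL object or a NULL
 * callback. Returns -1 on either, otherwise the callback's result. */
int dispatch_checked(const struct handler *h, int ev) {
    if (h == NULL || h->on_event == NULL)
        return -1;
    return h->on_event(ev);
}

/* Sample callback used by the demonstration below. */
static int double_it(int v) { return v * 2; }

int main(void) {
    struct handler good = { "demo", double_it };
    printf("NULL-based access would touch address 0x%lx\n",
           (unsigned long)null_deref_address());
    printf("checked, valid object: %d\n", dispatch_checked(&good, 21));
    printf("checked, NULL object:  %d\n", dispatch_checked(NULL, 21));
    return 0;
}
```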

By effectively opening up this class of vulnerability for much easier investigation and attack (attacking memory flaws is still a difficult job), the paper is going to lead to a rush to develop tools that automate the search for this type of flaw, and that correct or exploit it depending on the intent of the tool's developer. While it was known that buffer overflows were best avoided prior to Aleph One's paper, it wasn't really until after the paper that people really understood the risks associated with them. This paper is likely to do the same for NULL pointer dereferencing.

If NULL pointers are so dangerous, why do developers continue to use them? There is really nothing better for declaring that there is nothing there, and it is a useful initial setting for software variables, as it ensures memory is available for when there are real values to be entered into memory by the application.

Aside from the sheer technical brilliance of the whitepaper, what has many amazed is how Mark utilises a number of innovative steps to force Flash to overwrite its own runtime code in memory, such that he then controls how code can access and manipulate the local system, running as both interpreted code and system-level instructions inside the same small attack package.

With careful design, what Mark has presented is not far off being cross-platform, and if it had been used to attack systems rather than to demonstrate the vulnerability that has since been patched, it could have been one of the most dangerous pieces of code since the Morris Worm. By publicly sharing what he has discovered, Mark is encouraging greater awareness of this particular vulnerability class and research into its risks.

Mark politely declined to be interviewed for this article, citing terms of his employment, but was pleased to see that information about his discovery was being spread to the widest audience possible.
