Apple defuses Safari “Carpet Bomb”

Friday, June 20th, 2008

Apple has closed four security holes in the Windows version of its Safari browser with the release of version 3.1.2. The fixes include the browser's "Carpet Bomb" behaviour of placing downloaded files on the desktop by default and without asking the user's permission. In association with with Internet Explorer – ...

Site Security Policy

Sunday, June 8th, 2008

OK gang, this is one of those rare moments where feedback from community will directly influence a security feature that’ll make a real difference. First some background... About 6 months ago Brandon Sterne left a cushy infosec position at eBay for Mozilla to solve an extremely important Web security problem he ...

XSS Methods Also Seen Being Used in Mass Compromises

Sunday, June 1st, 2008

XSS (Cross-Site Scripting) Very Much Alive and Kicking We were about to investigate further on malicious activities related to banner82(dot)com/b.js but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveal that the ...

CSS exploit allows detection of social site use

Thursday, May 29th, 2008

Web developer Aza Raskin knows we visit Digg, Del.icio.us, Reddit and Facebook without even having to ask. No, he isn't employing privacy violating hackery, but he is exploiting a "cute" information leak in CSS that traditionally displays visited links differently than those that have yet to be visited. By loading in ...

New SQL Injection Attacks Exploit Adobe Flash Flaw

Wednesday, May 28th, 2008

Mass SQL injection attack, take four: Yet another wave of SQL injection attacks is exploiting an Adobe Flash vulnerability that appears to be coming from the same series of attacks originating from China. The intent, as in previous attacks, has been to steal online gamers’ password credentials. But given the persistence ...