VnutZ Domain
Copyright © 1996 - 2024 [Matthew Vea] - All Rights Reserved

2009-08-01
Featured Article

Should Vulnerabilities be Disclosed

[index] [2,131 page views]
Tagged As: Legal, Privacy, and Security

More than a month ago, security researchers Charlie Miller and Collin Mulliner informed Apple of a security bug in the iPhone's handling of SMS. However, time passed and no updates were released prior to the annual BlackHat conference. So the researchers proceeded with a demonstration of taking over an iPhone simply by crafting an SMS buffer overflow. This isn't the only threat phones are vulnerable to over SMS, others included spoofing the SMS origin and performing an over-the-air (OTA) software install. Apple waited until a day after the conference to release a patched 3.0.1 version of the iPhone software which is already capable of being jailbroken. (NOTE: The iPhone was not the only mobile handset vulnerable to the SMS attack, Windows CE, Symbian and unpatched Android devices were also susceptible to remote takeover.)

The BlackHat conference released other goodies to include a demonstration of improper SSL authentication in _most_ browsers using nothing more advanced than null characters. This allows hackers to simply register two domains concatenated with a null character (www.bankofamerica.com\0www.myfakesite.com) which makes the fake site register as authentic when the browser mishandles it. Another team of researchers demonstrated that CompuTrace, a BIOS based set of code designed to help trace stolen computers acts similar to a rootkit (albeit, a well intentioned one) but is susceptible to compromise where remote code can be loaded into the machine because malware detectors have whitelisted CompuTrace as "good" software. CompuTrace ships on virtually all laptops today.

Is the concept of disclosure vulnerability a good thing for the general public? One can take the perspective that it forces a manufacturer to patch a flaw due to public awareness (like Apple). On the other hand, a vulnerability may exist but go completely unexploited if the hacker never knew it existed in the first place.



More site content that might interest you:

Is it really even worth trying to put authentication processes into software?


Try your hand at fate and use the site's continuously updating statistical analysis of the MegaMillions and PowerBall lotteries to choose "smarter" number. Remember, you don't have to win the jackpot to win money from the lottery!


Tired of social media sites mining all your data? Try a private, auto-deleting message bulletin board.


paypal coinbase marcus