Penetration Testing mailing list archives
RE: New article on SecurityFocus
From: "Derick Anderson" <danderson () vikus com>
Date: Mon, 9 Jan 2006 09:48:44 -0500
-----Original Message----- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[snip]
What we need here is education of why we shouldn't be blindly clicking like we are. When you buy a new computer...where is the security education from the Best Buy or Dell?
If users could be educated it would have already been done by now. I can't take credit for that opinion as Marcus Ranum (http://www.ranum.com/security/computer_security/editorials/dumb/) said it first. I think it's funny that you bring up Dell and Best Buy when Microsoft is the one with an EXECUTABLE image format. There have been quite a few image vulnerabilities in the last year or so but I don't remember any of them resulting from the built-in ability to execute code.
But to say this is "It's probably bigger than for any other vulnerability we've seen" http://money.cnn.com/2006/01/03/technology/windows_virusthreat /index.htm?cnn=yes Gimme a break... it didn't stop the Internet [SQL Slammer], it didn't shut down entire businesses [Blaster], but it did freak out the Security community.
From what I can tell, Slammer wasn't a 0-day and neither was Blaster (at
least the first set of worms). If memory serves, Slammer was the result of admins not applying a patch from Microsoft available months before the worm was released. Since then Microsoft patching has vastly improved and admin paranoia has gotten worse. The scariest thing about WMF is that it targets user interaction using what used to be the most innocuous file format besides plain text. Users are the hardest part of the network to secure - and with WMF it just takes one click. Derick Anderson ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: New article on SecurityFocus, (continued)
- RE: New article on SecurityFocus Erin Carroll (Jan 06)
- Re: New article on SecurityFocus Socrates (Jan 07)
- RE: New article on SecurityFocus Murad Talukdar (Jan 09)
- RE: New article on SecurityFocus Murad Talukdar (Jan 09)
- RE: New article on SecurityFocus Brady McClenon (Jan 06)
- Re: New article on SecurityFocus Robin (Jan 06)
- RE: New article on SecurityFocus Jim Clausing (Jan 07)
- RE: New article on SecurityFocus Erin Carroll (Jan 07)
- Re: New article on SecurityFocus Drew Simonis (Jan 07)
- Re: New article on SecurityFocus Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (Jan 07)
- RE: New article on SecurityFocus Derick Anderson (Jan 09)
- RE: New article on SecurityFocus Brady McClenon (Jan 09)
- RE: New article on SecurityFocus Larry Seltzer (Jan 09)
- RE: New article on SecurityFocus Brady McClenon (Jan 09)
- RE: New article on SecurityFocus Richard Zaluski (Jan 09)