Archive

Part 1: Why implementing cryptography isn’t trivial?

2012-02-06 14:56

Correct (read: safe and secure) use of cryptographic functions in your own code isn't trivial. Here is proof, in the form of a short list of typical security issues we come across during code audits:

  • Use of insecure cryptographic or random-number functions to initialize other crypto components
  • Incorrect placement and handling of cryptographic components within the application architecture
  • Insecure handling of sensitive data in plaintext

One of the reasons for the above mistakes is a lack of the knowledge required to implement cryptosystems correctly. This includes a deep understanding of how a particular cryptosystem works. On the other hand, we often stumble across the idea that using ...

BIND 9 DoS vulnerability

2011-12-28 17:27

BIND 9 is vulnerable to a remote Denial-of-Service attack (CVE-2011-4313). The vulnerable code is located in the query.c file, and the server crashes after logging the message: : INSIST(! dns_rdataset_isassociated(sigrdataset)). It seems that the vulnerability was found by accident, triggered by malformed network traffic; the traffic samples show evidence that this was another accident rather than deliberate action.

This vulnerability is critical to all service providers relying on BIND as their core DNS server. The recommended solution is to apply the appropriate upgrade or patch; in the case of FreeBSD and NetBSD systems, such patches are provided for the operating system for ...

Critical Windows vulnerability leads to remote code execution.

2011-12-14 17:40

Microsoft has just released bulletin MS11-087 regarding a critical kernel vulnerability that could allow remote code execution. The vulnerability is related to the TrueType font driver and may be exploited by opening a specially crafted web page or document.

We recommend installing the latest security patches, available at

http://technet.microsoft.com/en-us/security/bulletin/ms11-087

VB2011: Static shellcode analysis and classification

2011-10-24 10:20

This is our presentation from the Virus Bulletin Conference 2011, held in Barcelona on October 5th-7th. It presents a proposed shellcode classification taxonomy and discusses some methods of static analysis. We invite everyone interested to take part in the discussion about our idea.

Presentation

Oracle Critical Patch Update Advisory for October released

2011-10-21 08:44

Oracle has released its Critical Patch Update Advisory for October. Users of Oracle products, mainly the Java environment, Oracle Database, Oracle Fusion Middleware and Oracle Application Server, should analyse the bulletins below and apply all required security updates.

http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Latest Microsoft security bulletins

2011-10-12 14:20

Yesterday Microsoft published its monthly compilation of security bulletins, known as 'Patch Tuesday'.

There are several patches rated "Critical" and "Important":

  • MS11-081 regarding vulnerabilities in Internet Explorer (all versions)
  • MS11-078 regarding remote code execution vulnerabilities in the .NET and Silverlight frameworks
  • MS11-077, rated "Important", describing several vulnerabilities in the Windows kernel which may lead to remote code execution

The full list of the latest Microsoft security bulletins can be found here:

http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-october-2011

10 tips for building secure cloud

2011-10-10 13:46

Based on our experience, we have proposed a list of 10 recommendations enabling organizations to build and deploy private PaaS clouds securely. We plan to keep updating this list so that it continues to address security issues as the technology evolves.

Cloud security for Union Banks

2011-09-29 08:44

At the "Union Bank – modern and safe" conference organized by Asseco Poland (26th and 27th of September), AVET INS presented the talk "Cloud security – opportunity or threat for Union Banks?". Our presentation focused on an example private PaaS based on the redcloudstorm.com solution. AVET INS provided redcloudstorm.com with a security model for their cloud as well as deployment of a Secure Development Lifecycle process.

The presentation is available (in Polish only) here.

September patches from Microsoft

2011-09-19 08:54

As part of its regular Windows patch release cycle, Microsoft has published patches for more than 15 vulnerabilities, for both servers and workstations. Although none of them is rated critical, they concern vulnerabilities of key importance to security.

Administrators of WINS and SharePoint servers in particular should take an interest in these patches. Workstations are also at risk: several vulnerabilities affecting the Office environment have been published, along with ways of executing arbitrary code when opening documents in network environments.

More information can be found at:

http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-september-2011

Oracle Security Alert for CVE-2011-3192 published

2011-09-16 11:29

This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of unpatched systems.

Affected Products and Versions

  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server ...

PHP 5.3.8 Released

2011-08-26 12:52

Shortly after the release of version 5.3.7, PHP 5.3.8 is available. This was due to a serious flaw in version 5.3.7, where the crypt() function returned a hash of the salt alone, ignoring the actual input. This means, for example, that a web application would accept any password provided and authenticate the user based on the login alone (given that the user's password had been set using the same flawed function).

This is an example of a situation where fixing one vulnerability ("buffer overflow on overlong salt in crypt()") creates another. Luckily, thanks to immediate user reports, it was quickly fixed.

http://www.php.net/archive/2011.php ...

New vulnerability in Apache servers.

2011-08-26 12:48

On the 24th of August a new vulnerability in Apache 1.3 and 2.x servers was published. The vulnerability (referenced as CVE-2011-3192) results in a denial of service through excessive CPU and memory usage. The flaw can be exploited by crafting HTTP requests with overlapping "Range" headers. All needed patches should be released soon (in a matter of hours). Until then, the server can be protected by changing its configuration. More information can be found here:

http://marc.info/?l=apache-httpd-dev&m=131420013520206&w=2

Microsoft SDL - Developer Starter Kit

2011-08-26 12:08

Microsoft has made available a web page with Secure Development Lifecycle documents targeting developers. This is a good starting point for anyone who is either interested in Microsoft's approach or thinking about deploying SDL in their software development environment.

www.microsoft.com

Microsoft Security Bulletin MS11-057 – MS11-069

2011-08-16 09:59

Microsoft has published a long series of security bulletins, from MS11-057 to MS11-069. Two of them are classified as critical by Microsoft (057 and 058). MS11-058 is particularly critical since it describes a remote code execution vulnerability in DNS Server. Other interesting bulletins are MS11-064 (denial of service in the TCP/IP stack), MS11-065 (RDP protocol implementation vulnerability) and MS11-068 (vulnerability in the Windows kernel). As always, we advise installing all patches as quickly as possible.

www.microsoft.com

Are SDL(C) programs too complex?

2011-07-22 15:57

While all experts understand the need for Secure Development Lifecycle solutions, their adoption is still low given the number of places where code is being written. Ideally, SDL education would come before a student designs and writes the first line of code. Unfortunately, this is a model solution that we will have to wait a long time to see happen. On the other hand, when we talk about SDL with customers, we often hear that it is too complicated and expensive to implement.

Other SDL field players see similar if not ...