Posted by Chris Eng in RESEARCH, April 26, 2007
Because if you do, you’ve probably installed QuickTime without realizing it. Why is this relevant? Well, if you’ve been in a cave for the last week, you may not have heard about the QuickTime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it’ll happily oblige, but then iTunes won’t work anymore. So it boils down to two options: either disable Java, or find another MP3 player for the time being (unless you bought a bunch of DRM-protected music from …
Posted by Chris Wysopal in RESEARCH, April 25, 2007
Client-side browser vulnerabilities, the ones that require the browser software on your computer to make a request to a web site hosting a malicious web page, are on a sharp rise. Sophos reports:
From January to the end of March, Sophos identified an average of 5,000 new infected webpages every day, indicating that this route to infection is becoming more popular with cybercriminals.
and
Not all of the infected websites were created by the hackers themselves. Sophos has found that the majority, 70 percent, were bona fide websites that were vulnerable to attack because they were unpatched, poorly coded or had …
Posted by Chris Eng in RESEARCH, April 23, 2007
Slowly but surely, I’m catching up on my blogging backlog. As I posted before, Day 2 of CanSecWest was a long day, with presentations running from 9am to 9pm. Here are some of the highlights:
Barnaby Jack’s talk, Exploiting Embedded Systems – The Sequel!, was mostly the same as last year’s talk with a couple notable exceptions. Last year, he exploited a UPnP stack overflow in the DI-524, while this year it was a 0day in the DI-604 which he didn’t provide further details on, other than the fact that it was a null pointer exception. This …
Posted by Chris Eng in RESEARCH, April 22, 2007
I’ll post my thoughts from Days 2 and 3 of CanSecWest pretty soon. Thursday was a marathon 12 hours of talks followed by a Microsoft party, and Friday I went straight from the con to the airport to catch the red-eye back to Boston, so I just haven’t gotten around to it.
Before I do that, though, let’s talk about the “Pwn To Own” contest, which turned out to be interesting. Here’s the premise. Dragos purchased two MacBook laptops and challenged the conference attendees to hack them, with the prize being, naturally, the laptops themselves. …
Posted by Chris Eng in RESEARCH, April 19, 2007
Thought I would post a few thoughts on today’s talks:
For some reason I expected more out of Jose Nazario’s talk on Reverse Engineering Malicious Javascript. Basically, it could be summarized as follows: use command-line JavaScript interpreters such as njs to figure out what obfuscated JavaScript does without having to execute the malicious code in the context of a web browser. Near the end, he mentioned that he had been seeing increased amounts of Flash-based malware, and mentioned that flasm was a useful tool for extracting the ActionScript from .swf files. Very clearly presented but pretty basic content. …
Posted by Chris Eng in RESEARCH, April 17, 2007
As you may have guessed, I’m out in Vancouver the rest of the week attending CanSecWest. Looking forward to catching up with old friends and former colleagues and meeting more of you lurkers!
I am always overly paranoid about getting owned by 0day at these conferences. My work laptop won’t run Linux cleanly without rebuilding the kernel, and since I don’t have time for that stuff anymore, I’m resigned to running Windows XP. The Windows and BitDefender firewalls are enabled — hopefully they work. My wireless card is physically disabled, and all web and e-mail traffic is …
Posted by Chris Eng in RESEARCH, April 10, 2007
The Web Application Security Consortium (WASC) just published statistics on the prevalence of various web application vulnerabilities. The list was compiled from 31,373 automated assessments performed during 2006 by four contributing companies, with the methodology around data collection described as follows:
The scans include a combination of raw scan results and results that have been manually validated to remove false positive results. The statistics do not include the results of any purely manual security audits (aka human assessments).
As with any statistical data, the results of this study should be digested with a healthy dose of skepticism and a …