What If All Vulnerabilities Had This Disclosure Timeline?

There is a heap overflow vulnerability in RealPlayer 11 build 6.0.14.74. It allows for code execution when RealPlayer opens a malicious song file.

Timeline

Dec 16, 2007: Gleg customers notified of vulnerability and given exploit code

Jan 1, 2008: Public disclosure (no details) with online demonstration

Feb 6, 2008: Vulnerability still not patched

It’s not your typical disclosure timeline. In recent years we have become accustomed to a disclosure timeline that goes something like this:

Typical Timeline

Dec 16, 2007: Vendor notified of vulnerability and given exploit code

Feb 6, 2008: Public disclosure with details and vendor patch available

Feb 7, 2008: Some customers patched

We …

PCI as a Law?

Identity theft and the huge TJX breach have brought information technology and security to the forefront and now the states of Texas and Massachusetts are contemplating bills that would hold corporations financially responsible for security breaches.

Computerworld’s article states that “Texas mulls bill that would make PCI requirements a state law”. According to the article, Texas Bill HB 3222 passed the House of Representatives 139-0. It should prove interesting to see what the Texas Senate and Governor Rick Perry have to say about this. Is this really the right move …

Vulnerability Disclosure Evolves

Jeremiah recently posted about the Microsoft Security Response Center inviting security researchers to disclose vulnerabilities discovered in a Microsoft “online web property,” which is to say, anything in the microsoft.com domain (or msn.com, live.com, etc.). Immediately, people started trying to profit from the idea, suggesting that Microsoft agree in advance to a “reward system” whereby they would pay cash for vulnerabilities. While this would be inexpensive for Microsoft, relative to their security budget, it would completely contradict the notion of responsible disclosure. If Microsoft chose to reward someone for reporting a vulnerability that they considered significant, …

Vulnerability Disclosure in the new “Software in the Cloud” World – Part II

In part I of this article I wrote about the history of vulnerability research and how researchers having legal access to the software and hardware they need to conduct their research is a prerequisite. This is why there was so little research on software before 1996.

Not only is legal access important, but being able to run the software in a lab environment is important as well. Pure black box testing is very inefficient for finding security bugs. You need to instrument the running program and be able to perform static analysis. This usually takes the form of using debuggers and shims …

Vulnerability Disclosure in the new “Software in the Cloud” World – Part I

There is no doubt that Web 2.0 is upon us. The software we use every day is migrating from our desktops, laptops and company servers to the great data centers in the sky. The first application to move to the cloud was e-mail, then picture and file sharing services, and now traditional desktop applications such as calendaring, task lists, spreadsheets and word processing are all available via the web. Soon there will be little need for the average computer user to have any applications running on their desktop at all except for a web browser with media player plug-ins.
