Pinned toot

I post about technical topics here, especially , , . My other account is for German-language non-technical stuff.

On the practical level, it's questionable whether any antivirus vendor is really qualified to produce that secure browser. The one I'm looking at right now certainly isn't bad, they seem to have put some serious thought into minimizing attack surface (Avast did the exact opposite). But they still have security issues which are way more obvious than what you can expect to find in modern mainstream browsers.

Show thread

I'm looking at another "Secure Browser" by an antivirus vendor. They appear to have done a better job than Avast, a minimalist browser for banking and shopping sites only. On the conceptual level, this seems to make sense: separate browser profile and no extensions whatsoever.

@WPalant but node.js is single-threaded and there's no way to spawn another thread, only another process

Whisper app: yet another company which had no qualms about collecting as much data of their presumably anonymous users as possible. And then they carelessly exposed the dirty secrets to the public, along with identifying metadata.

Quite remarkably, Avast has now disabled their JavaScript interpreter for all users. Sometimes that actually do see trouble coming...

Show thread

This is merely the most recent example. Just because people are in the security software business, it doesn't mean that they will make good choices for the security architecture of their product. Or that they will care about the security of their product and their users at all...

Show thread

Tavis Ormandy found something truly remarkable in the Antivirus: a custom-made JavaScript interpreter that will attempt to execute arbitrary JavaScript snippets encountered so see what these do. The whole thing is running as SYSTEM (administrator privileges) without any sandboxing. How long until somebody finds a critical vulnerability here?

The Yahoo/AOL account recovery works like this: you type in a phone number, receive an SMS and are then granted access to any accounts associated with this number. Including the previous owner of that number or people who typed in a random phone number and never verified.

Show thread

Yahoo! and AOL implement an account recovery flow which can be summed up as "please hijack me." If you use them, you are better be very certain you control that recovery phone number of yours.

Want do use for a new project? Don't, it makes writing secure code unnecessarily complicated. In fact, you should look for a way to get rid of it in your old projects as well, or at least minimize its potential security impact.

This thread demonstrates nicely why so many studies are merely confirming experimentators' expectations but do not produce any real results. Yes, getting biases out of a study setup is a complicated task, and often people won't even try.

Wow, we have 2020 and somebody *still* has to explain that input sanitization isn't a good way to address XSS vulnerabilities. Where did the past two decades go?

I would actually expect a security software vendor to resolve a critical vulnerability first, pushing the one-line fix to users ASAP. Then improve on the fix later. Not bundle the fix with tons of regular changes, almost missing the deadline due to QA. Is it only me?

Vulnerability in McAfee WebAdvisor: RCE from any website through the browser extension into the application, all the way to administrator privileges. Updates are finally available and should be installed ASAP.

Interesting, so McAfee seems to create their CVE numbers in January and then assign them to whatever vulnerabilities come up in the course of the year...

Fancy phishing approach: rather than spam a suspicious phishing URL, send people a link to a Google Docs document. Make that document look like a download page and long enough that the Google footer disappears below the fold. The "here" link points to a malicious URL of course.

So, Microsoft's HTML Applications are still a thing in year 2020? I accidentally came across some malicious code within in HTA file, running PowerShell and .NET code via ActiveX. The assumption is apparently that users won't recognize .hta as dangerous.

Now the Firefox extension should be fixed, so I'm not dropping a zero-day tomorrow. That's quite a relief. decided to cut it really close, despite it being a one-line fix. Meaniny: there is a lot that they could do about this issue, but so far they only changed one line.

Their not so useful security bulletin:

It took a long time but I finally disabled notifications when somebody rates my add-on on Mozilla Add-ons site. It's not only about these notifications being far less useful than they could be, explaining documented extension limitations simply isn't a good use of my time.

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.