All, I just want to lead you all through a new discussion topic that came out of
the many discussions and experience we have had so far. From a Global IT Security
standpoint, the new generation security risks would not just be
malware/hacking, but the risk will also be a newly developed
software/application that can act like malware or support in its illegal
functions.

Your thoughts on this? The idea behind or the outcome from this would be to
re-define and classify the types of security risks based on test evaluation
of process / application / software / infrastructure.

As I said, our focus should be on global interest, not limited to our state
or country alone. This will further be helpful in effective risk management
and thereby business continuity.


Regards
Sandeep Thakur
On Fri, May 28, 2010 at 4:23 PM, N41K <[email protected]> wrote:

> I would like to add something here...
>
> Every user needs to harden their browser in order to protect themselves from
> all the possible client-side attacks.
>
> Let's be proactive, before being a victim and waiting for a solution.
>
> Regards,
> 0xN41K
>
> On May 26, 7:30 pm, Sandeep Thakur <[email protected]> wrote:
> > Microsoft is preparing a security update in June for the IE XSS filter in
> > Internet Explorer 8.
> > The update will address a flaw in IE 8 that could enable cross-site
> > scripting (XSS) attacks by hackers. Security Response Center spokesman
> > David Ross said last week in this blog post that the change will address the
> > "script tag attack scenario" that was described at a Blackhat Europe
> > presentation earlier this month.
> >
> > At that conference, security researchers David Lindsay and Eduardo Vela Nava
> > presented their findings on how the IE 8 XSS filter could be abused,
> > resulting in universal cross-site scripting (UXSS) attacks.
> >
> > Security experts and Microsoft's Ross explained that unlike traditional XSS
> > attacks that require the vulnerability to exist on a specific infected Web
> > site, UXSS attacks target vulnerabilities in client applications, such as
> > browsers, browser plug-ins and PDF readers.
> >
> > "This issue manifests when malicious script can "break out" from within a
> > construct that is already within an existing script block," wrote Ross. He
> > added that while the issue was preliminarily identified and addressed in a
> > January patch of the browser
> > (MS10-002 <http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx>),
> > the new real-world example of UXSS is prompting Microsoft to prep a new
> > patch for June.
> >
> > Chenxi Wang, security and risk management analyst at Forrester Research,
> > said this vulnerability is brought on when the XSS filter incorrectly
> > disables certain Hypertext Mark-up Language (HTML) attributes. Consequently,
> > it becomes possible for a specially crafted Web page to be loaded, allowing
> > an attacker to execute scripts in a user's browser.
> >
> > "This mistake made by the cross-site scripting filter in IE actually caused
> > a cross-site scripting error to occur," she said. "This is interesting,
> > because the mission of the XSS filter is to prevent this type of error to
> > happen, but in effect it actually caused an additional XSS attack."
> >
> > Joshua Talbot, security intelligence manager at Symantec Security Response,
> > added that such an attack requires a multifaceted and sophisticated method
> > of incursion.
> >
> > "First, they would have to find a suitable target Web site that allows users
> > to publish content, such as a social networking site," he said. "Second,
> > they would have to lure the victim to this page by clicking a specially
> > crafted link. Finally, they would have to have the victim follow the link
> > with a vulnerable Web browser."
> >
> > Talbot added that with the increasing reliance on browsers and Web sites for
> > banking and communication, UXSS vulnerabilities will become increasingly
> > useful and valuable to attackers.
> >
> > Fortunately, the researchers who found this security hole worked directly
> > with Microsoft, according to both Wang and Talbot. Microsoft subsequently
> > released its initial update in January and again in March
> > (MS10-018 <http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx>).
> >
> > Security experts applaud the prospect of a more substantive fix release in
> > the early summer. Microsoft's David Ross said that the company looks
> > "forward to continuing to improve the Internet Explorer XSS Filter going
> > forward to address new attack scenarios and the evolving threat landscape."
> >
> > "Like many security issues -- take malware as an example -- attack vectors
> > are always a moving target," Ross wrote. "The role of the browser maker is
> > to do everything we can to keep people safe without them having to do a lot
> > of extra work."
>
> --
>  You received this message because you are subscribed to the Google Groups
> "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<nforceit%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/nforceit?hl=en-GB.
>
>
