Re: [FD] Java 8u40 released: why?
On 2015-03-07 15:00, Nick FitzGerald wrote:
> So you did not notice the explanation that this would happen, right there on the "continue the install" permission dialog? The one we can see a screenshot of at, say:
>
> https://grahamcluley.com/2015/03/oracle-java-mac/
>
> Your description rather strongly implies that you have no choice in getting the Ask toolbar, which is untrue.
>
> I understand that Mac users will likely not be _accustomed_ to such permissions for _additional_ software, over and above the actual software that they thought they were installing, being requested, BUT unlike your description above and Ed Bott's at ZDNet (referenced in another post in this thread), the user is actually given the choice to not install the extra offer.
>
> Of course, questions as to the desirability of the option being pre-selected, and the possibly less than fully transparent directions about the necessity of the offer are much the same with the Mac version and the Windows version, whose permission dialog you can see here:

Unfortunately for Apple and for Mac users in general, Mac users are going to have to learn that the main security issue on Windows exists in OSX too: The user.

The only real thing that has kept OSX safe from user-installed malware until now is the relative obscurity of OSX; as OSX gains enough market share to be worth malware authors' time, we'll see more and more malware, ranging from bundleware that replaces user preference with a particular corporate interest, right up to full-on trojans.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives RSS: http://seclists.org/fulldisclosure/
Re: [FD] Responsible disclosure: terms and conditions
On 2014-06-08 04:03, Paul Vixie wrote:
> this is concerning, for two reasons.
>
> first, for enforceability, a contract requires exchange of consideration. what's yours? i can see that the vendor is receiving something of value (the disclosure) but it's not clear what you're getting in return beyond the opportunity to have your good deeds go unpunished. absence of a negative does not amount to a positive in the eyes of the law.

Indemnity is definitely consideration. I'm not sure that "1- You will not attempt to threaten or prosecute the researcher in any jurisdiction." is sufficient though, but something similar in appropriate legalese would possibly do the trick.

There also needs to be an enforcement or penalty clause that is mutually agreeable (and this is probably where most companies will start to wonder if agreeing is worthwhile). A contract without an enforcement clause is mostly useless since a violation will, at most, allow the opposing party to disregard the contract. This works great in an "I will mow your lawn as needed for $80/week" contract, in which case, in the event of a breach, the other party would stop complying with their terms.

In this case, the vendor has an ongoing obligation to not sue, whereas the researcher has completed their portion as soon as they reveal the information to the company (or as soon as they complete a defined responsible disclosure period). If the company chooses to pursue legal action against the researcher, the researcher has no remedy in the contract. At a minimum, agreeing to limit damages in the event of any and all legal actions resulting from researching and disclosing the vulnerability would be a start.

Still, I like the idea, especially if it's something that a reasonable number of researchers use.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [FD] TrueCrypt?
On 2014-06-03 04:09, Dave Howe wrote:
> The issue we have with the current TC builds is that they are not reproducible. The source code is available online, and is in the process of being audited, but there is no guarantee the installer almost all the users have installed TC with contained code actually built from that source.

https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/ claims to have managed to build a reasonably identical build (such that the remaining differences can be identified and explained as build date/time stamps). The site includes instructions to reproduce the work.

I haven't tried it personally, but it might be an interesting exercise to see if anyone else can independently reproduce the binaries.
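The "reasonably identical, remaining differences are build timestamps" check discussed above, as an added example (not code from this thread or from the linked Concordia analysis): it diffs a shipped PE binary against a local rebuild and reports every differing byte that is not inside the COFF header TimeDateStamp. The sample buffers are constructed in-line and are not real TrueCrypt files.

```python
"""Compare a vendor-shipped PE binary with a locally rebuilt one and list the
byte offsets whose difference is NOT explained by the COFF TimeDateStamp.
Added example for this thread; sample 'binaries' are constructed below."""
import struct


def pe_timestamp_range(data: bytes):
    """Return (offset, length) of the COFF TimeDateStamp, or None if the
    buffer is not PE-shaped (no MZ/PE signatures or truncated headers)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # After "PE\0\0": Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew + 8, 4


def unexplained_diffs(shipped: bytes, rebuilt: bytes):
    """Offsets that differ outside the timestamp field. A size mismatch can
    never be 'just a timestamp', so it is reported as offset -1."""
    if len(shipped) != len(rebuilt):
        return [-1]
    ts = pe_timestamp_range(shipped)
    masked = set(range(ts[0], ts[0] + ts[1])) if ts else set()
    return [i for i, (a, b) in enumerate(zip(shipped, rebuilt))
            if a != b and i not in masked]


def build_sample_pe(timestamp: int, payload: bytes) -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header, PE signature,
    20-byte COFF header with the given timestamp, then a code body."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + payload


if __name__ == "__main__":
    body = b"\x90" * 16 + b"constructed code bytes"
    shipped = build_sample_pe(0x5305A2C0, body)   # constructed build time
    rebuilt = build_sample_pe(0x5387B1F0, body)   # same code, later build
    print("rebuild matches modulo timestamp:", unexplained_diffs(shipped, rebuilt) == [])
    tampered = build_sample_pe(0x5387B1F0, body[:-1] + b"!")
    print("unexplained offsets:", unexplained_diffs(shipped, tampered))
```

Real verification would also mask other build-dependent fields (debug directory GUIDs, section checksums) before trusting an empty result; an empty list here only means "identical apart from the header timestamp".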
Re: [FD] Discussion: Teamviewer Feature or Bug?
On 2014-05-08 02:00, hheilem...@meko-s.de wrote:
> today I remote-controlled a device with teamviewer. This is not very special. But: with me connected was another person (technician) from another company. He did some maintenance work on the device and I simply followed him.
>
> Now, here comes the issue: the technician copies with STRG+C and STRG+V some passes between his client and the managed device. I did nothing, except opened a notepad on my computer and hit STRG+V several times. Guess what: his clipboard entries were shown in my notepad.
>
> So: Is this a Feature or a Security Bug?

I'd argue feature, although one that can potentially be exploited if you observe someone copy/paste a password. I've inadvertently captured a user's password with local clipboard monitoring software after TeamViewer, so I can certainly understand the potential risk of information leakage.

On the flip side, this is a *very* useful feature. Ideally it would have a "Share clipboard with remote side? (Yes, no, for this session, always)" dialog the first time someone modifies the clipboard while TeamViewer is being used, to give users some level of control.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: [FD] Arbitrary code execution by admins in File Gallery 1.7.7 (WordPress plugin)
On 2014-04-29 05:13, Illwill wrote:
> What circumstance would a WordPress admin not usually have this kind of access anyhow?

Although it's rarely used, WordPress does have the capability to support multiple levels of administrators, in which case one may have access to an already installed plugin, but not to install their own.

The same may be true if this plugin were installed in multiuser mode, although I haven't kept up on what is permitted in multiuser mode, or whether this plugin works in multiuser mode or not.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren