From this year's Black Hat conference in LA, we've got a couple of
interesting things...

First was this talk that got canceled by a federal court, but whose
slides are online. It's called:
        - Anatomy of a Subway Hack - 
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf

Secondly, someone just reset Windows browsers' security by 10 years of
history:
        - Bypassing Browser Memory Protections - 
http://taossa.com/archive/bh08sotirovdowd.pdf
"The internal state of the browser is determined to a large extent by
the untrusted and potentially malicious data it processes. The
complexity of HTML combined with the power of JavaScript and VBscript,
DOM scripting, .NET, Java and Flash give the attacker an unprecedented
degree of control over the browser process and its memory layout."

That subway hack shows us that security looks good on paper, but it's
easily compromised in the field, and that Windows browser security problem
shows us that whoever advocates that the world should only need a browser, so
that applications would be only web based, well, should be kicked in
the balls every time he opens his mouth. Don't get me wrong, I like
web apps (not), I feel that the world should rely on a couple of them,
while on an intranet use basis, but what I really don't fully
understand is people who advocate that mobile web apps are the future,
while we're witnessing over and over again huge security problems with
browsers, where the mobile ones are no exception; they do have
limitations and in time will have equal security problems.

//VD


  
_______________________________________________
tce mailing list
tce@lists.paradigma.pt
http://lists.paradigma.pt/mailman/listinfo/tce
