Episode 8, May 25, 2012
This podcast is brought to you by the Greater Lafayette Security Professionals (GLSP) group and the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
Show Notes
Hosts
- Preston Wiley, CISSP, CCNA
- Mike Hill, CISSP
- Keith Watson, CISSP, CISA
Announcements
- The Greater Lafayette Security Professionals June meeting will be on June 14, 2012. There is no topic yet. Please contact Keith if you have a suggestion or something to present.
Security Updates
- Google updated Chrome to version 19.0.1084.52, May 23rd
- Apple releases Leopard Security Update 2012-003, May 14
- Apple releases Leopard Flashback Removal Security Update, May 14
- Apple releases QuickTime 7.7.2 for Windows 7, Vista, XP SP2 or later, May 15
Tools Discussion
- IBM bans Siri on the iPhone citing data leakage concerns by Robert McMillan (Wired on CNN)
- Anatomy of a security hole - the break that broke sudo by Paul Ducklin (nakedsecurity blog)
- sudo, a well-reviewed security tool, had a trivial programming error that lead to security problem.
- sudo exists as the default system administration tool for a majority of UNIX systems.
- In a C switch statement, a single “break” line was missing. The compiler didn’t catch it. The logic of the statement was reversed and permitted an action that would normally have been prevented.
- The rules file can contain a network specification including a netmask.
- The check_netmask routine would check validate IPv4 first, if that failed it should return a failure (operation not permitted). However, without the break statement, execution continued into checking IPv6 which returned successfully. The command execution was allowed when the policy said that it should be denied.
- The patch was one line, adding back the missing “break” line.
Anatomy of an exploit - six, in fact - as Google reveals details of Pwnium hack against Chrome by Paul Ducklin (nakedsecurity blog) and A Tale of Two Pwnies (Part 1) (The Chromium Blog)
- Pinkie Pie used a series of six vulnerabilities in sequence to exploit Google Chrome in the Pwnium contest at CanSecWest.
Yahoo leaks its own private key via new Axis Chrome extension by Joshua Long (nakedsecurity blog) and Yahoo Axis Chrome Extension Leaks Private Certificate File by Nik Cubrilovic (New Web Order blog)
- Yahoo mistakenly bundled its private key inside the Chrome extension version of Axis.
The Serious about Security Podcast is brought to you by the Greater Lafayette Security Professionals (GLSP) group, Secure Purdue, and the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
Serious About Security RSS Feed
The views and opinions expressed in this podcast are those of the participants and do not reflect the views and opinions of Purdue University and The Center for Education and Research in Information Assurance and Security (CERIAS).
Leave a comment
Current News
CERIAS Weblogs
Upcoming Events
Footer
RSS Feeds
Combined RSS Feed
News RSS Feed Events RSS Feed Weblogs RSS Feed Security Seminar Podcast
Twitter: @cerias, @ceriasarchive, #cerias
LinkedIn: CERIAS Alumni, Staff and Friends
Facebook: Friends of CERIAS
Mailing Address: CERIAS, Purdue University / 101 Foundry Drive / Convergence Center / Suite 3800 / West Lafayette IN 47906-3446
phone (765) 494-7841 / fax (765) 496-3181 / Travel Info
Copyright © 2024, Purdue University, all rights reserved. Purdue University is an equal access/equal opportunity university.
If you have trouble accessing this page because of a disability, please contact the CERIAS webmaster at webmaster@cerias.purdue.edu. Some content on this site may require the use of a special plug-in or application. Please visit our plug-ins page for links to download these applications.
Privacy Policy
Comments