  • Not Local.. Not Remote..

    [This was originally published on the OSVDB blog.] Several of us working on VDBs have debated over the years how best to handle vulnerabilities that aren’t necessarily remote or local. Issues like image or archive handling vulnerabilities, where the program processing a malformed file is prone to an overflow, traversal or denial of service. While…

  • The Real Animals

    The Denver Zoo is a great place and has nice exhibits along with a wide variety of denizens. As most summer weekends, it gets really crowded and the number of sprogs and fat oblivious people is almost unbearable. Kids will be kids, but parents simply don’t care about the results of their kids’ actions and…

  • Veterinary Detachment

    Some doctors seem detached from reality at times. They don’t quite get how the real world and life’s obligations can get in the way of always thinking about the ideal way to live. Veterinarians are worse, especially when it comes to applying medicine. Yes, they can apply the most obnoxious treatment to an animal at…

  • Month of ActiveX Bugs…

    [This was originally published on the OSVDB blog.] Yet another “Month of..” bug campaign. This time, the Month of ActiveX Bugs (MoAxB) will focus on vulnerable ActiveX controls. Do a quick title search for “activex” and you will see a healthy history of vulnerabilities related to ActiveX controls. There is already a debate on the…

  • Disclosure: Apache Axis Nonexistent Java Web Service Remote Path Disclosure

    [This was originally disclosed on the VIM mail list. VulnDB ID 34154] Watchfire’s Appscan product looks for this vulnerability (not sure what they officially title it, the title above is my own), but I can’t find any reference to it. Google finds a lot of indirect references suggesting it is common knowledge to the folks…

  • Anatomy of TWOVB hoax…

    [This was originally published on the OSVDB blog.] In the final days of March, a “week of Vista bugs” was announced. As some suspected, it turned out to be a hoax. For the full story on how it was carried out, check the breakdown from the perpetrators. All in all, not a very impressive hoax…

  • Finding New Music

    I’m always looking for new music. I currently have almost two gigs of music to listen to and filter through before potentially adding it to my playlist. On average, for every 30 songs I listen to only one makes it to my “probably good” folder. Weeks or months later I make a pass through that…

  • Analogies Keep Failing

    [This was originally published on the OSVDB blog.] One of the most often used, and later debated, analogies used for actions in the security/hacker industry is that of comparing port scanning to walking down a road checking doors and windows to see which are unlocked. This is fundamentally flawed because port scanning looks for open…

  • News Pundits, the Real Tragedy

    Windbags like Nancy Grace are saying she will *demand* answers about why there wasn’t a better response, why students weren’t told about the shooter, how they could have saved 31 lives if they had, and why [person|group] didn’t [act|react] to [incident|shooter|actions]. She is pointing fingers at the campus administration for not having a better incident…

  • [update] Month of PHP Bugs

    [This was originally published on the OSVDB blog.] I previously blogged about the Month of PHP Bugs [MOPB], an effort led by Stefan Esser and the Hardened PHP Project to raise awareness about vulnerabilities in the PHP language. The month has come and passed and of course I have to wonder about a few things.…