Posts tagged with "security"
P.S.: it has a subproject dedicated to finding out whether a script was obfuscated or not, which sounds nice for automated submission systems in app stores and so on.
- Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive - The security of WebGL as a whole depends on lower levels of the system, including OEM drivers, upholding security guarantees they never really needed to worry about before.
- Browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience - Without an efficient security servicing model for video card drivers (e.g. Windows Update), users may either choose to override the protection in order to use WebGL on their hardware, or remain insecure if a vulnerable configuration is not properly disabled. Users are not accustomed to ensuring they are up-to-date on the latest graphics card drivers. [...] In some cases where OEM graphics products are included with PCs, retail drivers are blocked from installing. OEMs often only update their drivers once per year, a reality that is just not compatible with the needs of a security update process.
- Problematic system DoS scenarios - Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry. [...] it will be possible for any web site to freeze or reboot systems at will.
It's nice to see that at least Microsoft is mature enough not to let the 3D hype threaten the security of the web landscape. Hopefully, other vendors understand that too.
Facebook in particular is the most appalling spying machine that has ever been invented. Here we have the world’s most comprehensive database about people, their relationships, their names, their addresses, their locations and the communications with each other, their relatives, all sitting within the United States, all accessible to US intelligence. Facebook, Google, Yahoo – all these major US organizations have built-in interfaces for US intelligence. It’s not a matter of serving a subpoena. They have an interface that they have developed for US intelligence to use.
Now, is it the case that Facebook is actually run by US intelligence? No, it’s not like that. It’s simply that US intelligence is able to bring to bear legal and political pressure on them. And it’s costly for them to hand out records one by one, so they have automated the process. Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them.
P.S.: and do not forget, the CIA is by far not the worst possible information collector, so when you [plan] to use any social network site, think about it.
- A number of serious security issues have been identified with the specification and implementations of WebGL.
- These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
- Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk.
- These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
- Browsers that enable WebGL by default put their users at risk to these issues.
WebGL is not yet ready for production, and hopefully more people will see that before 3D mania forces vendors to roll out untested features into the wild.
The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).
The exploit works on both Chrome versions 11.x and 12.x. It was tested with Chrome v11.0.696.65 and v12.0.742.30.
A new kit named the Weyland-Yutani BOT is being marketed as the first of its kind to attack the Mac OS X platform.
The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.
We’re delighted to offer our first “elite” $3133.7 Chromium Security Reward to Sergey Glazunov. Critical bugs are harder to come by in Chrome, but Sergey has done it. Sergey also collects a $1337 reward and several other rewards at the same time, so congratulations Sergey!
Study well, kids, and you can be like him.