OWASP Podcast News

OWASP NEWS 2010

OWASP Podcast Roundtable
Next recording: February 16, 2010

Listener Question: public file uploads
Paul Wescott asks: "I'd really like to see something about how to securely allow public file uploads to web sites. What are the risks, and how can they be avoided? Discussion around using whitelists, file size limits, file type checking (extension, MIME, magic number checking), handling Office 2007 (archive files), rendering uploaded files as PDFs, virus checking, poison null injection, renaming uploaded files, directory file permissions, etc."
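As an added illustration (not from the podcast or the questioner), here is a small Python upload validator that applies several of the controls the question lists together: an extension whitelist, a size limit, a magic-number check that the content matches the claimed type, rejection of poison-null filenames, and a server-chosen random name. The extension-to-magic table and the size limit are constructed assumptions for the example.

```python
import os
import secrets

# Whitelist of allowed extensions, each with the magic bytes a file of that
# type must start with. Constructed for this example; tune it per site.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB size limit


def validate_upload(filename, data, max_bytes=MAX_BYTES):
    """Return (accepted, reason, stored_name).

    stored_name is a random, server-chosen name; the client's filename is
    used only to read the extension and never reaches the filesystem.
    """
    # Poison null: a NUL byte can truncate the name in lower-level string
    # APIs, so "shell.php\0.png" may be stored as "shell.php". Reject it.
    if "\x00" in filename:
        return False, "null byte in filename", None
    # Keep only the final path component so directory parts are ignored.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not in whitelist", None
    if len(data) == 0 or len(data) > max_bytes:
        return False, "size out of bounds", None
    # Magic-number check: the bytes must match what the extension claims,
    # so renaming a non-image to .png does not get it past the whitelist.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension", None
    stored = secrets.token_hex(16) + ext
    return True, "ok", stored
```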

US Cybersecurity Bill
http://www.theregister.co.uk/2010/02/04/house_cybersecurity_bill/

The US House of Representatives has overwhelmingly passed a bill that would direct almost $400m toward research designed to shore up the nation's cybersecurity defenses.

The Cybersecurity Enhancement Act would authorize $108.7m over five years to establish a cybersecurity scholarship program. In return, students would serve in federal government posts upon graduation.

A few Billion Lines of Code Later
http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext

While we've focused on some of the less-pleasant experiences in the commercialization of bug-finding products, two positive experiences trump them all. First, selling a static tool has become dramatically easier in recent years. There has been a seismic shift in terms of the average programmer "getting it." When you say you have a static bug-finding tool, the response is no longer "Huh?" or "Lint? Yuck." This shift seems due to static bug finders being in wider use, giving rise to nice networking effects. The person you talk to likely knows someone using such a tool, has a competitor that uses it, or has been in a company that used it.

Moreover, while seemingly vacuous tautologies have had a negative effect on technical development, a nice balancing empirical tautology holds that bug finding is worthwhile for anyone with an effective tool. If you can find code, and the checked system is big enough, and you can compile (enough of) it, then you will always find serious errors. This appears to be a law. We encourage readers to exploit it.

Microsoft's 1999 "Secure Windows Initiative"
Proof that Microsoft's 1999 "Secure Windows Initiative" and 2002 "Trustworthy Computing" have provided immutably secure software:

New IE zero-day: IE Flaw Allows File Access
(February 3 & 4, 2010)

Microsoft has issued a security advisory warning of a vulnerability in Internet Explorer (IE) that affects users running Windows XP or who have disabled IE Protected Mode. The vulnerability essentially turns vulnerable computers into "public file server[s]"; attackers can exploit the flaw to access files with known filenames and locations if they trick users into visiting specially crafted websites. The vulnerability is the result of incorrectly rendering local files in the browser. It affects IE 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 SP 4; and IE 6, 7 & 8 on Windows XP and Windows Server 2003.
http://www.microsoft.com/technet/security/advisory/980088.mspx
http://www.theregister.co.uk/2010/02/04/ms_browser_bug/
http://www.computerworld.com/s/article/9151838/IE_flaw_gives_hackers_access_to_user_files_Microsoft_says?taxonomyId=17

Google to Drop IE 6 Support
(February 3, 2010)

Google has announced that as of March 1, 2010, its applications will no longer support Internet Explorer 6 (IE 6). Although Google did not say so directly, the decision may have been influenced by recently disclosed attacks against Google and other US companies that exploited a vulnerability in IE 6. The attacks prompted public warnings in Germany, France and Australia against using IE 6.
http://www.msnbc.msn.com/id/35219388/ns/technology_and_science-security/