Template:Application Security News


 * Jan 10 - Vulnerability Disclosure: The Good, the Bad and the Ugly
 * More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure, or less? Three good articles: Microsoft: Responsible Vulnerability Disclosure Protects Users; Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'; The Vulnerability Disclosure Game: Are We More Secure?; and The Chilling Effect.


 * Jan 3 - XSS in ALL sites with PDF download
 * A critical XSS flaw that is trivial to exploit in all but the very latest browsers. Attackers simply have to append a fragment such as #attack=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or that streams a PDF). The solution is to not use PDFs, or for Adobe to patch the planet.


 * Dec 16 - What IS security critical code?
 * "It's likely that in most incidents of people being killed as a result of software bugs (or IT systems bugs), the software wasn't thought to be safety-critical at all. For example, a word-processor failing to recognize that a print request has failed, resulting in a patient not getting a letter giving a hospital appointment. Or someone committing suicide because of an incorrect bank statement." Michael Kay on the xml-dev list, 8/17/2005


 * Older news...