Update : Verisign already closed the hole.
This morning (in the US- afternoon in Europe), a team of security researchers revealed that they are in possession of a forged Certificate Authority digital certificate that pretty much breaks the whole idea of a trusted website. It allows them to create a fake SSL certificate that your browser will accept for any website.
We’ve been covering a heck of a lot of territory in our series on Building a Web Application Security Program (see Part 1, Part 2, Part 3, Part 4, Part 5, and Part 6). So far we’ve covered secure development and secure deployment , now it’s time to move on to secure operations. This is the point where the application moves out of development and testing and into production.
A Microsoft Security Advisory for SQL Server (961040) was posted on the 22nd of December. Microsoft has done a commendable job and provided a lot of information on this page, with a cross reference of the CVE number (CVE-2008-4270) so you can find more details if you need it. Any stored procedure that provide remote code execution can be dangerous and is a target for hackers. You want to patch as soon as Microsoft releases a patch. Microsoft states that “… MSDE 2000 or SQL Server 2005 Express…
‘The Microsoft Security Advisory (961040) for SQL Server was posted on the 22nd of December. Microsoft has done a commendable job and provided a lot of information on this page, with the cross reference of the CVE number (CVE-2008-4270) so you can find more details if you need it. Like any of the store procedures that provide remote code execution, they can be dangerous and are targets for hackers.
The Microsoft Security Advisory (961040) for SQL Server was posted on the 22nd of December. Microsoft has done a commendable job and provided a lot of information on this page, with the cross reference of the CVE number (CVE-2008-4270) so you can find more details if you need it. Like any of the store procedures that provide remote code execution, they can be dangerous and are targets for hackers.
Remember our first post that there are no trusted sites? Followed by our second one? Now I suppose it’s time to start naming names in the post titles, since this seems to be a popular trend.
This will be our last Friday Summary for 2008. This afternoon Adrian and I are off to The Office for our Securosis Annual Staff Festivus Party (sorry Chris, but we can drunk dial you if that makes you feel included).
Looks like the RIAA has finally realized that treating customers like criminals isn’t the best strategy in the world. According to the Wall Street Journal (via Slashdot) they are ending their campaign of suing individual file sharers to focus on working with ISPs to reduce illegal sharing.
Just ran across this ‘new’ SQL Server vulnerability in my news feed. This should not be an issue because you should not be using this set of functions. If you are using external stored procedures on a production database, stop. In fact, you want to stop using them altogether by either locking them down or removing them entirely. Not just because of this reported instance. External stored procedures exploits are favorites of database hackers, and have been used to alter database functionality and…