| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 19 Dec 2010 14:31:14 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Victor Rigo <victor_rigo@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: adobe.com important subdomain SQL injection
again!
On Sat, Dec 18, 2010 at 6:30 PM, Victor Rigo <victor_rigo@...oo.com> wrote:
> Let's see, flash is:
>
> - Cross-platform
> - Cross-architecture
> - Has it's own programming language
> - Is embedded on websites
> - Access to javascript to popup, local caches, etc.
>
* Insecure (Adobe's implementation)
> It's not ineptness, it's what you get when you right software that can
> actually do stuff.
>
For completeness, I did not claim they are inept - only insecure. Insecurity
in the absence of ineptness is probably more egregious - they should know
better.
It will be interesting to see if HTML 5 has as many security problems. I
would love to see an Adobe implementation of HTML 5 go head to head with
Chrome or IE. Its too bad (or perhaps we are fortunate) that Adobe does not
make browsers.
Jeff
> --- On *Sat, 12/18/10, Jeffrey Walton <noloader@...il.com>* wrote:
>
>
> From: Jeffrey Walton <noloader@...il.com>
> Subject: Re: [Full-disclosure] adobe.com important subdomain SQL injection
> again!
> To: "Maciej Gojny" <vuln@...ko-security.com>
> Cc: full-disclosure@...ts.grok.org.uk
> Date: Saturday, December 18, 2010, 5:53 PM
>
> On Sat, Dec 18, 2010 at 11:58 AM, Maciej Gojny <vuln@...ko-security.com<http://mc/compose?to=vuln@ariko-security.com>>
> wrote:
> > hello full disclosure!
> >
> > After six months from the first contact with Adobe security team,
> important
> > adobe.com subdomain is still vulnerable to SQL injection attacks. We
> hope
> > that this time, serious people will try to solve the problem.
> There's a reason Adobe is the most attacked software [1,2], and its
> probably because they write the most vulnerable software (or
> adversaries are looking for a challenge, which seems less intuitive
> and highly unlikely to me).
>
> It appears "insecurity" is an enterprise wide practice, and not just
> limited to their software.
>
> Jeff
>
> [1] "Adobe surpasses Microsoft as favorite hacker’s target" (Jul 2009)
> http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>
> [2] "Adobe predicted as top 2010 hacker target" (Dec 2009)
> http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists