lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8=JjJUre8u3M+v=NOFwqZc2BaF80O1APdwVWDSXiaskgw@mail.gmail.com>
Date: Mon, 22 Apr 2013 02:39:52 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Benji <me@...ji.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: VUPEN Security Research - Adobe Flash Player
 RTMP Data Processing Object Confusion (CVE-2013-2555)

On Sat, Apr 20, 2013 at 7:37 PM, Benji <me@...ji.com> wrote:
> Because security engineers are different to a QA department you originally
> suggested, and you seem to be very ideologist about the scenarios. As we've
> seen, Oracle's Java product has security engineers and this has not
> prevented flaws.
Oracle is probably not a good example since it leaves known flaws in
the code base.

http://www.h-online.com/security/news/item/Java-7-Update-21-closes-security-holes-and-restricts-applets-1843558.html:

The warnings for Java applets now come in two types: an applet that
has a valid certificate generates a warning dialog with the Java logo
in it and details of the applet's certificate, but an applet that is
signed with an invalid certificate, is unsigned or self-signed, will
generate a warning with a yellow shield and warning triangle which is
designed to recommend that the applet should not be run. There is a
problem though with the certificate checking; as The H reported in
March, criminals were using revoked certificates as part of their
attacks and the Java runtime was doing nothing to check the validity
of certificates. On the latest update of Java, this has not changed
either; online validation and revocation checks are still off by
default.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ