Month of undisclosed 0-day bugs and Chet Chat 24

Filed Under: Podcast, Vulnerability

MOAUB logo

As summer comes to an end there is nothing better than some security researchers who see fit to disclose a new zero day vulnerability every day for a month. That is in fact what the guys over at Abysssec have decided to do to ensure that the criminals (and pen testers) have plenty of ways to compromise our computers.

The good news is that it would appear that the vulnerabilities being disclosed are already patched. All that is new is detailed analysis of the flaws and proof of concept exploits to attack users who have not patched their software. The bad news is that almost no one has a fully patched environment and these disclosures are so detailed that we can expect a flurry of new malware to take advantage of these flaws.

The first two flaws are in cpanel and Adobe Flash and Reader. It appears the current "STABLE" version of cPanel is affected, yet the "CURRENT" and "BETA" releases have been fixed. The Adobe flaws were fixed in 9.3.3 which was released on June 29th, 2010.

While I understand the importance to penetration testers of having working proof of concept and exploit code, I still think I am going to chalk this one up in the "bad idea" column. The typical argument of pressuring vendors to release fixes does not apply, as most already have, which means the press this is receiving is the likely motivation.

Chet Chat logo

Sophos Security Chet Chat episode 24 is now live on http://podcasts.sophos.com. This week Tony Ross our Global Sales Trainer and I discussed this weeks news as well as a detailed exploration of why testing malware on your own might not be such a good idea.


You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 24.

, ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.