Microsoft shortcut fix and Black Hat 2010 roundup

Black Hat logo

Black Hat logo

Microsoft announced Friday that they will be releasing an out of band patch for what has been known as the Windows shortcut vulnerability. The fix will be released on Monday August 2nd at approximately 10 AM Pacific Daylight Time (1700 UTC). If you are anxious to start testing keep an eye on the MSRC blog for more information.

This week’s Sophos Security Chet Chat is primarily about the Windows shortcut vulnerability. Michael Argast and I also debated whether OS X is in fact the most vulnerable operating system and the Safari vulnerability in auto-complete.

My favorite Black Hat presentation was likely the one on modern online privacy by Moxie Marlinspike. His session was entitled “Changing Threats to Privacy: From TIA to Google” and detailed the numerous ways the concept of Total Information Awareness has been abandoned for easier ways to spy on us.

Moxie talked about a tool he has released to allow people to use Google services without sacrificing their privacy to the big G. It is called GoogleSharing and is available from He also released another tool to assist Android users with securing their SMS messages and VOIP phone calls from being snooped. You can find out more at

I also went to see Dan Kaminsky’s talk on web threats… except it wasn’t on web threats. Dan’s obsession has been with DNS since his announcement of the DNS flaw two years ago at Black Hat. This year was no different and he delivered a last minute talk on DNSSEC and how the root of the DNS being signed a few weeks ago is going to change the world. Dan’s world sees the DNS root and chain of trust being the foundation of federated identity on the internet. I like the picture he painted, but I am skeptical that it will be as easy as he lead us all to believe.

I will continue to go through all my notes and post some of the remainder of the best of Black Hat and Defcon in the next few days.