While driving in Port Charlotte, FL yesterday, we stopped to take the following picture:

http://www.screencast-o-matic.com/screenshots/u/Lh/1361788440728-15216.png

No, I didn’t go out of the car. After all, I have a presentation coming up in Florida on the 27th and would like to do so outside of this gator’s belly. ;D

Don’t know what you’re worried about, Bob; we’ve got Goannas/Monitors bigger than that and they’re probably more aggressive too.
The kids over here would play with that like a pet ;D

Wait till you’ve seen a 20 to 25Ft salty ( Crocodile )

I’d be happy to photograph the big ones. Just send me round trip air fare. :slight_smile:

Keep hoping :wink: Maybe avast will pay for your trip to Aus ;D

I lived in Cape Coral, FL, just south of Port Charlotte, for 35 years and gators like that were a common sight on golf courses and just about anywhere there was water. After one of the bigger storms, a neighbor went out to check his pool only to find a 10 footer happily swimming in it. I frequently had small ones follow my bass lures while I was fishing in the canals and lakes.

Full Moon

http://www.screencast-o-matic.com/screenshots/u/Lh/1361953434915-83414.png

Sad but apparently true:
Windows XP and Firefox take 25-year lead in security flaws

Interesting quote from the article.

For high-severity vulnerabilities, the product Windows XP earns the dubious distinction of the No.1 spot. "What's also interesting here is that of the top four browsers that have a total of 90 percent of the browser market share, Firefox has the most vulnerabilities in every category, followed by Chrome, then Internet Explorer and finally Safari," the report concludes.

Vulnerabilities in Firefox are openly disclosed and Mozilla has a policy of fixing them quickly, which has meant that Firefox has been remarkably secure over the years- a success story and nothing to be sad about. Vulnerabilities in closed source software may not be disclosed, even after they are fixed. There is also the question of how long vulnerabilities remain unfixed and whether they are used in attacks. Meaning this is a stupid measure of security for a browser, as usual.

To add onto FreewheelinFrank’s reply,

As Firefox and Chrome are open-sourced, it is only natural that more bugs are to be found; but because it is open-sourced, they will be fixed by the community. Internet Explorer, on the other hand, isn’t open sourced. So naturally, less bugs will be announced to the public domain. The bad guys would want to keep the vulnerability from going public for as long as possible, no?

~!Donovan

It has nothing to do with what was announced by the browser providers but rather with flaws that were discovered by anyone, in house or not. Independent analysts all the way.

Hi Dch48,

Now they are saying that about Windows XP; a year further down in time they will say it about Vista.

pol

I don’t think so. As bad as Vista is/was, it was always rated as more secure than XP.

If in-house flaws are not disclosed, then they cannot be part of the analysis.

Microsoft doesn't report all security vulnerabilities that it fixes in its software. Bug comparisons between vendors therefore paint an incorrect picture.

“We don’t document every issue found,” Mike Reavey, director of the Microsoft Security Response Center (MSRC), said at a meeting with reporters at the company’s corporate headquarters in Redmond, Washington.

http://www.pcworld.com/article/197410/Microsoft_patch.html

They most certainly can when discovered by independent analysts. If they don’t get discovered that way, then they’re not important.

Vulnerabilities that Microsoft fixes can’t be part of the analysis if Microsoft doesn’t disclose them, and Microsoft doesn’t always disclose them; Mozilla has a different, open policy on vulnerabilities, which means the two can’t be compared.

Microsoft’s “silent fixes” most certainly have been important.

Gotta love the way you blithely assume reality is going to comply with your prejudices, but how about looking at the evidence?

http://www.zdnet.com/blog/hardware/microsoft-silently-patches-vulnerabilities-leaves-admins-in-the-dark/8239

http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Manzuik.pdf

Don’t see any “evidence” that changes the findings of the article that was posted.

http://mason.gmu.edu/~cmcgloth/portfolio/fallacies/red.html

Hi FwF,

Some of the vulnerabilities have been longer with us, so MS was sitting on them for quite some time: http://www.coresecurity.com/content/CORE-2010-0424-windows-smtp-dns-query-id-bugs (2008/2009 flaw code recycled)
What has not been discussed here, and this is also seen to play a lot in the open source bug discussion, is the impact when we combine two or more bugs/vulnerabilities and then sometimes we can arrive at a very workable dangerous new 0-exploit. Understandable because MS never started with a clean slate, but has been building code layer on code layer in their eternal patching and securing their multitude of lines with maybe as many bugs and holes like the proverbial Swiss cheese product ;D

In defense of our good friend, Dch48, however, we have to admit that exploits that are used in malware are almost 99% borrowed from known failsafe exploit code that malcreants get from hackers and/or security researchers/testers. Exploit kit code launchers do not add new exploit code, they use those of others. That is why I have always been doing third party reconnaissance mainly…

pol

New zero-day exploits seem to be used in targeted attacks and “watering hole” attacks before ending up in exploit kits (sometimes while still zero-day), the order of course being the order of payment size in time available- targeted and watering hole attacks paying more but only in the short period the exploit is zero-day.

http://krebsonsecurity.com/2012/12/attackers-target-internet-explorer-zero-day-flaw/

http://krebsonsecurity.com/2012/09/microsoft-issues-stopgap-fix-for-ie-0-day-flaw/

Edit: added some more links…

Here’s an example of a zero-day sold for targeted attacks:

http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

And here’s an example of a zero-day added to an exploit pack:

http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/