Dolemite
Current Topic: Technology

Idea for a Bumper Sticker
Topic: Technology 1:19 pm EDT, May 22, 2009

Earlier on IRC today someone mentioned that they had bought some SQL Injection Bumper Stickers. This led me to the idea for the following. I think I'll have to get some made up and hand out at PN.

My child is an '; update GradeBook set Grade=A where StudentID=423867;


Adobe flaw #$%&s everyone
Topic: Technology 1:10 pm EST, Jan  5, 2007

There is a flaw in Adobe’s Acrobat reader plugin which allows JavaScript to execute. This flaw means every website that contains a PDF file has a de facto Cross Site Scripting (XSS) vulnerability. Clicking on a link like http://bank.com/report.pdf#EVILCode will cause JavaScript to execute in the context of bank.com. Regardless of how secure bank.com’s website is, attackers can get their own JavaScript to interact with the website, exposing everyone on bank.com to all the traditional dangers of XSS. It is important to note that there is nothing wrong or malicious about the PDF file itself. An attacker doesn’t need to upload a malicious file for this to work. The issue is Adobe executes any JavaScript that is contained in the fragment (#) of a hyperlink.

This flaw essentially backdoors every website on the Internet that hosts a PDF. Any website with a PDF can be the target of a hyperlink with a malicious fragment added to it. This flaw is so extremely dangerous because an attacker simply creates a malicious hyperlink to any legitimate PDF on any website and can attack that website.

It gets worse, because there is little a website can do to stop the attack. If a victim clicks on a link like http://bank.com/report.pdf#EVILCode, the #EVILCode fragment is not actually sent to bank.com. Thus bank.com cannot detect if a PDF is being requested to launch an attack, or is being requested for legitimate purposes. Short of removing all PDFs from their site, a company cannot protect itself or its users from this technique. This flaw can also be exploited using an HTML iFrame. This means a victim doesn’t have to physically click on a bad link; simply viewing a website could cause a PDF to load and exploit the user.

XSS can be used for various types of attacks, such as phishing, password stealing, self-propagating worms, keystroke logging, and attacking internal corporate networks.

This vulnerability is interesting because it occurs in a browser plugin, making all browsers that use the plugin vulnerable. It is also interesting because it doesn’t require an attacker to create or upload a malicious file. This attack piggybacks on top of perfectly safe PDFs.

Updated
Affected Browsers: (all on Windows)
IE6 + Acrobat Reader 7 + XP SP1
IE6 + Acrobat Reader 4 + XP SP2
(possibly) IE 6 on non-XP platforms
Firefox 2.0.0.1
Firefox 1.5.0.8
Opera 8.5.4 build 770
Opera 9.10.8679
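
The point made above, that the `#` fragment never reaches bank.com, shown as an added example (not from the original post or from Adobe). The link checker, its `#page=N` allowlist, and the sample HTML are assumptions constructed for illustration; it is meant for content a site controls or moderates.

```javascript
// Added example. All URLs and HTML below are constructed sample data.

// What the origin server receives for a link: path and query only.
// The fragment is stripped by the browser before the request is sent.
function serverView(link) {
  const u = new URL(link);
  return { requestLine: `GET ${u.pathname}${u.search} HTTP/1.1`, host: u.host };
}

// What stays in the browser and is handed to the PDF plugin.
function clientOnly(link) {
  return new URL(link).hash.slice(1);
}

// Assumed policy for this sketch: the only fragment accepted on a PDF link
// is a plain page jump such as #page=4.
const SAFE_FRAGMENT = /^page=\d{1,5}$/;

// Scan markup you host or moderate (user posts, CMS pages) for href/src
// values that point at a PDF and carry any other fragment.
// Regex attribute matching is a simplification; a real HTML parser is sturdier.
function suspiciousPdfLinks(html, base) {
  const found = [];
  const attr = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  for (const m of html.matchAll(attr)) {
    const raw = m[1] ?? m[2];
    let u;
    try { u = new URL(raw, base); } catch { continue; } // skip unparsable values
    const isPdf = u.pathname.toLowerCase().endsWith('.pdf');
    const frag = u.hash.slice(1);
    if (isPdf && frag !== '' && !SAFE_FRAGMENT.test(frag)) found.push(u.href);
  }
  return found;
}

// Constructed sample page: two ordinary PDF links, the post's example link
// as an anchor and as an iframe, and a non-PDF link with a fragment.
const SAMPLE_HTML = `
<a href="/docs/report.pdf">report</a>
<a href="/docs/report.pdf#page=4">page 4</a>
<a href="http://bank.com/report.pdf#EVILCode">click</a>
<iframe src='http://bank.com/report.pdf#EVILCode' width="0"></iframe>
<a href="/about.html#team">team</a>`;

console.log(serverView('http://bank.com/report.pdf#EVILCode'));
console.log(suspiciousPdfLinks(SAMPLE_HTML, 'http://bank.com/'));
```

Both `http://bank.com/report.pdf` and `http://bank.com/report.pdf#EVILCode` produce the same request line, so the server's access log cannot tell them apart; the check only helps on the pages where such links are published.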



Sun buys Hewlett and Packard | The Register
Topic: Technology 12:41 pm EDT, Aug 21, 2006

Sun Microsystems on Thursday announced that it purchased Hewlett and Packard for a little over $6,000.

In a crafty public relations stunt, Sun has acquired a wooden sculpture of Bill Hewlett and Dave Packard and decided to send the object on the road to find HP's "sense of humor." A local artist had offered the Hewlett and Packard sculpture, which is part of a larger collection, to HP corporate, but the company passed. So, Sun stepped in with $6,000 and bought the Silicon Valley legends.

The Hewlett and Packard figure is part of the Silicon Valley Hitchhiker series that we've been covering for the past couple of weeks. Local artist Julie Newdoll teamed with Jim Pallas, Mike Mosher and Mario Wolczko to create and promote five sculptures of Silicon Valley icons - Fred Terman, Bob Noyce, Hewlett and Packard, William Shockley and Lee de Forest. The figures have been "hitchhiking" around the country with GPS units strapped to their backs so people can follow their journeys online.

Yet another wonderfully funny public relations fiasco with HP. It's implied, though not explicitly stated in the article, that HP had the opportunity to buy the sculptures and turned their nose at the project. They should have seen this one coming from a mile away. If it wasn't Sun, I'm sure IBM would have been the next in line to turn this whole thing into a big joke. HP == stupidity



Sign the petition for the Net Neutrality Amendment to the COPE Act
Topic: Technology 9:18 am EDT, Apr 27, 2006

Join Leader Pelosi and become a Citizen Co-Sponsor of the Markey Net Neutrality Amendment

We, the undersigned, oppose the lack of Network Neutrality protections in the COPE Act, sponsored by Rep. Joe Barton (R-TX). We strongly urge passage of the Network Neutrality amendment sponsored by Rep. Ed Markey (D-MA), along with Representatives Rick Boucher (D-VA), Anna Eshoo (D-CA), and Jay Inslee (D-WA).

Sign it today, this is getting pushed through ASAP.

More info at http://www.savetheinternet.com/=faq



Mike Lynn's 'exploit', in plain (non-technical) English
Topic: Technology 9:00 am EDT, Aug  2, 2005

There has been an almost unbelievable amount of hubbub lately about the research that Mike Lynn gave a demonstration of at the BlackHat conference last week, and there's been a positively dizzying amount of "spin" applied to the media. Let me say one thing to everyone reading this, right up front. What Lynn uncovered is a serious issue, probably actually more serious than what the media is making it out to be. While coverage on the issue is good (and useful to both "sides") the lack of actual accurate reporting on the issue isn't helpful to anyone.

Part of the problem is that apparently, outside of the list of BlackHat attendees, there's not that many people running around who truly understand what Lynn's research uncovered. Lynn did not reveal an "exploit" in the usual sense. In fact, Lynn of his own volition has been playing his cards fairly close to his chest on this, and omitted most of the technical details of the problem from his presentation in order to assure that no one would be able to easily "follow in his footsteps". Lynn, it can safely be said, was scared by what he discovered--scared enough that he has risked his livelihood not once but twice in order to be sure that should the technical aspects of what he's found not be resolved before someone with less respect for the continuation of the Internet figures it out for themselves, the network and security administrators of the world will have had time to take some steps to reduce the amount of damage done.

It can no longer be thought of as a sure thing that just because a particular vulnerability could "break the Internet" that no one's going to try it just to see if it's really true. We have a rather excellent example in recent history that pretty much everyone is aware of by now... the MS Blaster worm which raged around the Internet wreaking rather unprecedented havoc. Pretty much everyone on the Internet was either personally affected by this, or knows someone who was. Blaster made use of a vulnerability that had become rather common knowledge by the time it was released, but had already been known to many security professionals for months. The real problem that made things so painful and propagation of Blaster so widespread, was that for those months, Microsoft had been actively denying that there was ever a problem until Blaster forced them to admit it. Had system administrators been made aware of the issue and the meager steps needed to impede the spread of Blaster (which everyone implemented in a white-hot hurry once their networks were figuratively ablaze) the damage could have been much less indeed.

Cisco is not helping the issue, or I should say, Cisco's lawyers are not helping the issue. Cisco makes some really awesome products, and their technical people can't really be faulted for this one technical flaw. The problem is that Cisco's lawyers are convinced that public knowledge of a serious issue ... [ Read More (1.3k in body) ]



Further Abaddon Nogoodery
Topic: Technology 4:34 pm EDT, Jul 27, 2005

A presentation called “The Holy Grail: Cisco IOS Shellcode Remote Execution” was slated to run at the Black Hat conference in Las Vegas this week. But Internet Information Systems and Cisco, the companies presenting the segment, decided to pull the presentation after discussions between the two firms.



Abaddon, still up to no good.
Topic: Technology 4:34 pm EDT, Jul 27, 2005

Even more of Abaddon being up to no good.



I, Cringely . NerdTV
Topic: Technology 12:15 pm EDT, Jul 14, 2005

Beginning Sept. 6, PBS will make available - exclusively over the Internet - broadcast television's first entirely downloadable series, featuring PBS technology columnist and industry insider Robert X. Cringely's interviews with personalities from the ever-changing world of technology. NerdTV will be available for download from www.pbs.org/nerdtv .



Google Maps API Fun
Topic: Technology 8:45 pm EDT, Jul  7, 2005

I've been playing around with the recently released Google Maps API and wrote this little app to display wifi hotspots around town. Since I live in the Nashville area, it centers on Nashville. You can easily take the code and modify it for your area. Feel free to borrow.

Dolemite



Why tables for layout is stupid: problems defined, solutions offered
Topic: Technology 9:04 am EDT, Jun 17, 2005

Nice lecture. Isn't the usual "use tables for layout stupid" and "Structure should be separated from content" rant. This site actually shows you how to break an existing webpage down to its basic structure and build it back up with CSS, DIVs, and more.

I've been working today on using some Javascript to make the Recommendation page have more, but hidden, options. Inserting this into a page that uses tables for layouts is a bitch.

-Memestreams includes CSS defined inline with each page.
-Memestreams uses Tables instead of DIVs for layout. The main page is over 30k, most of it table formatting. I know Tom has a good Co-Lo deal, but the bandwidth savings here will help Memestreams users.

[ I only wish he had said : "The only problem with CSS is that all browser manufacturers are FUCKING ASSHOLES and don't properly support the spec. You'll spend more time dealing with silly goddamn tricks than laying out your page."

Fuck IE. Fuck Firefox, Mozilla, Safari, and every browser on the planet. There's a spec. If you're gonna call it a standard, then bloody fucking comply with it.

I dare you to try and align a div with the BOTTOM of the screen. Check it out, it's awesome! -k]


