20070103

MOAB and More!

I think the first boog found in the Month of Apple Bugs is probably going to be indicative of the types of attacks that we'll see many, many, many more of. Obviously the RTSP boog in Quicktime isn't the first of its kind, but it is one of the more recent. There was the Quicktime scripting boog that was all the rage on MySpace. Now there's the buzz about cross-domain scripting in PDFs. (PDFs, for cryin' out loud! I thought PDF was Portable Document Format - not application!)

And there's the fact that JPEGs can carry an arbitrary payload...

I think these are the types of bugs we're going to see more and more of over the next several months. I'm sure other very popular media player plugins will have flaws, which will make Google and YouTube look bad.

And sadly, right now, there's not much we as developers can do about it. Do we tell users to disable the features? Do we remove those types of media from the site? Do we just cross our fingers and hope for patches, and quicklike?

2 comments:

  1. > And sadly, right now, there's not much we as developers can do about it. Do we tell users to disable the features? Do we remove those types of media from the site? Do we just cross our fingers and hope for patches, and quicklike?

    I don't think there is any good quick answer at the moment. It's becoming clearer and clearer to me that we do in fact trust client-side security and we need to put more effort into making it something more trustworthy.

  2. Indeed, that's the thrust of the argument. I'd love to be able to help developers to protect their customers at their own site at least. The browser simply can't be trusted, and user education is actually a two-edged sword. When these things are found (the hackers always find it first), as developers and security practitioners, we need to be able to address the issues with some degree of agility.
