Source: The Register
L33tdawg: The published paper on the hack can be found over here.
Security researcher David Litchfield has identified a vast number of attacks against Oracle application servers and has written them up in a paper which includes defensive strategies as well.
Source: NewsBytes
An independent network security researcher has uncovered a new way to steal the secret browser "cookies" of Web surfers with the help of Internet servers that were never intended to communicate with browser software. The exploit, described by a researcher who uses the handle "Obscure" and posted on the Eye On Security Web (EOS) site, relies on common Internet server software other than Web servers that can "echo" hijacked submissions from HTML forms.
Source: The Guardian
The reporting of computer and communications security in the mainstream media is often puzzling. Why do some risks merit a big story, while others go unnoticed. This is largely because the subject is taken out of its organisational context and it is important to see security risks in that context. The first step is to be clear what we mean by a risk: a risk is the overlap between a threat and a vulnerability.
Source: ZDNet
A security researcher will detail a bevy of software flaws in Oracle's flagship database at the Black Hat Windows Security Briefings in New Orleans on Friday, busting up the company's promise that the program is "unbreakable."
The security problems, found by U.K. security researcher David Litchfield in December, include a serious software slip-up that could let hackers take control of corporate servers loaded with the database program.
Source: SecurityFocus
Conventional wisdom has long held that open source software garners extra security from the sheer number of people who are free to review the code -- "Many eyes make all bugs shallow," the adage goes. The reality is often different; it turns out many of those eyes have little interest in the thankless task of examining other people's code for security holes.
Source: Zero Security
The Faq-O-Matic is a CGI-based system that automates the process of maintaining a FAQ (or Frequently Asked Questions list). It allows visitors to your FAQ to take part in keeping it up-to-date. A security vulnerability in the product allows remote attackers to utilize a CSS vulnerability against the product.
Source: News Forge
A race condition existed where a file could be removed between calling fstatfs() and the point where the file is accessed causing the file descriptor to become invalid. This may allow unprivileged local users to cause a kernel panic. Currently only the procfs filesystem is known to be vulnerable. On vulnerable FreeBSD systems where procfs is mounted, unprivileged local users may be able to cause a kernel panic.
Source: ZDNet
An Irish security consultant published details this weekend of two software bugs in a popular chat program--bugs that could be used to install malicious programs on a victim's computer.
The flaws make users of mIRC--a common Windows program that lets people chat in real time over a network of "Internet relay chat" servers--susceptible to attack if they connect to a compromised server, said James Martin, the independent security consultant who found one of the flaws.
