The InfoSec Blog

Another Java bug: Disable the Java setting in your browser

Posted by Anton Aylward

http://www.kb.cert.org/vuls/id/625617

Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.

Well, yes .... but.


Are we fighting a losing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger) have known in our hearts for a long time. AV products don't work.

Text vs HTML: what is more secure?

Posted by Anton Aylward

There are "good" mailing lists and "not so good" mailing lists from the point of view of security.

Try posting HTML mail to a "good" list and one of two things will happen.

  1. If you have a mailer that includes the plain text then the list
    software will discard the HTML part and forward the plain text to
    the list with a message reading

    [Non-text portions of this message have been removed]

    I'm sure you've seen that message in posts on yahoogroups and similar.

  2. If you have a mailer that doesn't include the plain text
    then one of two things may happen:

    1. The plain text version is displayed, but since it is null the text that appears is
      empty, and you still get

      [Non-text portions of this message have been removed]

      I'm sure you've seen that too.

    2. The list software does its best to convert the HTML to plain text by stripping
      off the HTML tags. This works, but may produce some odd results. However you still get

      [Non-text portions of this message have been removed]
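
The three outcomes listed above can be sketched as a small filter built on Python's standard `email` and `html.parser` modules. This is an added example, not the code of any actual list software; `demime`, `strip_tags`, `TextOnly` and `sample` are hypothetical names, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

NOTICE = "[Non-text portions of this message have been removed]"

class TextOnly(HTMLParser):
    """Collect character data, dropping tags and <script>/<style> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self.muted = [], 0
    def handle_starttag(self, tag, attrs):
        self.muted += tag in ("script", "style")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.muted:
            self.muted -= 1
    def handle_data(self, data):
        if not self.muted:
            self.chunks.append(data)

def strip_tags(html):
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.chunks).split())

def demime(raw, convert_html=False):
    """Return the text-only body a list would forward for the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    # True when any leaf part other than the kept text part is dropped.
    removed = any(p is not plain for p in msg.walk() if not p.is_multipart())
    if plain is not None:
        body = plain.get_content().strip()      # case 1: keep the text part
    elif html is not None and convert_html:
        body = strip_tags(html.get_content())   # case 2.2: best-effort conversion
    else:
        body = ""                               # case 2.1: nothing left to show
    return (body + "\n\n" + NOTICE).strip() if removed else body

def sample(plain=None, html=None):
    """Build a constructed test message (not taken from the page)."""
    m = EmailMessage()
    if plain is not None:
        m.set_content(plain)
    if html is not None:
        (m.add_alternative if plain is not None else m.set_content)(html, subtype="html")
    return m.as_string()
```

Joining the extracted text chunks with spaces is one source of the "odd results" mentioned above: inline markup in the middle of a word splits it in two.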