Posts tagged: browser vulnerability

Another critical patch released – MS08-78

After the recent out-of-band release of patch MS08-67 by Microsoft, the software giant has again released an out-of-band patch, MS08-78.

The patch is tagged as critical and affects Internet Explorer versions 5.1 to 7. There are a few mitigating factors, but I strongly feel that at least desktop users, or systems that are used to surf the internet, should apply the released patch. The workaround either wouldn't work in a few cases, or attackers would come up with a way to bypass it.

Microsoft releases MS-08 Dec packed with 28 patches

Wow!! A jumbo patch release by Microsoft after a long time (5 years). Of these 28 patches, 23 have been rated Critical, 3 Important and two Moderate. The patches were issued in eight updates for Windows, Internet Explorer, Office, SharePoint, Windows Media, and the popular development tools Visual Basic and Visual Studio.

So these have to be at the top of security consultants' to-do lists. It is one more reason to work, or rather to drive the clients to work, on patching.


Clickjacking…

Two researchers, Robert Hansen and Jeremiah Grossman, were planning to present their research on clickjacking at OWASP in New York City, but had to postpone their presentation because they figured out that the exploitation of this vulnerability can be much worse. Affected vendors requested them to postpone their disclosure so that they could fix it. Most of the time such a vulnerability needs to be fixed by the web application, but this time browser vendors have taken up the task of fixing it. Microsoft and Adobe are a few of those affected.

Well, these attacks are somewhat tedious and require precision compared to other powerful attacks like CSRF, SQLi, etc. The attacker needs to know the exact layout of the page that the victim would be viewing. A small shift here or there can foil the whole attack. These attacks can be carried out on pages whose button positions remain static. A CSRF token solution will not work here.
