‘Security’ Archive

Expat 2.2.3 released, includes security fixes for Windows 2017-08-02

Just a quick note that Expat 2.2.3 has been released. For Windows users, it fixes DLL hijacking (CVE-2017-11742). On Linux, extracting entropy for hash DoS protection no longer blocks; the blocking had affected D-Bus and systems that are low on entropy early in the boot process. For more details, please check the change log.

Expat 2.2.2 released 2017-07-14

(This article first appeared on XML.com.) A few weeks after release 2.2.1 of the free software XML parsing library Expat, version 2.2.2 now improves on a few rough edges (mostly related to compilation) but also fixes security issues. Windows binaries compiled with _UNICODE now use proper entropy for seeding the SipHash algorithm. On Unix-like platforms, accidentally […]

Expat 2.2.1 with security fixes has been released 2017-06-18

Expat 2.2.1 has been released. It’s a security release with a variety of fixes, for instance: an infinite-loop denial-of-service fix (that Rhodri James wrote more about), the introduction of SipHash against sophisticated hash flooding, use of OS-specific high-quality entropy providers like getrandom, integer overflow fixes, and more. We also got better code coverage, […]
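The 2.2.1 entry above introduces getrandom as the seed source for SipHash, and the 2.2.3 entry says that extracting that entropy no longer blocks on Linux. The following added example (written for this page; it is not Expat's code and does not claim to match its internals) shows the shape of a seed fetch with that property: getrandom(2) is called with GRND_NONBLOCK, and if the kernel pool is not yet initialised (EAGAIN) or the syscall does not exist (ENOSYS), it falls back to /dev/urandom, which returns immediately. The function names `seed_nonblocking` and `demo_seed_ok` are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/syscall.h>
#endif

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001  /* value from <linux/random.h>; defined here so old headers still build */
#endif

/* Fill buf with n bytes of seed material without ever blocking.
 * Returns (int)n on success and -1 if no source could be read.
 * source_used receives a short label saying which source delivered the bytes. */
int seed_nonblocking(unsigned char *buf, size_t n, const char **source_used)
{
    size_t got = 0;
    int fd;

#if defined(__linux__) && defined(SYS_getrandom)
    while (got < n) {
        long r = syscall(SYS_getrandom, buf + got, n - got, GRND_NONBLOCK);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            break;  /* EAGAIN: pool not ready yet; ENOSYS: kernel < 3.17. Fall back instead of waiting. */
        }
        got += (size_t)r;
    }
    if (got == n) {
        *source_used = "getrandom(GRND_NONBLOCK)";
        return (int)n;
    }
#endif
    /* Fallback: /dev/urandom never blocks. Early in boot its output may be weaker than a
     * fully initialised pool, which is the trade-off the release note accepts in return for
     * not stalling the process (D-Bus starts before the pool is ready on some systems). */
    fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (r == 0)
            break;
        got += (size_t)r;
    }
    close(fd);
    if (got != n)
        return -1;
    *source_used = "/dev/urandom";
    return (int)n;
}

/* Sanity check a caller can run at startup: 16 bytes were obtained and they are not all
 * identical (16 identical random bytes has probability about 2^-120, so that would indicate
 * a broken source rather than bad luck). Returns 1 when the seed looks usable. */
int demo_seed_ok(void)
{
    unsigned char seed[16];
    const char *src = NULL;
    size_t i;

    if (seed_nonblocking(seed, sizeof seed, &src) != (int)sizeof seed || src == NULL)
        return 0;
    for (i = 1; i < sizeof seed; i++)
        if (seed[i] != seed[0])
            return 1;
    return 0;
}

int main(void)
{
    unsigned char seed[16];
    const char *src = "none";
    size_t i;

    if (seed_nonblocking(seed, sizeof seed, &src) < 0) {
        fprintf(stderr, "no entropy source available\n");
        return 1;
    }
    printf("seed from %s:", src);
    for (i = 0; i < sizeof seed; i++)
        printf(" %02x", seed[i]);
    printf("\n");
    return 0;
}
```

The 16 bytes would then key the SipHash used for the parser's hash tables (not shown here). The point of the design is that a hash-flooding defence needs a seed the attacker cannot predict, but it does not need to stall the process until the kernel declares its pool fully seeded; a caller that insists on the strongest possible seed can check `source_used` and decide what to do when the fallback was taken.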

Fwd: Issues with window.opener (HTML, not just JavaScript) 2017-06-11

About rel=noopener (mathiasbynens.github.io)

Disqus(ting) / Fwd: What’s Wrong with Disqus? 2017-05-08

What’s Wrong with Disqus? / Replacing Disqus with Github Comments (donw.io)

Fwd: Security (or lack of) at Number26 2017-01-09

Hi! I would like to share a talk that I attended at 33c3. It’s about a company with a banking license and accounts with actual money. Some people downplay these issues as “yeah, but the issues were fixed” and “every major bank probably has something like this”. I would like to reply: With a bit […]

Fwd: (German) Telefónica sells the movement data of its O2/E-Plus customers (blau.de included)

Telefónica is now selling the movement data of its O2/E-Plus customers http://winfuture.de/news,94116.html Opt out at: https://www.telefonica.de/dap/selbst-entscheiden.html

arc4random_uniform and avoiding modulo bias when using a random number generator 2016-07-30

Using the arc4random_uniform function is recommended over using arc4random: the former is advertised as not having “modulo bias” issues, see man arc4random. (So I got curious, searched the web a bit, found this blog post, this answer and this link to the source code of one version used by Apple’s. It took me a bit to […]
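To make the "modulo bias" concrete, here is an added example (written for this page, not taken from the post or from any libc) of the rejection-sampling trick that OpenBSD-style arc4random_uniform() uses: raw 32-bit words below `2^32 mod upper_bound` are discarded, so the remaining range is an exact multiple of `upper_bound` and `r % upper_bound` is then exactly uniform. Because 2^32 values cannot be enumerated in a demo, the bias is also counted exhaustively on an 8-bit word size, where it is exact rather than statistical. The function names and the scripted word source are this example's own constructions.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Cutoff used by OpenBSD-style arc4random_uniform(): raw 32-bit words below this
 * value are rejected, so the accepted range [min, 2^32) is an exact multiple of
 * upper_bound.  "-upper_bound % upper_bound" in unsigned 32-bit arithmetic equals
 * (2^32 - upper_bound) % upper_bound == 2^32 % upper_bound, with no 64-bit step. */
uint32_t arc4_style_threshold(uint32_t upper_bound)
{
    if (upper_bound < 2)
        return 0;
    return -upper_bound % upper_bound;
}

/* Rejection sampling on top of any source of uniform 32-bit words.
 * min is always < upper_bound <= 2^31 in the worst case, so each draw is rejected
 * with probability < 1/2 and the loop ends quickly. */
uint32_t uniform_below(uint32_t upper_bound, uint32_t (*next_word)(void))
{
    uint32_t min, r;

    if (upper_bound < 2)
        return 0;
    min = arc4_style_threshold(upper_bound);
    for (;;) {
        r = next_word();
        if (r >= min)
            break;
    }
    return r % upper_bound;
}

/* Exhaustive count on a small word size so the bias is countable: every raw value
 * in [0, modulus) is mapped once and the spread (max - min) over the residue
 * counts is returned.  Plain "r % upper_bound" gives spread 1 whenever modulus is
 * not a multiple of upper_bound; with rejection the spread is always 0. */
uint64_t residue_spread(uint64_t modulus, uint64_t upper_bound, int use_rejection)
{
    uint64_t counts[64] = {0};   /* upper_bound capped at 64 for this demo */
    uint64_t reject_below = use_rejection ? modulus % upper_bound : 0;
    uint64_t r, i, lo, hi;

    assert(upper_bound >= 1 && upper_bound <= 64);
    for (r = 0; r < modulus; r++) {
        if (r < reject_below)
            continue;            /* same "r >= min" check as in uniform_below() */
        counts[r % upper_bound]++;
    }
    lo = hi = counts[0];
    for (i = 1; i < upper_bound; i++) {
        if (counts[i] < lo) lo = counts[i];
        if (counts[i] > hi) hi = counts[i];
    }
    return hi - lo;
}

/* Scripted word source for the demo: constructed values, not randomness.
 * With upper_bound 6 the threshold is 4, so 3 and 1 are rejected and 10 is used. */
static const uint32_t scripted_words[] = { 3, 1, 10, 4294967295u };
static size_t scripted_pos;

static uint32_t scripted_source(void)
{
    uint32_t w = scripted_words[scripted_pos % 4];
    scripted_pos++;
    return w;
}

void reset_scripted_source(void) { scripted_pos = 0; }

int main(void)
{
    printf("2^32 %% 6 = %u, so arc4random_uniform(6) rejects raw words below %u\n",
           (unsigned)arc4_style_threshold(6), (unsigned)arc4_style_threshold(6));
    printf("8-bit words, r %% 6:          spread %llu\n",
           (unsigned long long)residue_spread(256, 6, 0));
    printf("8-bit words, with rejection: spread %llu\n",
           (unsigned long long)residue_spread(256, 6, 1));
    reset_scripted_source();
    printf("uniform_below(6) over scripted words 3, 1, 10 -> %u\n",
           (unsigned)uniform_below(6, scripted_source));
    return 0;
}
```

For 8-bit words and upper_bound 6, 256 = 42·6 + 4, so residues 0 to 3 occur 43 times and residues 4 and 5 only 42 times; rejecting the four raw values below 4 leaves 252 = 42·6 values and every residue occurs exactly 42 times. The same arithmetic applies at 32 bits, which is why the manual page can promise no modulo bias for arc4random_uniform but not for `arc4random() % n`.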

Disable Komodo IDE debugger (bound to 0.0.0.0, run by default) 2016-03-14

Komodo IDE starts a debugger bound to 0.0.0.0 by default. Maker ActiveState’s reaction was rather irritating to me at the time when I asked for an option to bind to 127.0.0.1 instead (update: that page is offline by now). I can no longer add links to that post, but I can link to my demo Komodo IDE […]

Fwd: The Case of the Modified Binaries / Downloading binaries through plain http:// 2015-08-24

It seems I forgot to forward this when it blew my mind the first time. If you still need a reason not to download binaries from http:// URLs, this is it: The Case of the Modified Binaries http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/ While SourceForge is another story, they are an example of a website offering binaries through plain http://, […]