Showing posts with label poc/code. Show all posts
Showing posts with label poc/code. Show all posts

10.11.2007

Took long enough...

No, I'm not talking about how long it's been since our last blog post, I'm talking about the iPhone.

I can't say I'm really surprised, except that maybe it took so long, but the iPhone hacking teams have announced a major remote exploit for the iPhone/iTouch. A file parsing exploit, the way we many of us expected it would happen, this is remotely exploitable via a malicious .tiff file. It appears that this was created to make it possible to remotely unlock iPhones (a dubious prospect at best).

For all the interest that the information security community had in the iPhone before it came out I've been shocked at how little has come out of our community. It's shocking how the majority of the "exploit" activity on the iPhone has been the traditional hackers, those who just seek to expand functionality. These "hacks" have been created to compensate for the lacking API, not those attempting to compromise this information rich device. Maybe good is stronger than awesome.

More info here and the actual malicious tiff here.

Posted by Scott J. Roberts at 19:25 0 comments

Labels: , , , , ,

7.04.2007

Closure to Disclosure

There's been a fair bit of discussion lately about disclosure policies of various groups and people in information security. This isn't new, or really a surprise, disclosure is something that comes up every few months, every conference, and other random times based on the alignment of Jupiter and Tim's hairstyle. I plan on throwing my opinion on various topics out there, but first I felt it would be most appropriate to make Vulnerable Minds disclosure policy a matter of record. I admit we borrowed heavily from the fine folks at Matasano Chargren, but after our own discussion, modification, and consideration we feel that this document represents the best way of handling vulnerabilities; for us, for vendors, and for the computing community as a whole. 

Posted by Scott J. Roberts at 21:11 0 comments

Labels: , ,

3.25.2007

Javascript Internal Vulnerability Scanner Source Code

This code was demoed at Shmoocon '07 during the Javascript Malware for a Grey Goo Tomorrow presentation. The code was given to us by our newest mind Mike, and first analyzed by Steve Davis. It allows for client side internal vulnerability scanning through Javascript. It is currently missing a frontend to run it. First one with a front end wins :)

UPDATE 3/25: Source code removed at request of Jikto creator

Posted by Timothy W. Martin at 00:30 0 comments

Labels: , , , ,

Subscribe to: Posts (Atom)