07.31.05
個人資料洩漏?
Slashdot 在 Govermental Servers Wiped? Never! 報導了澳洲政府在淘汰電腦時沒有把裡面的資料清空就轉售出去…
在原作者 Data Security 101 的網頁上有大量的圖片顯示了這些電腦裡面有哪些東西 - 連裡面的 source code 都有 :p
Archive for July, 2005
從年初到目前為止,IE 比 Firefox 發生更少安全性問題
Mozillazine 這篇 More Security Flaws in Firefox Than IE This Year 下面的 Pie chart 依據 Secunia 的資料,顯示了今年年初到目前為止 IE 有 9 個與安全性相關的問題,而 Firefox 有 17 個:
如果把程度加上去則是:
至於下面那個「Unfair comparison」就不用看了,沒有人會因為 Firefox 1.x 是第一年就同情他的… 除了 Firefox 親衛隊。
更完整的資料可以在 Vulnerability Report - Microsoft Internet Explorer 6.x 與 Vulnerability Report - Mozilla Firefox 1.x 找到。
Firefox 的 17 個安全性通告中有 15 個已經修正 (Vendor Patched),有一個部分修正 (Partial Patched) 與一個尚未修正 (Unpatched):
- Firefox Property Manipulation Cross-Site Scripting Vulnerability (Secunia Research has discovered a vulnerability in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.)
- Firefox Multiple Vulnerabilities (Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, and compromise a user’s system.)
- Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability (Secunia Research has discovered a vulnerability in Mozilla, Firefox, and Camino, which can be exploited by malicious web sites to spoof dialog boxes.)
- Mozilla / Mozilla Firefox Frame Injection Vulnerability (A seven year old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.)
- Mozilla Firefox Download Dialog Spoofing Vulnerabilities (Secunia Research has discovered two vulnerabilities in Mozilla Firefox, which can be exploited by malicious people to spoof file types in the file download dialog.) Partial Fix.
- Mozilla Firefox Two Vulnerabilities (Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user’s system.)
- Mozilla Firefox Multiple Vulnerabilities (Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user’s system.)
- Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability (A vulnerability has been discovered in Mozilla Firefox, which can be exploited by malicious people to gain knowledge of potentially sensitive information.)
- Mozilla Firefox Three Vulnerabilities (Three vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions and compromise a user’s system.)
- Firefox “Save Link As…” Status Bar Spoofing Weakness (bitlance winter has discovered a weakness in Firefox, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.)
- Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting (Paul has reported a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.) Unpatched.
- Mozilla / Firefox “Save Link As” Download Dialog Spoofing (Secunia Research has discovered a vulnerability in Mozilla and Mozilla Firefox, which can be exploited by malicious people to trick users into downloading malicious files.)
- Mozilla / Firefox / Thunderbird Multiple Vulnerabilities (Details have been released about several vulnerabilities in Firefox, Mozilla and Thunderbird. These can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user’s system.)
- Mozilla / Firefox Three Vulnerabilities (mikx has discovered three vulnerabilities in Mozilla and Firefox, which can be exploited by malicious people to plant malware on a user’s system, conduct cross-site scripting attacks, disclose sensitive information, bypass certain security restrictions and compromise a user’s system.)
- Mozilla Products IDN Spoofing Security Issue (Eric Johanson has reported a security issue in Mozilla / Firefox / Camino / Thunderbird, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.)
- Mozilla / Mozilla Firefox Dialog Overlapping Weakness (mikx has discovered a weakness in Mozilla and Mozilla Firefox, which potentially can be exploited by malicious people to trick users into performing unintended actions.)
- Mozilla / Mozilla Firefox Download Dialog Source Spoofing (Secunia Research has discovered a vulnerability in Mozilla / Mozilla Firefox, which can be exploited by malicious people to spoof the source displayed in the Download Dialog box.)
而 IE6 的 9 個安全性問題中,只有三個修正,一個部分修正,而剩下的五個都是尚未修正:
- Internet Explorer “javaprxy.dll” Memory Corruption Vulnerability (SEC Consult has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.)
- Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability (Secunia Research has discovered a vulnerability in Internet Explorer, which can be exploited by malicious web sites to spoof dialog boxes.) Unpatched.
- Microsoft Internet Explorer “window()” Denial of Service Weakness (Benjamin Tobias Franz has discovered a weakness in Internet Explorer, which can be exploited by malicious people to cause a DoS (Denial of Service).) Unpatched.
- Microsoft Internet Explorer Multiple Vulnerabilities (Some vulnerabilities has been reported in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.)
- Microsoft Internet Explorer Popup Title Bar Spoofing Weakness (bitlance winter has discovered a weakness in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.) Unpatched.
- Internet Explorer/Outlook Express Status Bar Spoofing (bitlance winter has discovered a weakness in Internet Explorer/Outlook Express, which can be exploited by malicious people to trick users into visiting a malicious web site by obfuscating URLs.) Unpatched.
- Microsoft Internet Explorer Multiple Vulnerabilities (Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, disclose sensitive information, bypass certain security restrictions, and compromise a user’s system.)
- Internet Explorer Global Variables Local File Detection Weakness (Berend-Jan Wever has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files.) Unpatched.
- Internet Explorer FTP Download Directory Traversal (A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.) Partial Patched.
不管是哪一套,能夠直接攻進系統的安全性漏洞都有修正,而其他類性的 (主要是 DoS 與 Spoofing) 安全性問題 IE6 不太想修的樣子。
總結來說,Firefox 並不是比較安全的軟體,而只是比較願意在發生安全性問題時出 patch 的軟體。
Diablo II (& LoD) 將要出 1.11 patch
Blizzard 官方網站的消息,不過目前還不知道會不會產生第三季天梯 (ladder) 就是了…
用 Archive Cache 當作證據
Slashdot 上面報導了愈來愈多律師使用 Archive Cache 當作證據 (譬如 Google 提供的 Page Cache):Wayback Archives as a Law Tool。
SkypeOut 撥六個地區降價:中國、希臘、台灣、香港、波蘭、瑞士
剛剛收到 Skype 的信,這六個地區的 SkypeOut 費率變成 Global Rate (也就是 EUR$0.017/min),其中中國與香港兩個地區包含行動電話。(在 2005/07/27 已經調整了)
而有幾個地方則漲價。(將在 2005/09/01 漲價)
完整的費率調整說明在正式的公告裡都有寫:SkypeOut rates to several destinations changed。
07.29.05
Database 不太穩定
這個下午 Dreamhost 的 Database 不太穩定,我用 Control Panel 問了一下,他們目前還在修… 所以如果看我的網站有時候會出現 WordPress 幹剿連不到 Database 的畫面,請不要打我 XD
IE7
shakalaca 已經先當白老鼠,把 IE7 安裝起來玩:IE7 試用心得。
看到他提供的 Screenshot 讓我馬上瞭解為什麼有人說 IE7 是 “Firefox Lite” 了…
不過,The Register 爆出:IE7 nukes Google, Yahoo! search,有人發現 Google Toolbar 與舊版的 Yahoo! Toolbar 都不能用,但是其他家的都可以用。
邪惡微軟帝國繼續蔓延中…