morph3us.org

Unfortunately, my last blog entry was almost three weeks ago so it's time for a new entry..

Presumably, I'm going to release several new advisories next week. Two advisories will cover multiple stack based overflows in W3C's browser Amaya, three advisories are about DoS vulnerabilities in the latest release of Internet Explorer 6 SP2 with all patches applied and another advisory will deal with multiple vulnerabilities in a rather unknown web application - but I'm not sure yet if I'll publish this advisory this time.

So stay tuned..

The BuHa ExploitMe Contest is organized in multiple levels with increasing difficulty. In each of this levels you'll find a exploitable ANSI C program and a small advice about the kind of shellcode which should be used. The first and the second level do not require the usage of any shellcode because people which are not familar with security related bugs in C programs should be able to complete them too.

The contest started almost a week ago and until now there are 19 different participants. I was surprised about three brazilian guys which also take part in the contest and found the contest site with Google.

Check it out: https://www.buha.info/projects/exploitme-contest/

The last week I created a new layout for my site and my blog. I used valid XHTML 1.1 Strict and CSS 2 to realize the design which is based on modern CSS layout techniques. The smart use of CSS and in general the separation between code and layout was very important for me.. The layout should look fine in all latest browsers like Firefox 1.x+, Opera 7.x+ and M$ IE 5.x+ which support the CSS 1 (and partly CSS2) standard.

I adapted (almost) the entire default template of Wordpress to my ideas and requirements. The CSS file of the default style sucks because it's pretty huge and I reduced its size by nearly 50 percent but my current stylesheet file is anything but perfect. There are still a lot of things to improve.. maybe I will provide a minimal Wordpress template for interested people in the near future.

M$ released Security Bulletin MS05-054 which resolves several newly-discovered vulnerabilities in M$ IE.
See File Download Dialog Box Manipulation Vulnerability (CAN-2005-2829), HTTPS Proxy Vulnerability (CAN-2005-2830), COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831) and Mismatched Document Object Model Objects Memory Corruption Vulnerability (CAN-2005-1790) for details.

I updated the update pack for Windoze XP SP2..

M$ released the Bulletin MS05-053 to resolve some latley discovered vulnerabilities in the rendering of Windows Metafile (WMF) and Windows Metafile (WMF) image format. See CAN-2005-2123, CAN-2005-2124 and EMF file DOS vulnerability for details.

Therefore I updated the update pack for Windoze XP SP2..

A while ago I uploaded a XHTML document containing several viable resources about Web Application Security from my bookmarks. I think most links will be usefull for people who are interested in web application security related topics.

Have a look..

http://morph3us.org/security/links/web-app-security.html

Ich habe mich mittlerweile relativ kurzfristig dazu entschlossen einen eigenen Blog zu fuehren. Eigentlich halte ich ja nicht besonders viel vom sogenannten 'Blogging' aber andererseits kann es auch nicht schaden es einfach mal zu versuchen. Ausschlaggebend fuer meinen Entschluss damit anzufangen war uebrigens Dominik (siehe Blogroll) der kleine Rotzluemmel. (o: Jegliche Beschwerden bitte an ihn. *g

Eventuell kann ich cyrus-tc noch davon ueberzeugen hier auch den ein oder anderen Eintrag zu verfassen - auch wenn er sich derzeit noch etwas davor straeubt.