Råvarefesten

Oljeprisen er nå over 110 dollar fatet. De fleste vil peke på uroen i Midtøsten og Nord-Afrika som hovedårsak. Mye tyder imidlertid på at det er helt andre mekanismer som ligger bak.  Kilde: http://www.indexmundi.com/commodities/Opptøyene...

Read More

Pwn2own considered (somewhat) harmful

I think that hacking challenges and bug bounty programs can be extremely valuable. This is true when they involve transparent, sustained efforts to evaluate the security of a particular platform. For example, I believe that there is a substantial value in Mozilla bug bounties, or in the Chrome reward...

Read More

A note on an MHTML vulnerability

There is an ongoing discussion about a recently disclosed, public vulnerability in Microsoft Internet Explorer, and its significance to web application developers. Several of my colleagues investigated this problem in the past few weeks, and so, I wanted to share our findings.As some of you may be aware,...

Read More

The other reason to beware ExternalInterface.call()

Adobe Flash has a function called ExternalInterface.call(...), which implements a JavaScript bridge to the hosting page. It takes two parameters: the first one is the name of the JavaScript function to call. The second one is a string to pass to this function.It is understood that the first parameter...

Read More

Warning: OBJECT and EMBED are inherently unsafe

Let's say that you maintain an online discussion forum. Assuming that you explicitly specify the type= parameter in your <object> or <embed> markup, what are the security consequences of allowing users to embed third-party Flash movies in their posts when you enforce the appropriate security...

Read More