0patch.blogspot.com
0patch Blog: January 2016
https://0patch.blogspot.com/2016_01_01_archive.html
Welcome to the era of vulnerability micropatching. Friday, January 22, 2016. Bridging the "Security Update Gap" With 0patch. Vulnerability Patches Can be Really Small and Easy to Apply. Yesterday we tweeted a proof-of-concept, an actual micropatch for the "Winshock" vulnerability (CVE-2014-6321) in Windows schannel.dll. The patch fixes a buffer overflow vulnerability that allowed attackers to execute arbitrary code on any SSL-enabled IIS server. (Thanks to Mike Czumak. In order to replace an executable fil...
0patch.blogspot.com
0patch Blog: September 2016
https://0patch.blogspot.com/2016_09_01_archive.html
Welcome to the era of vulnerability micropatching. Friday, September 2, 2016. The Birth of the World's First Self-Healing Micropatch. Something completely different: we just published our first patch for 0patch Agent itself. A self-healing patch, so to speak. It's been almost three months since the open beta was released, and users gave it a warm reception. Among the feedback given there were not only bug reports, improvement requests and thank-yous, but also patches you would like. Got a brainwave: Andles...
0patch.blogspot.com
0patch Blog: New Release: 0patch Agent 2016.06.14.850
https://0patch.blogspot.com/2016/06/new-release-0patch-agent-20160614850.html
Welcome to the era of vulnerability micropatching. Monday, June 20, 2016. New Release: 0patch Agent 2016.06.14.850. We released a new build of 0patch Agent for Windows today. There are two reasons for this: we'd like to test the updating mechanism with our beta users; and we have fixed a couple of issues reported by our beta users, plus a few minor issues we had on our own hit list. The two issues reported by our beta users were: ... of Zero Science Lab ... root, which would effectively make this a non-issue...
blog.acrossecurity.com
ACROS Security Blog: 06/01/2013 - 07/01/2013
http://blog.acrossecurity.com/2013_06_01_archive.html
Thursday, June 6, 2013. Winning An Online Lottery In Just 6 Tries. A Case Study of Logical Error in Online Gambling. Gambling is one of the most profitable business models in the online world. There is no shortage of online betting houses and many state lotteries are setting up their own online equivalents to compete with commercial alternatives (if they fail to regulate them off the market, that is, but that's not today's topic). Let's take a look at a typical online lottery system. When selecting 9 num...
blog.acrossecurity.com
ACROS Security Blog: 05/01/2011 - 06/01/2011
http://blog.acrossecurity.com/2011_05_01_archive.html
Tuesday, May 24, 2011. The Anatomy of COM Server-Based Binary Planting Exploits. May 6, 2011 update: we published a proof of concept for this vulnerability. Last week at the Hack In The Box conference in Amsterdam we presented some techniques for advanced exploitation of binary planting bugs. The stage was set by our previous blog post, The Magic Of Special Folders. One of the elements we used in our exploits was Windows special folders. Note that the CLSID must be the extension of the folder name, i...
blog.acrossecurity.com
ACROS Security Blog: How Visual Studio Makes Your Applications Vulnerable to Binary Planting
http://blog.acrossecurity.com/2010/10/how-visual-studio-makes-your.html
Monday, October 18, 2010. How Visual Studio Makes Your Applications Vulnerable to Binary Planting. Creating a Binary Planting-Positive Application Without Writing a Single Line of Code. As attendees of the Hack In The Box conference learned last week, Microsoft Visual Studio makes it possible to develop a binary planting-positive (i.e., vulnerable) application without you having to write a single line of code, in just 34 seconds. Let's look at the video first. ... from the same directory, resulting in a bin...
blog.acrossecurity.com
ACROS Security Blog: 07/01/2011 - 08/01/2011
http://blog.acrossecurity.com/2011_07_01_archive.html
Friday, July 8, 2011. Binary Planting Goes "Any File Type". File Planting: A Sample From Our Security Research. It's been almost a year since we revealed our Binary Planting research project, which identified 520 remote execution vulnerabilities in almost all Windows applications. During this period, hundreds of binary planting vulnerabilities have been publicly reported and some have actually been fixed. We went further and "extended" the problem to all file types. Java Hotspot VM Configuration Files.
blog.acrossecurity.com
ACROS Security Blog: Is Your Online Bank Vulnerable To Currency Rounding Attacks?
http://blog.acrossecurity.com/2012/01/is-your-online-bank-vulnerable-to.html
Monday, January 9, 2012. Is Your Online Bank Vulnerable To Currency Rounding Attacks? A Hefty Discount Your Bank Never Intended To Give You. While such vulnerabilities can allow an online thief to take a lot of money from the bank's customers or the bank itself, doing so would positively qualify as a punishable criminal act in most jurisdictions. Legally Exploitable Security Flaws. To our knowledge, this type of flaw was first described in the 2001 paper titled Asymmetric Currency Rounding. How many units of...
blog.acrossecurity.com
ACROS Security Blog: 09/01/2011 - 10/01/2011
http://blog.acrossecurity.com/2011_09_01_archive.html
Monday, September 26, 2011. More Misconceptions About Binary Planting. Last year, soon after revealing our binary planting research project, we published a blog post clearing up five frequently-appearing misconceptions. Misconception #6: "This is a local attack." Now who isn't doing that on a daily basis? Misconception #7: "It doesn't work remotely on a default Windows machine." We've heard objections that perimeter firewalls in typical networks won't allow internal Windows computers to access shared f...