web application security lab

Archive for September, 2008

OWASP Pelting

Thursday, September 25th, 2008

I’m already back in the airport after a long day over at the world OWASP conference in New York. Among other things that were noteworthy was some extremely tacky marketing schwag from the ISC2 folks that says, “I fill the holes in your SLC”. I feel dirty having even typed that. I wish I were kidding. Ridiculous pictures of Dave Aitel wearing said schwag may or may not end up online in the near future. In the meantime, I wanted to do a brief overview on where we are and how things are progressing.

Jeremiah and I gave a brief talk yesterday outlining the timeline of events, and high level concepts of what was going on. We didn’t talk specifics other than some personal remediation advice - yes Lynx is your friend. I felt really lame giving a speech saying I wasn’t giving a speech, trust me. This was not a career highlight, by any stretch. Hence the self-flagellation of telling everyone to loose a volley of squishy OWASP balls at me. I missed most of the volley in the picture I took of it, but you can still clearly see several of the OWASP balls in flight:


[Photo: OWASP balls in flight]

Jeremiah and I answered quite a few questions from the audience before, during and after the speech, and I’m sure a number of people are already working on their own versions of what they think we’re up to, given that a number of people were quick to tell us they were working on some demo code of some aspects of their interpretation of what we were talking about. I’m sorry to be vague, I really am.

Lastly, we did tell the audience that we will most likely be releasing a whitepaper on the informer’s website of Hackers for Charity prior to doing our full announcement (maybe a week or so before). It’s just a nice thing to do for kids, and we totally support Johnny Long’s efforts. Please sign up. It’s a good cause. If you must know the details and are too cheap to help kids in third world countries or you happen to be a kid in a third world country, I’m sure it will leak out in other ways and we’ll also post the whitepaper publicly later as well.

So, no timeline still as of yet, but we are getting regular updates from Adobe and we’re confident they are being as expeditious as they can without risking introducing other issues in the process of issuing their fix. We’ll keep you updated.

Clickjacking

Monday, September 15th, 2008

There’s been a bit of drama over the last week or so around the upcoming world OWASP conference in New York. It’s surrounding a talk that Jeremiah and I were planning on doing the first day of the conference. Jeremiah and I have been working on some interesting browser security issues which also affect a lot of downstream people/websites/technologies as well. Sounds like a good talk, right? We thought so too!

Alas, it turns out that some of the issues we found weren’t just a little bad - they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof - we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we’ve only worked with a few vendors. So… yah. It’s pretty bad.

As you may have guessed the first is a browser company, Microsoft (to be expected since it’s a browser issue to begin with). The second is Adobe - who have been working closely with us on this one since we first told them about the problem. We have been working on proof of concept code since before Blackhat and finally got our ducks in a row with real working exploit code a few weeks ago. And that is pretty much when the problems started. None of the issues we found relating to the browser were particularly easy to fix, it turns out.

The related issues we found that affect websites (instead of browsers) are thankfully slightly easier to deal with on a one-off basis, but that too is going to be a problem. There are a lot of much easier hacks out there against websites for sure, but what we’ve been working on breaks some previously good security measures. The correct solve will not be patching every website on earth. Instead it will likely end up being a browser patch against every major browser. The idea of every webmaster in the world patching their own sites is a non-starter. Although I’m sure lots of people are going to run out and patch their sites rather than wait for the normal browser patch and release cycle for all browsers everywhere. We’ve discussed the high level concern with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solve in sight at the moment.

So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we’d have to be sharing. We’d much rather share the full breadth of what we found when it can be discussed more openly, so as not to diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we’d rather a few of the more critical problems get patched before we go public.

However, I must stress, this is not an evil “the man is trying to keep us hackers down” situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the speech ourselves for the time being, and for anyone who was looking forward to the speech, all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn’t an easy decision but it really feels like the best option we have given the current situation. If you’re desperate for a way to patch your browser against the issue, disable scripting and plugins for the time being. More to come.