185
votes
Accepted
How can I argue against: "System is unhackable so why patch vulnerabilities?"
The trouble with the situation (as you are reporting it) is that there are a lot of assumptions being made with a lot of opinions. You have your opinions and you want them to share your opinions, but ...
165
votes
Accepted
Why does my IT department block Firefox?
Assuming that you work in the bank industry, this is likely due to their inability to intercept Firefox's traffic.
Due to Firefox's support of DoH and eSNI, most banks and regulated industries are ...
128
votes
Accepted
Is it a security vulnerability to tell a user what input characters are valid/invalid?
... that could be useful in an attack but is normally not available to the attacker
Knowledge of invalid input characters is useful but can easily be found by the attacker with just a few tries. Thus ...
121
votes
Meltdown and Spectre Attacks
This answer is an attempt at addressing simply the main concerns. The details here might not be exemplary accurate, or complete. I'll try to link to more detailed explanations when possible.
What is ...
117
votes
Accepted
Does removing a GUI from a server make it less vulnerable?
Removing the GUI is useful and recommended. It will remove unused components, a lot of libraries, and makes the install size smaller.
How does this make it less vulnerable?
Fewer components equal ...
113
votes
Is this email asking me to send them $100 for details on a security flaw in my website a scam?
This certainly is not standard practice. Even if this person has found a legitimate problem on your site, it's a form of extortion.
There is proper "responsible disclosure" and professional "...
105
votes
Accepted
Is divide-by-zero a security vulnerability?
At issue is that an exception handler will be invoked to handle the division by zero. In general, attackers know that exception handlers are not as well-tested as regular code flows. Your main logic ...
101
votes
How dangerous is XSS?
Below are the things an attacker can do if there is XSS vulnerability.
Ad-Jacking - If you manage to get stored XSS on a website, just inject your ads in it to make money ;)
Click-Jacking - ...
96
votes
Is exploit-free software possible?
The existing answers, at the time of writing this, focused on the difficulties of making bug free code, and why it is not possible.†
But imagine if it were possible. How tricky that might be. There'...
85
votes
On Windows boxes, is patching for Spectre and Meltdown necessary?
the only point of easy penetration to a system seems to be via javascript running in a web browser.
How about Flash? Java? Silverlight? VBA in an office document? Any applications that load web-pages ...
78
votes
Accepted
Does CVE-2021-44228 impact Log4j ports?
That CVE does not impact the ports, only Log4j, since it requires the use of Java interfaces (and some JVM versions prevent the vulnerability from being exploited). It may be that the ports have ...
74
votes
Accepted
Who "brands" vulnerabilities?
They are all branded by the people discovering them. There's even a note on the wiki for Heartbleed:
Logo representing Heartbleed. Security company Codenomicon gave Heartbleed both a name and a ...
68
votes
Accepted
Security risks of fetching user-supplied URLs
This particular vulnerability indeed has a name. It is called Server-Side Request Forgery (SSRF). SSRF is when a user can make a server-side application retrieve resources that were unintended by the ...
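An added example, not code from the answer above: a guard a server can run before fetching a user-supplied URL, which is the check the SSRF answer implies but the excerpt does not show. The scheme allow-list, the `BLOCKED_HOSTS` names, the stub resolvers in the test and the "public address" definition are my assumptions; the address classes come from the standard `ipaddress` module.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed deny-list of names that must never be fetched on a user's behalf.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def resolve_all(host):
    """Every address the name maps to (A and AAAA); a single bad answer fails the check."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr):
    """True only for a routable, public unicast address."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is just 10.0.0.1 in disguise; judge the inner IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_target(url, resolve=resolve_all):
    """Return (ok, reason) for a URL the server has been asked to fetch.
    resolve() is injectable so the check can be exercised offline with a stub."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # malformed IPv6 literals raise ValueError
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if not host:
        return False, "no host"
    if host.rstrip(".") in BLOCKED_HOSTS:
        return False, "host %r is blocked" % host
    try:                        # literal IP: no DNS involved
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:          # a name: resolve it and check every answer
        try:
            addrs = resolve(host)
        except (socket.gaierror, OSError):
            return False, "cannot resolve %r" % host
    for a in addrs:
        if not is_public_address(a):
            return False, "%r resolves to non-public address %s" % (host, a)
    return True, "ok"
```

Two caveats a deployment needs on top of this: the name is resolved once here and again by the HTTP client, so a rebinding DNS server can pass the check and then hand the client a private address (connect to the address you validated, not to the name), and redirects must be re-validated hop by hop or disabled.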
67
votes
How can I argue against: "System is unhackable so why patch vulnerabilities?"
If someone tells me that their machine is not hackable and I ought to believe them, I immediately conclude that
The machine is kept guarded under Fort Knox/High security prison conditions, with 24/7 ...
66
votes
Should we release the security issues we found in our product as CVEs, or can we just note them in the weekly release notes?
You can do either, but I recommend applying for a CVE so that customers who get threat intelligence feeds are more likely to notice the issue and expedite a patch. Assigning a CVE also makes it easier ...
60
votes
Why does my IT department block Firefox?
TLDR - It might not even be about security. This could just be due to your company's preference.
A friend of mine faced a similar issue. Firefox is blocked on his office laptop. When asked they simply ...
55
votes
CVE-2018-10933 - Bypass SSH Authentication - libssh vulnerability
... does OpenSSH rely on libssh
OpenSSH (which is the standard SSH daemon on most systems) does not rely on libssh.
I tried looking for openssh v.s. libssh ...
Actually, a search for openssh ...
54
votes
Does CVE-2021-44228 impact Log4j ports?
Let me start with some background info. As I understand it, the CVE-2021-44228 ("Log4Shell") vulnerability has three main components:
A design flaw in Log4j that makes it (by default, ...
52
votes
Accepted
Can trusted timestamping be faked by altering some bytes within the document?
You claim that you can make the hashes match with enough computing power. The problem is that given a modern hash algorithm, neither you nor anybody else has this computing power. That's the whole ...
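An added example, not code from the answer above, to make the cost argument concrete. A trusted timestamp binds a signature to the document's hash, so an altered document only passes if its entire SHA-256 output matches. `forge_prefix` shows how far "altering some bytes" actually gets: it tweaks hidden padding until the hash agrees on only the first `bits` bits, which already costs about 2**bits tries, and the full 256-bit match the verifier demands is 2**256. The HMAC key standing in for the TSA's signature and the sample documents are my assumptions.

```python
import hashlib
import hmac
import struct

# Stand-in for the TSA's signing key (assumption; a real TSA signs with its certificate).
TSA_KEY = b"demo-tsa-key"


def digest(doc: bytes) -> bytes:
    return hashlib.sha256(doc).digest()


def issue_token(doc_hash: bytes, timestamp: int, key: bytes = TSA_KEY) -> dict:
    """What the TSA returns: it signs (hash, time), never the document itself."""
    msg = doc_hash + struct.pack(">Q", timestamp)
    return {"hash": doc_hash, "ts": timestamp,
            "sig": hmac.new(key, msg, hashlib.sha256).digest()}


def verify_token(doc: bytes, token: dict, key: bytes = TSA_KEY) -> bool:
    """A document matches the token only if its full hash equals the signed one."""
    msg = token["hash"] + struct.pack(">Q", token["ts"])
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return (hmac.compare_digest(expected, token["sig"])
            and hmac.compare_digest(digest(doc), token["hash"]))


def leading_bits(h: bytes, n: int) -> int:
    """The first n bits of a hash as an integer."""
    return int.from_bytes(h, "big") >> (len(h) * 8 - n)


def forge_prefix(original: bytes, altered: bytes, bits: int, limit: int = 1 << 24):
    """Try to make `altered` agree with `original` on the first `bits` bits of
    SHA-256 by appending a counter (hidden padding an attacker is free to tweak).
    Returns (attempts, candidate); candidate is None if `limit` is exhausted.
    Expected attempts are about 2**bits, so each extra bit doubles the work."""
    target = leading_bits(digest(original), bits)
    for i in range(limit):
        candidate = altered + b"\n%d" % i
        if leading_bits(digest(candidate), bits) == target:
            return i + 1, candidate
    return limit, None
```

Raising `bits` from 12 to 20 turns a sub-second loop into a minutes-long one on the same machine; the verifier checks all 256 bits, which is why the "enough computing power" the question assumes does not exist.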
51
votes
Is divide-by-zero a security vulnerability?
To add another contrived example based on a real one:
Many (many) moons ago, my high school was running Novell Netware and had it configured so that students couldn't directly run a DOS prompt (which ...
47
votes
Accepted
Is using 'echo' to display attacker-controlled data on the terminal dangerous?
Is it possible for an attacker, regardless of how unlikely it would be, to exploit this somehow by modifying the content of attackerControlledFile.txt? "Somehow" refers to things like:
This code ...
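An added example, not code from the answer above: what a terminal actually receives when attacker-controlled bytes are echoed to it, and the check a script should apply first. `ATTACKER_FILE` is a constructed sample (title-setting OSC, clear-screen CSI, a faked prompt, and the 8-bit C1 form of ESC [), not content from the page; `sanitize_for_terminal` rewrites every control character as a visible `\xNN` escape so the terminal prints rather than obeys it.

```python
# Constructed attacker-controlled content (assumption, not from the page).
ATTACKER_FILE = (
    b"harmless first line\n"
    b"\x1b]0;pwned\x07"            # OSC 0: set the terminal title
    b"\x1b[2J\x1b[H"               # CSI 2J / CSI H: clear screen, cursor home
    b"user@host:~$ \x1b[?25l"      # fake prompt, then hide the cursor
    b"\xc2\x9b31m"                 # U+009B, the 8-bit form of ESC [
    b"\n"
)


def _is_control(ch: str) -> bool:
    """C0 controls, DEL and C1 controls, except the newline and tab we let through."""
    code = ord(ch)
    if ch in "\n\t":
        return False
    return code < 0x20 or code == 0x7F or 0x80 <= code <= 0x9F


def contains_terminal_controls(data: bytes) -> bool:
    """True if the bytes carry anything a terminal would interpret rather than print."""
    text = data.decode("utf-8", errors="backslashreplace")
    return any(_is_control(ch) for ch in text)


def sanitize_for_terminal(data: bytes) -> str:
    """Render every control character as a visible \\xNN escape, in the spirit of
    `cat -v` but unambiguous and safe to copy/paste. Invalid UTF-8 bytes (for
    example a raw 0x9b) are also shown as escapes by the decoder."""
    text = data.decode("utf-8", errors="backslashreplace")
    return "".join("\\x%02x" % ord(ch) if _is_control(ch) else ch for ch in text)
```

The same sequences reach the terminal whether the file is printed with `echo`, `cat` or a script's own output, so the filter belongs where untrusted bytes are turned into output, not in any one command.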
47
votes
Accepted
Am I protected from Log4j vulnerability if I run Java 8u121 or newer?
No, you really need to update log4j.
Here is an excerpt from LunaSec's announcement:
According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not ...
46
votes
What pages are vulnerable to SQL injection?
Do you trust all of your authenticated users completely? Including that they won't have their accounts compromised by attackers? It's bad if an attacker gets access to an account, but far worse if ...
45
votes
Accepted
Does client-side data tampering allow more than just evading validation? Dictionary attacks? Brute-force login attempts?
This "Data Tamper Vulnerability" is not a vulnerability. It's like a "Door without lock vulnerability."
Client-side validation is not validation. It's a convenience tool: better let ...
43
votes
How dangerous is XSS?
Maybe a real life example would help to understand how dangerous an apparently minor security flaw like XSS can be.
As part of a security assessment, my company was tasked with trying to access the ...
42
votes
Does removing a GUI from a server make it less vulnerable?
Removing the GUI also has the side effect of making it a bit more "human safe" because put bluntly, it makes the OS more idiot proof.
There are countless stories of small businesses having users ...
42
votes
Accepted
Why is the absence of a Content-Type header with an HTTP 204 response considered a security vulnerability and what should we do about it?
Automated scanning tools are fairly crude, and don't tend to take that kind of nuance into account - the scanner is most likely flagging any HTTP response that doesn't have the Content-Type header, ...
40
votes
Accepted
HTML login form without a CSRF protection
This is called "Login CSRF" and is indeed a real problem that you should address.
While an attacker couldn't fool a victim to log in to their own account since the attacker doesn't know the ...
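An added example, not code from the answer above: the standard fix for login CSRF, a token bound to a pre-session cookie that the server issues before the user is logged in. The cookie and field names, the HMAC construction and the simulated attacker/victim exchange are my assumptions; the point it demonstrates is the one in the answer, that a form the attacker copied from their own session is rejected when the victim's browser submits it with the victim's cookie.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; a real app loads it from its key store.
SERVER_SECRET = secrets.token_bytes(32)


def new_pre_session_id() -> str:
    """Issued as a cookie when the login page is served, before any login."""
    return secrets.token_urlsafe(32)


def make_csrf_token(pre_session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Hidden form field, bound to that browser's pre-session cookie."""
    return hmac.new(secret, pre_session_id.encode(), hashlib.sha256).hexdigest()


def verify_login_form(cookies: dict, form: dict, secret: bytes = SERVER_SECRET) -> bool:
    """Accept the login POST only if the form token matches the cookie that sent it."""
    sid = cookies.get("pre_session")
    token = form.get("csrf_token")
    if not sid or not token:
        return False
    return hmac.compare_digest(make_csrf_token(sid, secret), token)


def simulate_login_csrf(secret: bytes = SERVER_SECRET):
    """Returns (legit_accepted, forged_rejected) for the scenario in the answer."""
    # Victim loads the login page: gets a pre-session cookie and a bound token.
    victim_sid = new_pre_session_id()
    victim_token = make_csrf_token(victim_sid, secret)
    legit = verify_login_form({"pre_session": victim_sid},
                              {"csrf_token": victim_token,
                               "user": "victim", "pass": "..."}, secret)
    # Attacker loads the login page in their own browser and copies the form,
    # with *their* token and credentials, into a page the victim visits.
    attacker_sid = new_pre_session_id()
    attacker_token = make_csrf_token(attacker_sid, secret)
    # The victim's browser attaches the victim's cookie, not the attacker's.
    forged = verify_login_form({"pre_session": victim_sid},
                               {"csrf_token": attacker_token,
                                "user": "attacker", "pass": "attacker-pw"}, secret)
    return legit, not forged
```

Set the pre-session cookie with `HttpOnly` and `SameSite=Lax` as a second layer, and replace it with a fresh session identifier once the login succeeds so the pre-login value never carries over into the authenticated session.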
40
votes
How can I argue against: "System is unhackable so why patch vulnerabilities?"
Because you want a multi-layered security strategy with defence in depth. You have a firewall, but what if there's a security vulnerability in your firewall? What if some application exploit gives ...