Everything posted by IanR

  1. Eset is one of the best AV products, but no AV product can protect against non-replicating malware which has never been seen before. Much of today's malware falls into that category, often being spread by way of spoofing users into installing fake 'updates.' The flood of updates is in turn mainly created by the security issues with C and SQL, and, to a lesser extent, by JavaScript XSS issues. You might find this applet helpful in preventing spoof attacks. It basically stops executables from being launched in typical browser download folders, and unlike UAC, it can't be absentmindedly OK'd. (And since it's on SourceForge I think it can be assumed it's not a spoof!)
  2. The whole Web seems like it's disintegrating, security-wise: Heartbleed, eBay, Avast, Office, Gameover Zeus, Eset. Of course we don't know the full lowdown on most of these yet, but we do know that Heartbleed is a buffer over-read, basically a C programming language weakness, and Gameover Zeus is basically propagated by user spoofing. It's my guess that most of the others were either SQL code injections (highly likely) or JavaScript XSS. It strikes me that there is a need for a drastic overhaul of the whole software coding scene; if Windows XP is frowned on as insecure, then so should be SQL, in fact it is far older and has infinitely worse security issues than WinXP. Likewise, application programmers should be discouraged from using C or C++ with their inherent buffer overflow vulns. Until we get these two sorted out, the hackings will continue. The irony of it is that even before the Internet era there were plenty of application and database languages that didn't have these issues. It seems like the choices made in the early days were the absolute worst ones possible from a security standpoint. The choice of C for early 8086 machines is understandable in that its poor security was unimportant on a standalone PC, and it gave the fastest performance bar assembly code. But the choice of SQL for content-managed websites was totally inexcusable. By that era the need for security was apparent, and the unsuitability of a language which doesn't understand variables and thus has to take its input as mixed commands and literals (where the literals may themselves be malicious commands) should have been obvious. Dropping these two flawed coding tools will be a painful process with the amount of library code based on them, but IMHO it has to be done if users are ever to have confidence in online apps.
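An added example, not part of the poster's text, illustrating the "mixed commands and literals" point in post 2: the same lookup written with string concatenation (the literal becomes part of the command text) and with a bound parameter (the command is compiled before the value is supplied). The table, rows and the `compare` helper are constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the forum post).
USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "obrien@example.com"),  # a legitimate name containing a quote
    ("bob", "bob@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Weak form: the literal is spliced into the SQL text, so the parser
    sees command and data as one string and any quote in the data is
    interpreted as SQL syntax rather than as a character of the name."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened form: the statement is compiled with a placeholder and the
    value is bound afterwards, so it can only ever be treated as data."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms on the same input and report what each returns.
    A parser error in the concatenated form is reported as a string."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return {"concat": concat, "param": lookup_param(conn, name)}


if __name__ == "__main__":
    # Plain input: both forms agree.
    print(compare("alice"))
    # A quote inside ordinary data: the concatenated form fails to parse.
    print(compare("o'brien"))
    # Data that closes the quote and continues the WHERE clause: the
    # concatenated form answers a question the application never asked.
    print(compare("alice' OR name = 'bob"))
```

Only the parameterized form returns `o'brien`'s row, and only the concatenated form widens the third lookup to a second user; a regression test over inputs like these is a cheap way to catch concatenated queries in a code base.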
  3. Found this thread: https://forum.eset.com/topic/653-jssecuritydisableragen-potentially-unwanted-application/