



This is another video taken from Dustin’s Android.
The video is a little choppy, but it isn’t too bad.




Jax and I took out the 600 today. He is filming, I am at the controls.
Unfortunately, the sound is about ten seconds off. What you hear, you see ten seconds later. Sorry.
It is also worth noting that this is the rebuilt, regeared version of my top 600 after a sad day in the snow…

It was sad, but we all know, “If you fly ‘em, you’re going to wreck ‘em.” I look at this 600 as pre-disasterized! She flies so beautifully now.
I hope everyone enjoys this and with a little luck, the next one may even be better.




Jax talked me into doing a loop in front of the shop while Daijoubukun filmed it on his Android. It is remarkably good for a phone. They could make it better by adding a zoom feature, but that’s a story for another time. Today I want to feature the bird. It is an Align carbon fiber Trex 500 with a Scorpion motor, running on an Outrage battery. We aren’t doing anything fancy. In fact, it was far from ideal flying conditions. There are cars driving by, people walking around, power lines. All in all, not a place to be doing acrobatics!




For Microsoft’s monthly Patch Tuesday, six bulletins (three critical and three important) will address 15 vulnerabilities, although no patches are offered for Windows 7. Jerry Bryant, security program manager for Microsoft Security Response Center, said: “Customers should plan a restart for the Windows bulletins. The Office bulletins may not require a restart if the components being updated are not in use.” They are really starting to address the SSL issue I told you about in August. They go on to say, “We won’t see anything to remediate this flaw on Patch Tuesday, but if a number of active exploits start to appear in the wild, then we will most likely see out-of-band patches issued from pretty much every vendor as it is such a widely used protocol.” One could assert the arms race has officially begun.




A buddy reminded me the other day that I haven’t posted anything in a while. So, I asked him, “Well, what should I write about? The four Adobe zero-days of late? Maybe I should talk about our president and his recent prize?” He said, “Yeah, something!”
Okay, so I thought about it, and now I say, “Naa, frankly, I am tired of all that stuff.” Instead, let’s talk about something completely different. So, follow me to what could potentially become the favorite movie you never heard of.
Check out the trailer for “Hold Fast” and, if you are motivated, go over to Blue Anarchy Sea Collective and torrent the whole thing. Alternatively, you can get the DVD from Microcosm Publishing.
Some of you may recognize Blue Anarchy as one of Moxie Marlinspike’s websites. I have mentioned his tools on Thoughtcrime before. If I were to characterize him, I would have to say he is quiet, unassuming and wickedly brilliant. He writes about his adventures at sea and squatting nightmares, not to mention how to build a boat, navigate by the stars, and rig your vessel for a broad reach where you don’t touch the tiller for a month. This guy has a story to tell and he tells it well.
via videosift.com




Microsoft Security Advisory (975191) and Vulnerability Note VU#276653
While there are no patches yet, and likely none in the next Patch Tuesday, to fix this flaw, there are some things you can do to decrease the likelihood of being exploited. The first and most important is to disable anonymous FTP. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated and thus unrestricted. You should also prevent the creation of new directories using NTFS ACLs, and prevent anonymous users from writing via the IIS settings. To detect the attacks, Snort rules are already available at http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2009-09-01.html.
The exploit, discovered by Kingcope, is in the wild currently and is available at milw0rm.
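
One way to check from the FTP service logs whether the anonymous-write mitigations above are actually in effect (an added example, not part of the original post or the advisory). The log layout, the sample lines and the function name `audit_anonymous_writes` are assumptions; match the field order to the `#Fields` header your server writes.

```python
import re

# Constructed sample, assuming the classic IIS FTP W3C layout
# (time c-ip cs-method cs-uri-stem sc-status) with "[n]" as the session id.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:14:02 192.0.2.10 [1]USER anonymous 331
09:14:02 192.0.2.10 [1]PASS user@example.test 230
09:14:05 192.0.2.10 [1]MKD incoming-test 257
09:14:09 192.0.2.10 [1]created /incoming-test/a.txt 226
09:20:31 198.51.100.7 [2]USER alice 331
09:20:31 198.51.100.7 [2]PASS - 230
09:20:40 198.51.100.7 [2]MKD reports 257
09:31:12 203.0.113.5 [3]USER anonymous 331
09:31:12 203.0.113.5 [3]PASS guest@example.test 230
09:31:15 203.0.113.5 [3]MKD probe 550
"""

LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")
WRITE_VERBS = {"MKD", "XMKD", "STOR", "STOU", "APPE", "CREATED"}

def audit_anonymous_writes(log_text):
    """Return (allowed, denied) write attempts made by anonymous sessions."""
    user_of = {}       # (client ip, session id) -> login name
    logged_in = set()  # sessions whose PASS was accepted (230)
    allowed, denied = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # header or unparseable line
        time, ip, sid, verb, arg, status = m.groups()
        key, verb = (ip, sid), verb.upper()
        if verb == "USER":
            user_of[key] = arg.lower()
            logged_in.discard(key)
        elif verb == "PASS" and status == "230":
            logged_in.add(key)
        elif (verb in WRITE_VERBS and key in logged_in
              and user_of.get(key) == "anonymous"):
            bucket = allowed if status.startswith("2") else denied
            bucket.append((time, ip, verb, arg))
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = audit_anonymous_writes(SAMPLE_LOG)
    for label, rows in (("ALLOWED", allowed), ("DENIED", denied)):
        for row in rows:
            print(label, *row)
```

Any entry in the allowed list means anonymous users can still create directories or upload files; entries in the denied list show the restrictions holding while someone tests them.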




I have talked about these vulnerabilities before, and want to update you a little bit on their progress.
Paul Royal, principal researcher for Purewire, says a vulnerability in the latest versions of Adobe’s Flash Player allows criminals to take complete control of end users’ computers. Royal says the technique uses a 1.1 kilobyte Adobe Flash file to target the vulnerability.
Right now, it has been reported that a few major antivirus vendors catch the poisoned SWF file as Trojan.Pidief.G; however, there are many that seem to be overlooking it.
To add to the madness, as if that weren’t enough, the popular websites where the exploit could be encountered are legitimate sites that have themselves been compromised.
It is very difficult to protect oneself from this type of attack. NoScript in Mozilla 3.5.2 (or later) will help, but you still have to be on your toes. While only a very small group of researchers is aware of it today, eventually it will hit milw0rm and those numbers could change radically.
There is also a lesser-known yet just as powerful version where a PDF has the exploit within it. Symantec was reported as having said, “you can block this method by preventing Adobe Reader from running JavaScript.”
CERT says to disable Flash by renaming the authplay.dll and rt3d.dll files.
Adobe has released product updates to Adobe Reader, Acrobat and Flash Player to resolve the relevant security issues.
There is a tool (Secunia PSI) out there that will help you know if your software is up to date and all of your patches are applied. Just like the NoScript in Firefox 3.5.2 (or later), it will help, but it means you have to stay up on it.
As a side note:
Julia Wolf from FireEye wrote an informative article about how ActionScript can be used to spray the heap. It details clearly why turning off JavaScript will not protect you.








So, every year after Blackhat – DC, they have the Pwnie Awards. While I was busy talking about Moxie and Dan’s concepts, I totally failed to mention the awards. Well, they are up and you can see ‘em here.




TechWebTV
July 16, 2009
Google announced a browser-based operating system (Chrome OS) that will run on Netbooks. InformationWeek’s Alex Wolfe and Fritz Nelson discuss its impact and feasibility.

