
SANS ISC InfoSec Handlers Diary Blog



Issues affecting sites using Sitemeter [resolved]

Published: 2008-08-02
Last Updated: 2008-08-02 23:28:18 UTC
by Maarten Van Horenbeeck (Version: 1)

We received several reports (thanks Thanos and Jim) of sites which use the Sitemeter visitor counter that were no longer loading as of last night for users with Internet Explorer 7.

It appears that during a development update of SiteMeter, their team did not take into account a known bug in this version of the browser, which does not allow a script in a child element to modify its parent container (using either the innerHTML or appendChild method). This causes the browser to stop loading the site and return an "Operation aborted" message.

SiteMeter has now resolved the issue and published a blog entry explaining what happened. Just as with advertisement providers and the republishing of RSS feeds, it's an interesting example of how dependent our sites have become on third-party code and the potential impact.

Keywords: sitemeter ie7

BIND: -P2 patches are released

Published: 2008-08-02
Last Updated: 2008-08-02 11:12:39 UTC
by Swa Frantzen (Version: 1)

As expected, the Internet Systems Consortium released patches today addressing the stability and performance issues that some operators with significant load on their systems were struggling with.

Happy patching!

--
Swa Frantzen -- Section 66

Keywords: bind dns

A little of that human touch

Published: 2008-08-02
Last Updated: 2008-08-02 06:25:22 UTC
by Maarten Van Horenbeeck (Version: 1)

Several times each week, the Internet Storm Center is asked to broker between parties who have found vulnerabilities and the corresponding vendors of the software or services affected. While we're always happy to assist, the reason for our involvement has much less to do with animosity between both parties than with the availability of either one of them.

Many accidental finders of a security problem bump into issues when trying to report it to the vendor of the software or service. The last thing someone reporting an issue wishes to do is to spend twenty minutes logging a support case, only to be halted when they are asked for a serial number. There are situations in which a non-direct client may have become aware of a security issue in your product. Even in that case, you *really* want to know.

If you're a software vendor or services company, please take some time today to ensure you have security contacts listed on your public portals. It's always a good idea to ensure these details are known to organizations such as CERT, oCERT, the Storm Center and public resources such as the open vendor database at OSVDB. Nothing beats making it clearly visible on your site, where it's trivial for everyone to find.

Cheers,
Maarten
