Advisories | What security breaches we've found
Sub Section: Commercial - Freeware/Opensource
We've been trying our best to help secure the open-source user community by auditing open-source applications.
However, you probably think that the new fixed/patched versions of the applications we tested are secure, which is totally wrong. That is a false sense of security. Developers who don't take security seriously keep writing code that is as flawed as ever, and new flaws are bundled together with new code changes and new features.
We don't intentionally hunt for vulnerabilities; the following are some of the ones we came across. Surely we are not the only ones who found such holes; many security researchers may have found the same holes at about the same time. According to the hacker code of ethics, we never do any harm or damage to the targets we test (doing damage would be one step further: exploiting the weaknesses found), and we make disclosure only after the vendor has been notified. But some vendors don't get back to us even after weeks of reporting; hence we assume that they ignore our findings. There is no patch for ignorance.
We always find it difficult to explain security risks, threats and vulnerabilities to developers who lack security knowledge and are stubborn about fixing things. There are many common security myths: secure today, hacked tomorrow. That's why we can't tell you something like “Hey, guy, this is protection code. Use this and your life will be forever secure!”
Since July '09, we have believed in FD (full disclosure). We've been reporting numerous vulnerabilities to various vendors, and only a few of them take an interest in fixing their security holes. Only FD will be a stronger force pushing them to fix. Our main concern is the users: our disclosure benefits security-aware users, who can take countermeasures to defend themselves.