Archived Blog

Black Hat Conference Wrap-up

08.03.2009 - 5:00 PM

We just got back from Black Hat/Defcon and wanted to summarize some of the research highlights of this year's con. If you were following us on Twitter, we tweeted the presentations that we found interesting. We certainly were not the only ones taking advantage of micro-blogging at the con.

 

Talk of the town...

The biggest discussions outside of the presentations at Black Hat were:

* The ATL vulnerability (CVE-2008-0015) that affected multiple ActiveX controls, including controls in Adobe and Cisco. The controls were statically linked to the vulnerable ATL library within Visual Studio when they were compiled. The researchers who discovered this bug won a Black Hat Pwnie for Best Client-Side Bug.

* The Adobe PDF/SWF 0-day - this generated a lot of talk as well, because there were very few work-arounds, and disabling JavaScript was not one of them. Adobe issued a patch fairly quickly, releasing it late last week.

Both of these vulnerabilities were patched during the week Black Hat was occurring.

If you haven't patched the machines on your network already, here are the necessary links. It's advisable to patch as soon as possible; these vulnerabilities are being exploited in the wild.

Other chatter concerned the fact that Dan Kaminsky's main website/machine, DoxPara Research, was compromised.

The Talks...

There were some great talks this year. Moxie Marlinspike, Dan Kaminsky, and Mike Zusman discussed some serious flaws surrounding the implementation and model of SSL. Kostya Kortchinsky's talk demonstrated a vulnerability that allowed him to break out of a VMware guest. SMS flaws were discussed, and even the San Francisco parking meters were shown to have vulnerabilities.

Here is a list of the talks we attended and felt worth special mention:

Here is a list of talks we wished we had attended, but we were either at another talk, or sleeping in. =]

  • Mark Dowd, Ryan Smith, David Dewey - The Language of Trust: Exploiting Trust Relationships in Active Content (Movie)
  • Egypt - Using Guided Missiles in Drive-bys: Automatic browser fingerprinting and exploitation with Metasploit (Slides)
  • Jeremiah Grossman, Trey Ford - Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way (Slides)
  • Nick Harbour - Win at Reversing: Tracing and Sandboxing through Inline Hooking (Slides, API Thief tool)
  • Kostya Kortchinsky - Cloudburst: Hacking 3D (and Breaking Out of VMware) (Paper, Slides)
  • John McDonald, Chris Valasek - Practical Windows XP/2003 Heap Exploitation (Paper)
  • Mikko Hypponen - The Conficker Mystery (Paper, Slides)

Great con this year. We especially want to thank some of our gracious hosts for the invites to the conference parties - McAfee, Core, Microsoft, Facebook, ISEC, and iSIGHT Partners. Some parties were great, and some were...out of the ordinary, but maybe to be expected for Vegas!
