Tuesday, June 30, 2009

New Bug isolated

So after a long time fuzzing to figure out the new bug, turns out it's two new bugs =p (probably from the same code though). I am still waiting for Palm to get back to me on the new one, but I suspect they will want to fix this =]

-Ladd

Palm Patched my vulnerability in WebOS

Palm recently put out a new patch that addresses a vulnerability that I had discovered back on June 17th 2009 in the new WebOS for the Palm Pre. In my first disclosure to them, I included one critical issue and 2 minor issues.

After some quick testing last night, the critical issue was fixed; however, I have a potential new one that I will be sending to them today once confirmed.

The Patch notice: (My name is halfway down under 1.0.4)
Palm Patch Notes

To show Palm's commitment to security, I wanted to show you the timeline of events surrounding my disclosure and the rapid response.

6-16-2009 Critical Vulnerability discovered and validated
6-17-2009 Palm contacted to set up meeting/discussion
6-18-2009 New minor vulnerabilities found
6-21-2009 Palm contacts me, I send full disclosure to them
6-23-2009 Brian Hernacki contacts me and verifies critical issue, states will be patched
6-29-2009 Vulnerability is patched

I have not included any specific details on the matter from WebOS 1.0.3 as I have been asked to wait until more people are completely patched.

That being said, when given the green light, I will provide more details on the matter.



-Ladd

About Me

Who:

My name is Townsend Ladd Harris and this blog will be dedicated to all my security-related work. Ultimately I am doing this because my friends Chris Rohlf (http://em386.blogspot.com) and DanCzar keep nagging me to talk about my findings somewhere =p. I am currently employed at Sypris Electronics in Tampa.

What:

Currently the main focus of my research these days has been working on the new Palm phone that recently came out, which I will post on in a few.

If anyone wants to find me, I am usually in the #webos-internals IRC channel on freenode working with the rest of the Palm Pre homebrew community. I recommend checking out http://predev.wikidot.com and http://www.precentral.net/ if you want to help as well.