Node’s new lead, Windows security disappoints, TCL is 25 and Brightbox is dim – Snippets


  • New project leader for Node.js: Isaac Schlueter has announced he’s standing down from project leading Node.js and handing the reins to TJ Fontaine who’s been working as “the primary point of contact keeping us all driving the project forward together”. Schlueter is off to create npm Inc, a company focussed on npm products and services; it will be interesting to see how that pans out.

  • Windows Native Isolation inadequate: Joanna Rutokowska, CEO of Invisible Things Labs, had previously said that they would be looking into using Windows Native Isolation (WNI) as a way of bringing their research with Qubes OS and its security isolated application architecture to Windows. Now in a posting Rutokowska says despite the time invested in creating Qubes WNI, the results have been disappointing and adds “today we publish a technical paper about our findings on Windows security model and mechanisms and why we concluded they are inadequate in practice”.

  • Tcl is 25: Tcl (Tool Command Language (often pronounced Tickle)) never really made the major leagues in programming languages but it did lead the way in embeddable scripting languages. A 25th birthday posting at TkDocs picks up on the oddness of syntax and some of the sweet of the ideas in Tcl, like Tk – a GUI language which worked everywhere? Madness!

  • EE’s Brightbox isn’t bright: The EE Brightbox has quite a few holes in its security. In an article by Scott Helme, Scott takes his Brightbox apart in a step by step look at finding vulnerabilities in routers. Guides like this are useful for developers to see so they get a better idea of what people are prepared to do to their code to get access. And get to the end for a 11 second guide on disposal of insecure devices.

Microsoft and Adobe’s October Patch Tuesday – Security Snippets


  • Microsoft’s Monthly: It’s remote code execution holes all the way down in this months Patch Tuesday. From a bundle of Internet Explorere fixes in MS13-080 to a crunchy critical remote code execution and extra ‘important’ privilege escalation holes in Windows drivers, MS13-081 going all the way back to XP SP3 and all the way up to Windows 8. But wait, there’s more according to the cumulative advisory, MS13-Oct. Critical remote code execution holes in .NET Framework (MS13-082) and Windows Common Control Library (MS13-083) and “Important” remote code execution holes SharePoint Server (MS13-084), Excel (MS13-085 and Word (MS13-086) are also reported. There’s also an information disclosure hole in SilverLight (MS13-087). Fixes available from your friendly Microsoft Update service.
  • Adobe patches help up: Adobe’s fixes for this month have also been released. As well as the usual Reader and Acrobat fixes, developers who use Adobe’s RoboHelp will want to check out APSB13-24 as its a critical hole which could enable code execution. Adobe are priority rating 3, as it’s “not historically been a target for attackers”, but there’s always a first time.