
Several buffer overflows in command-line utilities were found by a Spanish security firm, "Pentest".
This has been reported on several websites in the last 48 hours. But I can't understand all the fuss. Yes, it's a (local) vulnerability. Yes, Secureplatform is EAL4+ certified. But then again, Microsoft Exchange 2003 is also EAL4+ certified. So what does that say? What's under fire here? Secureplatform as a secure OS or the EAL certification process?
What does the EAL certification give us then? It gives us a template we can use to better integrate a product into a layered security approach. It isn't a holy grail. Remember, security is a process, not a product.
See:
- CheckPoint Secure Platform Multiple Buffer Overflows, posting by Hugo Vázquez Caramés
- Checkpoint Secure Platform Hack (PDF), analysis by Pentest