
When anti-virus goes rogue – A trifecta of Defender zero-days
Full disclosure carnival turns ‘Defender’ into ‘Attacker.’


Remembering the past is really useful, especially in cybersecurity, where we apparently need to re-invent and re-implement precautions and protections that we knew about perfectly well many years ago but somehow managed to forget.
Sometimes, of course, history is mysteriously exciting too, especially when we can’t be sure what our predecessors were up to, but are amazed and astonished by their activities anyway.
Just ponder the mysteries of sites and artifacts such as the Uffington White Horse, Skara Brae, the Nazca lines, the Antikythera Mechanism, and Göbekli Tepe.
Or consider the delicately delightful Golden Rhinoceros of Mapungubwe, as seen in the featured image at the top of this article.
Through modern eyes, you might reasonably assume it was made as art that projected both value and beauty – but why, and by whom, and for whom, and what did they say when they saw it for the first time?
Well, here’s a historical record of the internet that’s interesting, informative, and surprisingly important to visit, even when you aren’t specifically looking for the how-to or the must-have of a protocol or a packet format.
Welcome to the RFC INDEX.
RFCs are requests for comments, the internet’s way of creating standards that everyone can (and largely does) adopt, following a community-oriented, non-authoritarian approach.
The RFC collection was edited for many years by the late, great Jon Postel, who is remembered in two eulogies written on his death in 1998 and published, of course, as RFCs: RFC 2441 by Danny Cohen, and RFC 2468 by Vinton Cerf.
I doubt that anyone could possibly duplicate his record, but it stands as a measure of one man’s astonishing contribution to a community he knew and loved. [V. Cerf]
Jon set the standards for the Internet standards․․․ Jon was an authority without bureaucracy. [D. Cohen]
RFCs started at 1 (not, as you might perhaps expect from C programmers, from zero), and about a year ago, I jokingly wondered when the first RFC needing five digits would appear.
That would create an RFC10K moment for anyone who had grown accustomed to writing RFC numbers in at most four digits, perhaps left-padding with zeros the few pre-1000 RFCs we still refer to more than occasionally, such as the mighty 0822, from which we get the appearance and meaning (or syntax and semantics if you would like to sound grand) of email addresses.
My graph, crudely extrapolated with a straight line, suggested that a 5-digit RFC would arrive some time just before the middle of 2026, presumably in the month of June, perhaps just in time for the solstice.
And that’s what happened.
The first five-digit RFC to appear in the official index (they don’t all get accepted, and they don’t always get finalized in the order they were submitted) was RFC 10008, following on the heels of RFC 9998.
In case you’re wondering, RFC 9998 can be considered gnarly at the very least, entitled as it is Report from the IAB/W3C Workshop on Age-Based Restrictions on Content Access.
This RFC notes as objectively as it can that this is a thorny issue indeed, writing its headline to section 3.4 that Privacy and Trust Expectations Need Further Discussion.
Indeed, this issue is one that several governments in the world seem determined to “solve” by inviting private companies to operate mandatory services that collect, scan, process, and store identity-related data such as passports and driving licenses.
This implicitly “identifies” anyone too young to have such documents (or not sneaky enough to have access to fake or stolen ones) by the somewhat back-to-front method of explicitly identifying everyone else. That includes people who are quite obviously old enough to initialize an operating system, set up a mobile phone, or install a social media app without asking for permission from a for-profit company, possibly in another country, that is collecting data for the authorities.
To repeat the RFC: privacy and trust expectations need further discussion.
RFC 10008, in contrast, is entitled simply The HTTP QUERY method.
Despite its apparent simplicity, it’s been welcomed by web coding experts, because until now the only ways of asking a web server for information were a GET request or a POST request.
The problem with GET requests is that the stuff you want to search for, which might include personal information, is tacked onto the end of the URL itself, and URLs have a nasty habit of ending up written into log files, added to technical reports, or scraped and ingested by search engines and AIs.
And POST requests are really intended for submitting data that is meant to be processed by, and perhaps added to, the collection of information that the web server maintains.
Simply put, a POST may change the web server’s content or its back-end databases, so two successive POSTs can’t be assumed to produce identical results (and don’t have to), which is why a POST response can’t generally be cached.
And so, for the first time, a request that merely asks a question, but needs a message body to carry that question, doesn’t have to be sent as a POST.
A QUERY asks a question, for which there should be a definitive answer, while a POST is more of a demand to accept and absorb in some way the data that follows.
A QUERY is no longer a POST under false pretenses – there’s a formal way to let the other end know that you are asking for information about data already in the system, not submitting data that may or may not become part of it.
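To make the difference concrete, here is a small Python sketch. It is an added example written for this article, not code from the RFC or from any real web server, and the hostname, the access-log format, the toy dataset and the cache headers it hands out are all made up for illustration. It builds the same search as a GET, a POST and a QUERY, shows what a conventional access log would keep of each request, and runs them through a tiny handler that reads for GET and QUERY but writes for POST.

```python
"""GET vs POST vs QUERY: where the search terms end up, and what may be cached.

Added illustration; the host name, log format and data set are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Store:
    """Stands in for the server's back-end database (constructed sample data)."""
    records: list[str] = field(
        default_factory=lambda: ["alice@example.org", "bob@example.org"]
    )


def build_request(method: str, path: str, params: dict[str, str]) -> bytes:
    """Build a raw HTTP/1.1 request.

    GET has no body, so the parameters go into the URL; POST and QUERY carry
    them in the message body instead, leaving the request target clean.
    """
    encoded = urlencode(params)
    if method == "GET":
        head = f"GET {path}?{encoded} HTTP/1.1\r\nHost: search.example\r\n\r\n"
        return head.encode()
    body = encoded.encode()
    head = (
        f"{method} {path} HTTP/1.1\r\nHost: search.example\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


def access_log_line(raw: bytes) -> str:
    """What a Common Log Format access log keeps of a request: the request
    line only. Anything in the URL is recorded; the body is not."""
    request_line = raw.split(b"\r\n", 1)[0].decode()
    # Client address and timestamp are constructed placeholders.
    return f'203.0.113.7 - - [21/Jun/2026:12:00:00 +0000] "{request_line}" 200 -'


def handle(store: Store, raw: bytes) -> tuple[int, dict[str, str], str]:
    """Toy handler: GET and QUERY read from the store, POST writes to it.

    The Cache-Control values are this sketch's own choice: reads are treated as
    safe and repeatable, writes are not. The RFC's actual caching rules for
    QUERY responses are its own business and are not reproduced here.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    method, target, _version = head.split(b"\r\n")[0].decode().split(" ", 2)

    if method == "GET":
        params = parse_qs(urlsplit(target).query)
    else:
        params = parse_qs(body.decode())

    if method in ("GET", "QUERY"):
        needle = params.get("q", [""])[0]
        hits = [r for r in store.records if needle in r]
        return 200, {"Cache-Control": "max-age=60"}, ",".join(hits)

    if method == "POST":
        store.records.append(params["email"][0])
        return 201, {"Cache-Control": "no-store"}, ""

    return 405, {}, ""


if __name__ == "__main__":
    store = Store()
    for method in ("GET", "QUERY"):
        req = build_request(method, "/search", {"q": "alice"})
        print(access_log_line(req))       # only the GET line reveals q=alice
        print(handle(store, req))         # both return alice@example.org
    post = build_request("POST", "/subscribers", {"email": "carol@example.org"})
    print(handle(store, post), handle(store, post))
    print(store.records)                  # carol appears twice: POST is not repeatable
```

Run it and the GET line in the log carries the search term, the QUERY line does not, and the two QUERYs return the same answer while the two POSTs each change the store, which is exactly why one can be cached and the other can’t.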
So, there you have it – the answers to three questions you didn’t know you needed to ask!
Q1. When will RFC10K happen?
A1. June 2026.
Q2. How do I ask a web server about something without ambiguously seeming to be telling it about that thing at the same time?
A2. Use the new HTTP QUERY method (assuming the server supports it, of course).
Q3. How cool would a golden rhinoceros be?
A3. See above.
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image via Wikimedia commons, by Sian Tiley-Nel, under CC BY-SA 4.0.
