Support for MacOSX/Intel, this support requires SSE2, as does MacOS itself.
Support for runtime status updates (send a SIGHUP to the running john processes).
Several minor bugfixes
Two papers are now available that demonstrate inter-protocol security issues - Inter-protocol Communication and Inter-protocol Exploitation. Among other things they show the practicality of encapsulating exploit code in one protocol to compromise a program which uses a different protocol.
An example is provided that shows how a web browser can launch a MetaSploit type exploit to own an Asterisk server. Of course, this raises concerns over the (in)effectiveness of firewalls against this attack.
A common implementation flaw in FTP clients allows FTP servers to cause clients to connect to other hosts. This seemly small vulnerability has some interesting consequences for web browser security.
This paper discusses how the flaw affects Firefox, Opera and Konqueror.
BeEF the browser exploitation framework has been released. The current version is beta and still a work in progress but it should be easy to install.
Its purposes in life is to provide an easily integratable framework to demonstrate the impact of browser and cross-site scripting issues in real-time. The modular structure has focused on making module development a trivial process with the intelligence existing within BeEF.
It doesn’t take an Einstein to start linking web application attack vectors. In the “Inter-browser Communication” (IBC) blog I illustrated one basic method to maintain indirect real-time control over a browser (including data transfer). Using IBC it possible to load tools (in real-time) such as a port scanner to the controlled browser and retrieve the results. Following this logic, an entire HTTP Suite can be developed to attack internal networks using the browser as an unsuspecting proxy. Not to mention the extra dimensions that XSS viruses add.
Cross-site scripting (XSS) models are commonly thought to be the server controlling the browser. That is, all commands have come from code residing on the server. This is not necessarily the case. Control can be one browser (in)directly controlling/communicating to another. One method of browser-to-browser communication is employing an intermediate web server.