News from 2004 - Security
News about Linux security, security alerts and exploits
PC Magazine Honors Astaro Security Linux, Dec 30, 2004
Astaro Security Linux was named PC Magazine's Best Business Security Solution and Editors' Choice in the publication's year-end edition.
Security Flaw Found In Multiple Linux Distros, Dec 24, 2004
iDEFENSE has discovered a flaw in Xpdf, an open-source viewer for Portable Document Format (PDF) files included in most Linux distros.
Linux lasting longer against Net attacks, Dec 23, 2004
Unpatched Linux systems are surviving longer on the Internet before being compromised, according to a report from the Honeynet Project released this week.
Large security holes found in PHP, Dec 17, 2004
The PHP development team has released an update for the widely used scripting language that fixes a number of highly serious bugs, according to the project and independent security researchers.
Security research suggests Linux has fewer flaws, Dec 14, 2004
The Linux operating system has many times fewer bugs than typical commercial software, according to an upcoming report.
New nest of Linux bugs uncovered, Dec 10, 2004
A security researcher has uncovered yet another set of security flaws in an image component which could put Linux users at risk of system compromise if they view a maliciously crafted image.
Virus attacks prompt Linux switch, Dec 09, 2004
Faced with a growing number of viruses hitting his network, small businessman Ralph Piche decided to switch to a Linux-based operating system for his desktop, rather than upgrade to the latest Windows offering.
Linux users warned over GNOME attack, Dec 09, 2004
A graphics-handling-based security flaw has been exposed in the GNOME desktop environment, which could allow machines to be compromised, if security experts are to be believed.
What are the real vulnerabilities of Linux?, Dec 08, 2004
"The [Linux] users who use default settings or do not harden for security are increasingly at risk," Dunham said. "They don't harden against attack -- they're not patching and they're not ensuring their passwords won't be attacked. That audience is growing increasingly for Unix and increasingly with Linux, which is now being sold at Wal-Mart."
Unprotected PCs Fall To Hacker Bots In Just Four Minutes, Dec 01, 2004
The most secure system during the experiment was the one running Linspire's Linux. Out of the box, Linspire left only one open port. While it reacted to ping requests by automated attackers sniffing for victims, it experienced the fewest attacks of any of the six machines and was never compromised, since there were no exposed ports (and thus services) to exploit.
Linux vendors rush out e-mail server patches, Nov 27, 2004
Several major Linux vendors have warned they are vulnerable to four flaws in a widely used IMAP e-mail server from Carnegie Mellon University's Cyrus Electronic Mail Project. The flaws could allow an attacker to take over a server.
Java flaw could lead to Windows, Linux attacks, Nov 24, 2004
A flaw in Sun Microsystems's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.
Hell hath no fury like Linux scorned, Nov 24, 2004
The controversy surrounding a negative Linux security report lingered this week after the author issued an open letter to the media and an Australian firm weighed in with fresh criticism.
X marks the Linux security hole, Nov 23, 2004
The X.Org Foundation and several Linux vendors have released updates for the X Window System technology on which most Linux graphical front-ends are based, fixing serious security flaws in a graphics-manipulation component.
SANS updates its list of the Top 10 Linux/UNIX threats, Nov 22, 2004
This edition of The Locksmith provides a breakdown of the latest update to the SANS-FBI list of the top ten most exploited security threats in Linux/UNIX systems.
Linux Phishing Attack Circulates on Net, Nov 20, 2004
A fake security bulletin purporting to be from Red Hat resurfaced, warning Linux users of a "critical-critical" security hole.
Researcher Finds Linux, Samba Security Bugs, Nov 19, 2004
A security expert this week reported two potentially significant bugs in Linux software used to share file and print services with Windows-based systems.
Pundits predict malware may target Linux, Nov 12, 2004
According to Trend Micro, the number of Linux viruses and worms reported in the wild between June and November of last year increased five-fold, from 100 to 496, and is still growing.
SUSE warns of hole in Linux kernel, Nov 09, 2004
Linux distributor SUSE has warned of one of the most serious security holes to date in version 2.6 of the Linux kernel, which could allow attackers to shut down a system running 2.6-based software.
Experts Debunk Linux Security Criticisms, Nov 09, 2004
Linux experts slam a report naming the OS as a favorite hacker target, citing methodology flaws and "suspicious" conclusions.
Mac OS X, BSD Unix top security survey, Nov 03, 2004
Linux operating systems offer the worst track record, according to Mi2g, with Windows coming in second.
Is Open Source Really More Secure?, Oct 31, 2004
In this article we'll discuss the claim made by proponents of open source software that such software is more secure. Is open source really inherently more secure than closed source commercial software?
'Real facts' show Linux more secure: study, Oct 29, 2004
The Windows vs Linux security debate has been given a fresh lease of life following the publication of a study by well-known tech journalist Nicholas Petreley which predictably concludes that Microsoft's "Get The Facts" campaign does not deal with the "real facts."
We all live in a Windows submarine..., Oct 26, 2004
MPs and security experts are attacking the government for its decision to use Windows 2000 on its submarines.
Linux kernel flaw allows DoS attack, Oct 26, 2004
A bug in version 2.6 of the Linux kernel allows remote users to crash systems running SuSE's latest enterprise and consumer software.
Local firm comes up with 'safe PC', Oct 26, 2004
Melbourne firm Cybersource has taken the idea of a read-only device to its logical conclusion and come up with what it calls a Safe Internet Computer, one that runs off a CD and is immune to worms, spyware and all the other filth that inhabits the internet these days.
Red Hat warns of malicious security ‘update’, Oct 25, 2004
Linux maker Red Hat is warning users about an e-mail that pretends to be an official security advisory but is actually a phishing-type scam that contains links to malicious code.
Linux kernel flaw could lead to DoS, Oct 22, 2004
Linux users running a 2.6 series kernel and using iptables for firewalling have been advised to upgrade to fix a bug which could be exploited remotely to cause a denial of service.
Linux wants to earn your trust, Oct 18, 2004
Secure version of operating system seeks to compete with Unix.
Does Linux really offer improved IT security?, Oct 01, 2004
With costs of software flaws exacting a huge toll on organizations -- NIST pegs it at nearly $60 billion annually in the U.S. alone -- many security experts advocate the use of open-source applications, which they say have fewer undiscovered, unpatched flaws.
Competition Heats Up To Offer Secure, Manageable, Affordable Linux Operating Systems, Oct 01, 2004
The race is on to deliver a version of the Linux open-source operating system that will be more secure than any of its predecessors but also manageable and affordable enough to garner widespread acceptance. Linux developer MandrakeSoft SA and a consortium of European software makers have tossed their hat into the ring, as has Trusted Computer Solutions Inc., a maker of software used by government agencies and businesses to securely transfer sensitive data.
'Highly critical' flaws fixed in RealPlayer, Sep 30, 2004
RealNetworks Inc. recommends users download updates it released to patch multiple security holes in RealOne Player, RealPlayer and Helix Player. An attacker could use the vulnerabilities to launch malicious code and delete files.
Open Source Security: Still a Myth, Sep 18, 2004
Open source may have many benefits over closed systems, but don't count security among them--yet. This article looks at why open source software may currently be less secure than its commercial counterparts.
Code Flaws Open Linux Apps to Attack, Sep 18, 2004
Vulnerabilities in code libraries that could potentially affect open-source programs using the GUI toolkit GTK+ were reported on the security Web site Secunia on Thursday. As initially discovered by Chris Evans, these problems could theoretically be exploited to spark a DDoS (distributed denial of service) attack and otherwise compromise a computer system.
German IT agency sets record straight on IE, Sep 17, 2004
In response to the growing number of viruses infecting computers, a spokesman for Germany's Federal Office for Information Security (BSI) has suggested that users consider alternatives to Microsoft's Internet Explorer (IE) Web browser. But the agency did not recommend that users steer clear of Microsoft products, the spokesman said, refuting a press release issued Tuesday by browser developer Opera Software.
Samba servers vulnerable to denial-of-service attacks, Sep 15, 2004
The Samba Team released on Tuesday a patch to fix two flaws that could result in disruptions for networks using the widely installed Unix and Linux software.
The two relatively minor flaws could crash or make unresponsive systems running version 3 of Samba, an open-source software package that allows Windows files and printers to be shared by Unix and Linux systems.
More big security holes in Linux, Sep 10, 2004
Open-source developers have warned of serious security holes in two Linux components that could allow attackers to take over a system by tricking a user into viewing a specially-crafted image file or opening an archive. Patches exist for the bugs, which affect LHA and imlib.
Security Vulnerability in Linux Qt Toolkit Fixed, Aug 25, 2004
Fixing the Qt flaw quickly was a priority, said Thomas Biege, a member of the SuSE security support and auditing team, in an interview with LinuxInsider. "Every application which is linked against the Qt3 library and used the vulnerable function of image handling can be crashed or exploited to execute arbitrary code by processing a malformed image," he said.
Open Source Not Ready for Anti-Virus, Aug 10, 2004
Anti-virus software is definitely a challenge for the open-source model, and while there is at least one active program, there's no good evidence of how well it works.
The anti-virus business is an interesting one. On the one hand, it's amazingly competitive on a worldwide basis, even if Symantec dominates the U.S. consumer market; there are a lot of companies in this business. But it's also a disappointing business technologically. The companies are not out to solve a problem as much as to acquire an annuity stream in the form of subscriptions for signature updates.
A fright at the Opera, Aug 10, 2004
Opera last week updated its browser to defend against a vulnerability that could allow an attacker to spy on private emails or computer files.
A flaw in versions of Opera prior to version 7.54 makes it possible for attackers to read (but not alter) files on a victim's PC or snoop on emails written or received by M2, Opera's mail program. The vulnerability also opens the door to cookie theft, URL spoofing (which can be used in phishing attacks) or tracking a user's browsing history.
Image flaw pierces PC security, Aug 06, 2004
Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.
The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.
Linux security problems are your own fault, Aug 03, 2004
The biggest proportion of attacks on Linux systems come from authorized users, and most were enabled by security misconfigurations, according to a new survey of Linux developers from Evans Data Corp.
Linux developers said they had few problems with attacks and viruses overall, with 92 percent saying their Linux systems have never been infected with a virus, and 78 percent saying their systems have never been hacked. Less than seven percent claimed to have been hacked three or more times.
Survey Says Linux Hacks Are Rare, Jul 29, 2004
Adding more fuel to the Linux vs. Windows fire, a research firm released a survey Wednesday that noted only 8% of Linux developers had ever seen a virus infect their systems.
Why Linux repositories are a huge competitive advantage for Linux, Jul 13, 2004
My friend Robin Miller recently wrote a very decent article about how spoiled we Linux users are, which inspired me to write this article that I've been kind of meaning to write for a while anyway, an article about how the various Linux repositories are and have been such a vast competitive advantage for Linux.
Corporate Web servers infecting visitors' PCs, Jun 25, 2004
Webmaster's note: Not a Linux story per se, but I can't think of a better reason to switch to Linux, or at least, an open source browser like Mozilla Firebird on Windows
Security researchers warned Web surfers on Thursday to be on guard after uncovering evidence that widespread Web server compromises have turned corporate home pages into points of digital infection.
The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed. Those flaws allow the Web server to install a program that takes control of the user's computer.
The extent of the attacks is unknown, but the security community has seen numerous cases of personal computers infected when the user merely visits a Web site.
Linux suppliers tackle security holes, Jun 24, 2004
Linux suppliers have begun releasing fixes for two critical security bugs in a networking component that could allow a denial-of-service attack or enable an attacker to take control of a system.
The problem is with the Internet Systems Consortium's Dynamic Host Configuration Protocol (DHCP) 3 application, shipped with many Linux and Unix operating system distributions as a tool for transmitting configuration information across a network.
New Linux Security Hole Found, Jun 15, 2004
A Linux bug was recently uncovered by a young Norwegian programmer that, when exploited by a simple C program, could crash most Linux 2.4 or 2.6 distributions running on an x86 architecture.
"Using this exploit to crash Linux systems requires the (ab)user to have shell access or other means of uploading and running the program—like cgi-bin and FTP access," reports the discoverer, Øyvind Sæther.
More flaws foul security of open-source repository, Jun 10, 2004
Security researchers have found at least six more flaws in the open-software world's most popular program for maintaining code under development.
According to a representative of the project that oversees the program, known as the Concurrent Versions System, the vulnerabilities include a flaw that could let an attacker take control of a CVS server from the Internet, putting the code repository's contents at risk. The flaws were discovered as part of an analysis of the program's code following the announcement last month of a similar set of issues.
Linux gets trial 'NX' security support, Jun 05, 2004
Linux seller Red Hat and chipmaker Intel released prototype Linux software this week to support a security technology designed to curtail the spread of viruses.
The security technology, called NX for "no execute," is built into several "x86" processors from Intel, AMD and Transmeta. The technology is designed to block vulnerabilities that viruses and worms use to spread, but operating system support is required for NX to work.
On Wednesday, Red Hat programmer Ingo Molnar announced a Linux patch for NX support based on a prototype from Intel.
Symantec CEO hits out at Microsoft... and Linux, Jun 03, 2004
Symantec CEO John Thompson has hit out at "the myth" that Microsoft's operating system is inherently less secure than the open-source alternatives, which he likened to a "dead-end alley". However, he still had few kind words for the software giant.
Thompson believes the reason Microsoft is so often seen as culpable for virus outbreaks and security flaws is simply because it is the biggest target – though he admitted that if "things get too homogenised, it is not a good thing" – especially where security is concerned.