Device drivers filled with flaws, threaten security, May 27, 2005

The uneven skills of driver programmers have left a legion of holes in software that ships with Windows and Linux, security experts say.

Companies face greater risks if they run their Web sites on Linux rather than Windows, a Microsoft-funded study has concluded.

A flaw in the popular open source mailing list management application Mailman has led to the theft of the passwords of the users of a well-known security discussion group

A source-code analysis of the MySQL database, a popular open-source program at the heart of many Web sites, revealed few bugs compared with the number found in commercial code, testing company Coverity said Friday.

Developers of the Linux kernel created a security mailing list this week to air future vulnerability information regarding the open-source operating system's core code.

Unix-like systems, such as Linux and BSD, run server software, including the MySQL database, as a separate user, shielding many critical system functions from exploitation by such a worm.

Unpatched Linux systems are surviving longer on the Internet before being compromised, according to a report from the Honeynet Project released this week.

The Linux operating system has many times fewer bugs than typical commercial software, according to an upcoming report.

A graphics-handling based security flaw has been exposed in GNOME desktop environment, which could allow machines to be compromised if security experts are to be believed

A flaw in Sun Microsystems's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs.

The Samba Team released on Tuesday a patch to fix two flaws that could result in disruptions for networks using the widely installed Unix and Linux software.

The two relatively minor flaws could crash or make unresponsive systems running version 3 of Samba, an open-source software package that allows Windows files and printers to be shared by Unix and Linux systems.

The Apache Foundation, an open-source development group, on Thursday pulled its support of the proposed antispam standard Sender ID, saying Microsoft's license requirements are too strict.

The move by the group responsible for the popular Apache Web server comes as other open-source developers also voiced reservations about Microsoft's attempts to apply stringent license requirements to its contribution to the spam-fighting technology.

"We believe that the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with Apache License 2.0," the group wrote Thursday in its letter to the technical committee working on the technology.

Sendmail has taken a first stab at software to authenticate the source of e-mail messages, a technology that will be key to preventing the proliferation of spam.

The company released a module for its Sendmail e-mail server software that attempts to verify the source of messages to help Internet users block mail from unwanted senders. The technique is part of a developing Internet standard known as Sender ID.

The Governator may terminate California's reliance on proprietary software and traditional telephone systems, if a recently published state report is heeded.

A body of independent auditors and experts recommended last week that the state consider open-source software and voice over Internet Protocol telephony as two measures to cut costs. The suggested measures are a small part of the voluminous California Performance Review, released Aug. 2.

"If all of these recommendations are implemented, they have the potential to save more than $32 billion over the next five years," the directors of the group of appointees told California Gov. Arnold Schwarzenegger in an letter introducing the report.

Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.

The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.

Webmaster's note: Not a Linux story per se, but I can't think of a better reason to switch to Linux, or at least, an open source browser like Mozilla Firebird on Windows

Security researchers warned Web surfers on Thursday to be on guard after uncovering evidence that widespread Web server compromises have turned corporate home pages into points of digital infection.

The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed. Those flaws allow the Web server to install a program that takes control of the user's computer.

The extent of the attacks is unknown, but the security community has seen numerous cases of personal computers infected when the user merely visits a Web site.

Security researchers have found at least six more flaws in the open-software world's most popular program for maintaining code under development.

According to a representative of the project that oversees the program, known as the Concurrent Versions System, the vulnerabilities include a flaw that could let an attacker take control of a CVS server from the Internet, putting the code repository's contents at risk. The flaws were discovered as part of an analysis of the program's code following the announcement last month of a similar set of issues.

The Debian Project warned on Monday that a flaw in the Linux kernel helped attackers compromise four of the open-source software project's development servers.

IBM is teaming up with the government of Brazil to develop the country's expertise in open-source software such as Linux, the technology giant announced Friday.

Big Blue signed a letter of intent with the South American country, stating a shared vision of developing technology that's based on open-source software and open standards, according to a statement released by IBM.

Dismissing pundits who have disparaged new technologies, Red Hat CEO Matthew Szulik had a simple message for LinuxWorld attendees: We will prevail.