Security

News and editorials

Buffer overflow protection from kernel patches. Patches for the Linux kernel exist, like Solar Designer's non-executable stack patch, which disallow the execution of code on the stack, making a number of buffer overflow attacks harder - and completely defeating a number of current exploits used by "script kiddies" worldwide. However, such patches have not been pulled into the main Linux kernel. Why not?

Linus has resisted these patches for a couple of reasons. One is that there are occasional uses for executable code on the stack; life gets a bit harder if you turn that off. But Linus's main point has always been that a non-executable stack is a band-aid solution which does not fix the real problem - poorly written applications. The real solution is to eliminate buffer overflows from user space code; these overflows can be exploited, after all, without an executable stack (though it is harder). See, for example, this note from Linus from back in August, 1998.

The point Linus makes is valid. Meanwhile, however, the script kiddies are giving a number of sites grief that this fix could prevent. In the end, security is not absolute, and every obstacle placed in the way can only help. But don't expect a non-executable stack from the mainstream kernel anytime soon; those interested in high security will need to look at the Solar Designer patches or a distribution like Immunix instead.

Lessons from the quake cheat. Eric Raymond sent us an article about the "Quake cheat" - people modifying the (now open-source) Quake client to gain an advantage in the game. Eric's point is that, had Quake been developed as an open-source application since the beginning, these problems would not have arisen, since different design decisions would have been made. Worth a read.

As another case to look at, consider Netrek, which has dealt with this problem for a long time. Netrek, in the end, has gone with a "blessed binaries" scheme; the code is in the open, but only specially built binaries (containing a proper cryptographic key) can be used with most servers.

How SSH was freed. Daemonnews has put out a nice article describing the development of OpenSSH, titled "How SSH was freed". It gives some nice background on the developers that did the work and even includes some pictures. Of course, some people might disagree that the following constitutes "freeing" the code: "As detailed in the OpenSSH history page, much of the early work involved removing GPL'd or non-portable code."

Security Reports

Quake Smurf. An exploit has been posted that allows a hacker to kick a player off a Quake server.

glFtpdD vulnerabilities. Multiple vulnerabilities have been reported in the glFtpdD FTP Daemon. A fix for the problem has been made available and will be included in the next release.

Traffic shaper. Yuri Kuzmenko pointed out that the Linux traffic shaper allows non-root accounts to reset the speed of the shaper. Alan Cox acknowledged the problem and indicated that it has been fixed in the pre-patch series for the Linux 2.2.14 kernel (which should hopefully be released in the near future).

msql cgi script. The w3-msql cgi script distributed with msql contains exploitable buffer overflows that can allow arbitrary code to be executed under the httpd uid, according to this advisory. An exploit for Solaris has been released. If you are not using the script, removing it from your system is probably a good idea. No vendor comment or fix has been reported.

Resources

Denial of Service Tools. The latest CERT Advisory addresses new techniques for implementing Denial-of-Service attacks that are becoming more frequently used. This is not the type of problem that an easy patch or update will fix, so they can only provide suggestions, such as:
Events

RAID 2000. The Call-For-Papers for the Third International Workshop on the Recent Advances in Intrusion Detection (RAID) has been released. Papers are due by March 30th, 2000 and the conference itself will be held October 2nd through the 4th in Toulouse, France.

Section Editor: Liz Coolbaugh
December 30, 1999