Security

News and Editorials

Lessons from the Microsoft network intrusion. By far the most notorious security news this past week was the admission by Microsoft that their internal network had been compromised, the FBI called in to investigate, and the source code to Microsoft Windows and/or other Microsoft products possibly accessed by the intruders. Below, we've listed a compendium of sites that have coverage of the issue, so feel free to glut yourself. Most of the coverage has looked either at the mystery of who the intruders were, what their intent was, or the possible repercussions. For better or worse, though, these are all speculation; real answers will come later, or possibly not at all. We'd like to focus, instead, on the lessons to be learned from this intrusion.

First and foremost, the clearest message we see is that "all bugs deserve to be fixed". We cannot resist pointing out this old, and infamous, interview with Bill Gates in which he states, "There are no significant bugs in our released software that any significant number of users want fixed". The largest "bug", in this case, has been the vulnerability of the various Microsoft operating systems to viruses and the unintended execution of suspect binaries. Rather than fix this fundamental flaw, Microsoft allowed and encouraged an entire industry built on "protecting people" from its impact. Unfortunately, the ease with which new viruses can be developed, or mutated from previous viruses, plus the amount of personnel resources needed to keep virus databases up-to-date and computers secured, makes a joke of the ostensible purpose of this industry. The real purpose of the virus-protection software industry is to make money, and it was given a wonderful business model for it -- a never-ending supply of new viruses, guaranteeing that people would have to pay, again and again, in order to "get the latest protection". People didn't end up truly secure, just poorer.
In the end, it is poetic justice that Microsoft itself should suffer for its choice. What user cares about having this bug fixed? In this case, Microsoft is one user that must wish this bug had been fixed. They are far from the only one.

Another lesson from this intrusion is the fallibility of the closed-source security model. Time and time again, security experts in the Open Source community have warned that security which has not been exposed to scrutiny cannot be counted on. Now, with the possibility that the Microsoft operating system code has been exposed, and exposed to people with a track record for exploiting security vulnerabilities, we're about to get a graphic lesson on the topic. Given the widespread use of Microsoft products, what country, what company, is not currently wondering what impact this will have on them? Many people believe there are back-doors in Microsoft products -- if there are, and the source code has truly been exposed, they will be exploited. If I were a foreign government, I would be strongly tempted to make an international incident of this intrusion, demanding immediate disclosure of the source code, so that everyone at least has an equal chance of finding security vulnerabilities and protecting themselves against them.

In the end, the final lesson: while access to the source code can't protect you from security problems, it is an essential first step towards security. You can't protect yourself without it.

Press Coverage:
Princeton Team Cracks SDMI (Web Developer). The Secure Internet Programming team at Princeton chose to pick up the SDMI Challenge. As a result, they announced this week their defeat of the SDMI watermark technology, a critical part of SDMI's boasted security. The Princeton team explained their decision to participate in the challenge in their FAQ, which is well worth a perusal. Here is one quote: "Still, wouldn't it have been better for opponents of SDMI if you let SDMI go ahead and deploy a flawed technology, so music lovers could teach them a lesson by copying music despite the technology?" They go on to discuss the implications of the Digital Millennium Copyright Act (DMCA), which they felt would have made research into SDMI security outside the announced contest potentially illegal, and the glaring faults of the contest itself, which did not give contestants access to software equal to that which a consumer will have if the technology is deployed. Princeton waived the potential reward in return for free disclosure of what they found. We can only hope that their work helps bridge the knowledge gap with proponents of SDMI.

Zero Knowledge marks Freedom milestone (Upside). Mike Shaver, Zero Knowledge's Chief Software Officer and well-known Mozilla veteran, wanted to put an open source spin on the company's products. With the release of Freedom 2.0, they've made it official. "Freedom 2.0 is a software tool that lets users encrypt Internet communications and route those encrypted messages through a collection of independent servers which, in turn, add their own layers of encryption. Users who run the client on their desktop machines can use it to manage a collection of pseudonymous identities."

Tripwire Open Source, Linux Edition Now Available. Tripwire, Inc. has released Tripwire Open Source Linux Edition, a project being hosted on Sourceforge.

Interview with AES Winner (LinuxSecurity.com).
Vincent Rijmen, co-author of the AES winning algorithm known as Rijndael, is interviewed by LinuxSecurity.com for his thoughts on the development of the Rijndael algorithm, its selection as the NIST algorithm of choice for AES, thoughts on Linux and security, and the future of Internet security. "Vincent Rijmen: ... I think there is an important challenge in making the distinction between complexity and security. Some people still believe that added complexity increases automatically security. This belief should be erased. We should keep on working towards secure and simple systems, that are as easy to understand for the people as a door lock, a sealed envelope, etc."

Security Reports

Samba 2.0.7 SWAT vulnerabilities. Multiple vulnerabilities in SWAT, the Samba Web Administration Tool, were reported this past week. They can be used to brute-force usernames and passwords and, if logging is enabled, a race condition can be exploited locally to gain root access. Last, a denial-of-service attack can also be implemented. No fixes for this have been posted as of yet. Disabling SWAT, or restricting access to the service, is recommended.

nss_ldap race condition. Red Hat has reported a race condition in nss_ldap, a set of C library extensions which enable the use of X.500 and LDAP directory servers. Updated packages are provided. This problem will affect any Linux system using the nss_ldap package. No update from PADL Software, the official maintainer of nss_ldap, has been seen yet.

pam_mysql trusted input vulnerability. Pam_mysql, a pluggable authentication module used to authenticate users against a MySQL database, uses the user-provided username and password to construct SQL statements. This can be exploited both locally and remotely to gain access to plaintext passwords/hashes or, with pam_mysql > 0.4, to gain an unauthorized login. Check the original advisory for additional details. An upgrade to pam_mysql 0.4.7 will fix the problem.

bftpd buffer overflow. An exploitable buffer overflow was reported in bftpd 1.0.11. bftpd 1.0.12 has been released with a fix for this problem.

Multiple buffer overflows in tcpdump. FreeBSD discovered multiple buffer overflows in tcpdump 3.5 during an internal audit. They have released a patch to fix the problems.

Format string vulnerability in FreeBSD chpass utilities. FreeBSD reported a format string vulnerability which impacts multiple commands, including chfn, chpass, chsh, ypchfn, ypchpass, ypchsh, and passwd. Local root access can be obtained. They have released patches for the problem. Note that other BSD variants are likely affected; we do not know whether or not this code is shared with Linux.

dump-0.4b15 local root access. An input-trust vulnerability in dump-0.4b15 allows dump's environment variables to be used to gain local root access, according to this report on BugTraq. No patch for this has been released as of yet.

Red Hat cyrus-sasl advisory. Red Hat has released a security advisory for the cyrus-sasl packages shipped with Red Hat 7. Due to a bug, users who had been successfully authenticated were allowed to access resources that should have been blocked from them. Versions of cyrus-sasl shipped with earlier Red Hat Power Tools packages do not have the reported problem.

host 8.21 exploitable buffer overflow. An exploitable buffer overflow was apparently found and fixed in the host command some months ago, without announcement. host 8.21 has been verified as exploitable. No information on which version of host contains the fix for this is yet available.

lpr group permissions elevation. An IRC chat session reported vulnerabilities in lpr-0.50-4 and earlier which can be exploited locally to gain elevated permissions. In combination with a wu-ftpd install, it can be used to gain root. Note that newer versions of lpr are widely available, but you may want to check the version you are using.

Commercial products.
There appears to have been a minor conspiracy to release advisories regarding security flaws in commercial products this week. The following commercial products were reported to contain vulnerabilities:
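The pam_mysql item above describes SQL statements built directly from the user-supplied username and password. As an added example (not pam_mysql's own code), the following Python sketch puts that construction beside a parameterised query, using an in-memory SQLite table with constructed sample rows in place of the MySQL database; the unsafe variant shows how a quote character in untrusted input changes the statement itself rather than being treated as data.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the users table pam_mysql queries.
    Passwords are stored in the clear only to keep the sample short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.execute("INSERT INTO users VALUES ('o''brien', 'battery staple')")
    conn.commit()
    return conn


def build_query_unsafe(username, password):
    """The pattern the advisory describes: untrusted values pasted into the SQL text."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def authenticate_unsafe(conn, username, password):
    # A quote in either value ends the string literal early, so the rest of the
    # input is parsed as SQL. With a plain apostrophe that surfaces as a syntax
    # error; the statement's structure is under the caller's control either way.
    return conn.execute(build_query_unsafe(username, password)).fetchone()[0] == 1


def authenticate_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so no input can alter the statement."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] == 1


def demo():
    conn = make_db()
    results = {
        "safe_ok": authenticate_safe(conn, "alice", "correct horse"),
        "safe_wrong_pw": authenticate_safe(conn, "alice", "wrong"),
        "safe_quote_user": authenticate_safe(conn, "o'brien", "battery staple"),
    }
    try:
        authenticate_unsafe(conn, "o'brien", "battery staple")
        results["unsafe_quote_user"] = "ran"
    except sqlite3.OperationalError:
        results["unsafe_quote_user"] = "syntax error"
    return results


if __name__ == "__main__":
    print(demo())
```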
Updates

Conectiva update to XFree86 vulnerabilities. Andreas Hasenack of Conectiva sent in this update regarding our report on XFree86 vulnerabilities last week:

Regarding your story on XFree86 vulnerabilities, we have released an update for one of the vulnerabilities (in Portuguese) [bugtraq #1235] for the CL 5.0 distro (others, where applicable, were also updated). That update was done at a time when we were not sending update notices to lwn.net nor bugtraq, but only to our own local lists (in pt_BR). The other XFree86 issues are being investigated and will be addressed soon.
Apache mod_rewrite vulnerability. Files outside of the document root can be accessed if the mod_rewrite module for Apache is in use. For more details, check the October 5th LWN Security Summary.
This week's updates:
Previous updates:
Pine buffer overflow vulnerability. An exploitable buffer overflow in Pine was reported to BugTraq in early October. The problem involves Pine's handling of incoming mail during an open session. Check the October 5th LWN Security Summary for the initial report. Note that the FreeBSD update below is the first one we've seen for this problem. Also announced this week was pine 4.30, which, judging by the Changes, fixes this problem.
This week's updates:

ncurses buffer overflow. Check the October 12th LWN Security Summary for the initial report of this problem. Updates for this vulnerability continue to trickle in more slowly than usual.
This week's updates:
Previous updates:
Boa webserver directory traversal vulnerability. Check the October 12th LWN Security Summary for more details. Boa 0.94.8.3 fixes this problem.
This week's updates:
Previous updates:
NIS/ypbind format string vulnerability. A format string vulnerability in NIS/ypbind can be remotely exploited to run arbitrary code as root. An immediate upgrade is recommended. For more information, check the October 19th LWN Security Summary.
This week's updates:
Previous updates:
GnuPG false signature verification. GnuPG fails to correctly validate multiple signatures in a file. Check the October 19th Security Summary for details. GnuPG 1.0.4 has been released and contains the fix for this problem. Anyone using GnuPG will want to upgrade their package as soon as possible.
This week's updates:
Previous updates:
Buffer overflows in ping. Multiple buffer overflows in Alexey Kuznetsov's ping were discussed October 19th.
This week's updates:
Previous updates:

GNU CFEngine format string vulnerability. Root access can be obtained on a local system by exploiting CFEngine's use of syslog and its related format string vulnerability. Check the October 5th LWN Security Summary for more details.
This week's updates:
Previous updates:
Events

Upcoming security events.
Section Editor: Liz Coolbaugh |
November 2, 2000