
Security


News and Editorials

McAfee patent for Internet based security services. The war of silly patents continues, this time invading the realm of security. McAfee has received a patent that covers securing, managing or optimizing a personal computer, a fairly broad-sounding description with far-reaching implications if it can actually hold up to challenges. The patent does, in fact, seem to cover any sort of automated system upgrade facility such as those found in Ximian's Red Carpet or the Red Hat Network.

The summary of the patent includes the following blurb:

The user directs the Internet browser to an Internet clinical services provider web site computer and logs in to the site using an identifier and a secure password and optionally makes a selection of the type of servicing desired, wherein an automatically-executing software package encapsulated within a markup language communication unit deliverable across the Internet is delivered, to the user computer, the automatically-executing software package being adapted to perform security, management, or optimization functions on the user computer.

As might be expected, The Register took issue with this patent. ZDNet offered comments from both partners and competitors of McAfee, including one rather arrogant quote from the patent holder. "In an interview with the Associated Press, a McAfee representative indicated that any company that is seen as 'willfully flaunting the technology' may face legal action."

While the patent may be another shot in the ongoing feud between long-time rivals McAfee and Symantec, the impact of the patent could affect how personal computers are maintained in the future. The future of remote service provision, including such environments as .NET, may be at stake. Fortunately, while prior art may be the saving grace once again, one detailed step of the patent may prove even more open-ended:

[The] transmitting [of] an electronic message in an e-mail format from the server computer to the remotely located computer indicating that a new product or a new application is available for download.

Neither Ximian nor Red Hat nor even Debian requires the sending of email messages to announce new software. Furthermore, the patent explicitly calls for payment for the services, which means that Debian, at a minimum, should be in the clear. And finally, the really silly part: the patent explicitly calls for the use of a "web browser," a term which leaves open the question of what other methods of accessing a service on the Internet it could cover.

So while McAfee has its shiny new patent, its footing remains unstable. Automated security updates initiated by the user over standard web protocols may still be protected from it. We just have to wait for the challenges to begin.

Flaws found in key wireless protocol (ZDNet). Two researchers in Israel, one of them Adi Shamir, one of the original designers of RSA, together with a researcher from Cisco, have found a serious flaw in the cipher used to protect messages on 802.11 wireless LANs. The flaw, reported in a ZDNet article, can expose the key in less than 15 minutes. What's worse, the problem doesn't get more complex with longer keys.

By default, WEP uses a static 40-bit key, and although that is often augmented in WLAN implementations, experts say the attack would work nearly as quickly on longer keys because the complexity of the attack grows linearly instead of exponentially in relation to the key length.

In a separate incident reported in the same article, researchers at AT&T used an inexpensive wireless card and a Linux system to break the same cipher in WEP. Things are looking bleak for secure wireless networking right now.

Code Redder. SecurityFocus posted a warning that a new version of Code Red was on the loose this week. This version, which gains access the same way as the original, was noted to leave backdoors on the systems it infects.

Sklyarov updates. News of Dmitry Sklyarov's release on bail was covered on the Front Page this week. The news kept many news sources busy and, in the interest of complete coverage, we'll summarize what we've seen.

  • Russian programmer Sklyarov freed on $50,000 bail (SiliconValley.com) SiliconValley.com appeared to be the first to carry the news that Dmitry Sklyarov has been released on $50,000 bail.

  • Sklyarov: A Huge Sigh of Release (Wired) Here's a Wired News article on the release of Dmitry Sklyarov. "Paradoxically, however, if the case against Sklyarov is dropped, the chances for a constitutional challenge to the DMCA could perhaps be hampered, some observers said. Sklyarov is thought to be the first criminal defendant charged under the law, and many who oppose it see his plight as a kind of Kafkaesque example of why the law needs to be changed."

  • Free Dmitry! (Salon) Salon has come up with new ways of applying pressure to get Dmitry Sklyarov out of jail. "2) Threaten to unleash a virus even more successful than Sircam, and with a payload so devastating as to threaten civilization itself: The 'Free Dmitry' virus will force any infected computer to play an unending loop of Richard Stallman's rendition of the 'Free Software Song.'"

  • Dimitry Sklyarov: Enemy or friend? (ZDNet) Bruce Perens writes about Dmitry Sklyarov on ZDNet. "While publishers fret over the potential of illegal copies of their books, Sklyarov's presentation reveals that they could be ripped off in an unexpected way: by producers of astonishingly inept cryptography software. Sklyarov is in jail for revealing that secret."

Security Reports

Caldera update for Tomcat. Caldera issued a security advisory for Jakarta/Tomcat in its OpenLinux Server 3.1 distribution this week. The update doesn't appear to address vulnerabilities reported on external security lists but rather closes an internally reported problem.

Zope security alert. A new Zope security alert has come out. There is, apparently, a problem in the permission checking code that would allow a suitably clueful attacker to access objects which should not be accessible. Zope versions 2.3.3 and the 2.4.0 alpha and beta releases are all vulnerable. A fix is available from Zope Corp; we have not yet seen any vendor updates.

SuSE advisory for xmcd. SuSE has posted a security advisory targeting xmcd, the GUI-based CD player system. The problem stems from buffer overflows in Cda, a lower-level command-line utility that xmcd calls.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • Adobe PDF files were reported as being vulnerable to carrying a computer virus. However, according to one virus writer and a follow-up posting, the trick still requires PDF readers to actually open the embedded objects. The standard Acrobat reader doesn't do that. Interestingly, one post to the BugTraq list asked if virus scanners have to reach into PDF files now, what do they do if the PDF file is encrypted?

  • Macromedia began warning users of ColdFusion Server that example applications left on ColdFusion servers can open those servers to attacks. The advisory posted from ISS listed multiple platforms as being vulnerable.

Updates

Squid httpd acceleration ACL vulnerability. Check the July 26th Security Summary for details. Squid 2.3STABLE4 is affected; earlier versions are not. Red Hat 7.0 is reported to be vulnerable, while earlier and later versions are not. Debian is reported not vulnerable. A patch to fix the problem is available.

This week's updates:

Previous updates:

Vulnerability in telnetd. Check the July 26th Security Summary for details. This problem is actively being exploited on BSD systems.

This week's updates:

Resources

A Net Unprotected (ZDNet). ZDNet talks to a few experts who fear the worst is yet to come when dealing with polymorphic worms like Code Red. "A polymorphic buffer overflow morphs part of its code every time it propagates. So any system designed to stop it can never identify it, yet the initial buffer overflow attack code remains intact."

Events

Upcoming Security Events.

Date                        | Event                                                                          | Location
August 9 - 10, 2001         | CERT Conference 2001                                                           | Omaha, NE, USA
August 10 - 12, 2001        | Hackers at Large 2001 (HAL2001)                                                | Enschede, Netherlands
August 13 - 17, 2001        | 10th USENIX Security Symposium 2001 Conference                                 | Washington, D.C.
September 11 - 13, 2001     | New Security Paradigms Workshop 2001 (NSPW)                                    | Cloudcroft, New Mexico, USA
September 28 - 30, 2001     | Canadian Association for Security and Intelligence Studies (CASIS 2001) (Dalhousie University) | Halifax, Nova Scotia, Canada

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Michael Hammel


August 9, 2001

Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds