Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters All in one big page See also: last week's Security page. |
SecurityNews and EditorialsMcAfee patent for Internet based security services. The war of silly patents continues, this time invading the realm of security. McAfee has received a patent that covers securing, managing or optimizing a personal computer, a fairly broad sounding description with far reaching implications if it can actually hold up to challenges. The patent does, in fact, seem to cover any sort of automated system upgrade facilities such as those found in Ximian's Red Carpet or the Red Hat Network. The summary of the patent includes the following blurb: The user directs the Internet browser to a Internet clinical services provider web site computer and logs in to the site using an identifier and a secure password and optionally makes a selection of the type of servicing desired, wherein an automatically-executing software package encapsulated within a markup language communication unit deliverable across the Internet is delivered, to the user computer, the automatically-executing software package being adapted to perform security, management, or optimization functions on the user computer.
As might be expected, The Register took issue with this patent. ZDNet offered comments from both partners and competitors of McAfee, including one rather arrogant quote from the patent holder. "In an interview with the Associated Press, a McAfee representative indicated that any company that is seen as 'willfully flaunting the technology' may face legal action." While the patent may be another shot in the ongoing feud between long time rivals McAfee and Symantec, the impact of the patent could affect how personal computers are maintained in the future. The future of remote service provision, including such environments as .NET, may be at stake. Fortunately, while prior art may be the saving grace once again, one detailed step of the patent may prove even more open ended: [The] transmitting [of] an electronic message in an e-mail format from the server computer to the remotely located computer indicating that a new product or a new application is available for download. Neither Ximian nor Red Hat nor even Debian requires sending of email messages for notification of new software. Even further, the patent explicity calls for the payment of services which means at a minimum Debian should be in the clear. And finally, the really silly part here, the patent explicitly calls for the use of a "web browser," a term which leaves open the interpretation of methods for accessing any service on the Internet. So while McAfee has its shiny new patent, its footing remains unstable. Automated security updates instigated by the user using standard web protocols may still be protected. We just have to wait for challenges to begin. Flaws found in key wireless protocol (ZDNet). Two researchers in Israel, including one of the original RSA designers - Adi Shamir, and another from Cisco have found a serious flaw in the cipher used to protect messages on 802.11 wireless lans. The flaw, reported in a ZDNet article, can expose the key in less than 15 minutes. What's worse, the problem doesn't get more complex with longer keys. By default, WEP uses a static 40-bit key, and although that is often augmented in WLAN implementations, experts say the attack would work nearly as quickly on longer keys because the complexity of the attack grows linearly instead of exponentially in relation to the key length. In a separate incident reported in the same article, researchers at AT&T used an inexpensive wireless card and a Linux system to break the same cipher in WEP. Things are looking bleak for secure wireless networking right now. Code Redder. SecurityFocus posted a warning that a new version of Code Red was on the loose this week. This version, which gained access just as the original, was noted to be leaving backdoors in systems. Sklyarov updates. News of Dmitry Sklyarov's release on bail was covered on the Front Page this week. The news kept many news sources busy and, in the interest of complete coverage, we'll summarize what we've seen.
Security ReportsCaldera update for Tomcat. Caldera issued a security advisory for Jakarta/Tomcat in their OpenLinux Server 3.1 distributions this week. The updates doesn't appear to address vulnerabilities reported on external security lists but rather closes an internally reported problem. Zope security alert. A new Zope security alert has come out. There is, apparently, a problem in the permission checking code that would allow a suitably clueful attacker to access objects which should not be accessible. Zope versions 2.3.3 and the 2.4.0 alpha and beta releases are all vulnerable. A fix is available from Zope Corp; we have not yet seen any vendor updates. SuSE advisory for xmcd. SuSE has posted a security advisory targeting xmcd, the GUI-based CD player system. The problem stems from a lower level command line utility called Cda, which xmcd calls, having buffer overflow problems. Proprietary products. The following proprietary products were reported to contain vulnerabilities:
UpdatesSquid httpd acceleration ACL vulnerability. Check the July 26th Security Summary for details. Squid 2.3STABLE4 is affected; earlier versions are not. Red Hat 7.0 is reported to be vulnerable, while earlier and later versions are not. Debian is reported not vulnerable. A patch to fix the problem is available.
This week's updates: Previous updates: Vulnerability in telnetd. Check the July 26th Security Summary for details. This problem is actively being exploited on BSD systems.
This week's updates:
ResourcesA Net Unprotected (ZDNet). ZDNet talks to a few experts who fear the worst is yet to come when dealing with polymorphic worms like Code Red. "A polymorphic buffer overflow morphs part of its code every time it propagates. So any system designed to stop it can never identify it, yet the initial buffer overflow attack code remains intact." EventsUpcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Michael Hammel |
August 9, 2001
LWN Resources | ||||||||||||||||||