Security
Big Ideas for saving the Internet
CIO magazine has run an article called How To Save The Internet. The core idea is that the Internet threatens to collapse under the load of spam, spyware, worms, etc., and that some sort of Big Ideas must be found to save the situation. A few of the suggested ideas merit a look...The first is "hire a czar." The idea would seem to be that the appointment of a high-level (U.S.) "cybersecurity" official would do something to make our systems more secure. It looks mostly like a bully-pulpit role:
Aside from the idea of how hardware and software would be "certified secure," one could imagine that people in the free software community could have a lot of fun creating warning labels.
Another suggestion is giving vendors incentives to create more secure software. Essentially, it is the return of the product liability idea. This approach may still offer some promise, but it is hard to see how to make it fit with the "no warranties" nature of free software.
Two related items are well described by the title applied to the first: "Treat End Users Like the Dummies They Are." The suggestion to have ISPs provide more filtering, detection, and response services to those who are willing to pay for them is fine. The other one, however, is more problematic:
The idea of "traceable code" would appear to pose some technical challenges of its own. But the idea that you could "save the Internet" by restricting access to programmable devices is truly frightening. There are a few of us out there who see the net as a bit more than a clothing-optional shopping mall. We would not react well to the idea that we would have to be licensed before getting a machine we could hack on.
There is an idea for the creation of reputation servers as an antidote to
phishing problem (though, of course, it has to be expressed as "using
XML and meta-data to tag websites with safety, reputation, past performance
and other security ratings
"). Something like that may yet be part
of a solution to certain classes of problems. More likely, however, is
that it would just become another variant of the (nearly useless) SSL
certificate mechanism.
Almost as an afterthought, the article presents a couple of relevant Big Ideas: make a bigger effort to write error-free software, and think carefully about what features any given program should have. Maybe an email client really should not be able to execute code received in messages. One wonders why nobody ever thought of that before.
See the article for the full list of "Big Ideas." For the most part, this article can be dismissed as just another silly journalistic exercise. But the truth of the matter is that people are actually likely to try some of these ideas. Look for a "Code Traceability and Programmer Licensing" initiative in a legislature near you sometime soon.
New vulnerabilities
Ethereal: Multiple vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2005-0699 CAN-2005-0704 CAN-2005-0705 | ||||||||||||||||||||||||
| Created: | March 14, 2005 | Updated: | March 28, 2005 | ||||||||||||||||||||||||
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than
0.10.10, including: The Etheric and 3GPP2 A11 dissectors are vulnerable to buffer overflows (CAN-2005-0704 and CAN-2005-0699), the GPRS-LLC could crash when the "ignore cipher bit" option is enabled (CAN-2005-0705) and various vulnerabilities in the IAPP, JXTA, and sFlow dissectors. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
gnupg: information leak
| Package(s): | gnupg | CVE #(s): | CAN-2005-0366 | ||||||||||||
| Created: | March 16, 2005 | Updated: | August 19, 2005 | ||||||||||||
| Description: | GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see." | ||||||||||||||
| Alerts: |
| ||||||||||||||
grip: buffer overflow
| Package(s): | grip | CVE #(s): | CAN-2005-0706 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 10, 2005 | Updated: | November 19, 2008 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
IPsec-Tools: denial of service
| Package(s): | ipsec-tools setkey racoon | CVE #(s): | CAN-2005-0398 | ||||||||||||||||||||||||||||
| Created: | March 14, 2005 | Updated: | April 5, 2005 | ||||||||||||||||||||||||||||
| Description: | The IPsec-Tools package is used to build other programs such as setkey and racoon. There is a potential denial of service vulnerability when parsing ISAKMP headers in racoon. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
luxman: buffer overflow
| Package(s): | luxman | CVE #(s): | CAN-2005-0385 | ||||
| Created: | March 14, 2005 | Updated: | March 16, 2005 | ||||
| Description: | Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based PacMan clone, that could lead to the execution of arbitrary commands as root. | ||||||
| Alerts: |
| ||||||
MySQL: input validation and temporary file vulnerabilities
| Package(s): | mysql | CVE #(s): | CAN-2005-0709 CAN-2005-0710 CAN-2005-0711 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 16, 2005 | Updated: | July 19, 2005 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | MySQL (prior to version 4.0.24) suffers from two input validation errors and a temporary file vulnerability. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
openslp: buffer overflows
| Package(s): | openslp | CVE #(s): | |||||||||||||||||
| Created: | March 14, 2005 | Updated: | March 21, 2005 | ||||||||||||||||
| Description: | The SUSE Security Team reviewed critical parts of the OpenSLP package, an open source implementation of the Service Location Protocol (SLP). During the audit, various buffer overflows and out of bounds memory access have been fixed which can be triggered by remote attackers by sending malformed SLP packets. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
Ringtone Tools: buffer overflow
| Package(s): | ringtonetools | CVE #(s): | |||||
| Created: | March 15, 2005 | Updated: | March 16, 2005 | ||||
| Description: | Qiao Zhang has discovered a buffer overflow vulnerability in the 'parse_emelody' function in 'parse_emelody.c'. A remote attacker could entice a Ringtone Tools user to open a specially crafted eMelody file, which would potentially lead to the execution of arbitrary code with the rights of the user running the application. | ||||||
| Alerts: |
| ||||||
sylpheed: buffer overflow
| Package(s): | sylpheed | CVE #(s): | CAN-2005-0667 | ||||||||||||||||||||
| Created: | March 15, 2005 | Updated: | April 15, 2005 | ||||||||||||||||||||
| Description: | Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5 allows remote attackers to execute arbitrary code via an e-mail message with certain headers containing non-ASCII characters that are not properly handled when the user replies to the message. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
Resources
March CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for March is out. Topics include the breaking of SHA-1, two-factor authentication, ChoicePoint, and Microsoft's "Ghostbuster" rootkit hunter. "This is too good an idea to abandon. Microsoft, if you're listening, you should release this tool to the world. Make it public domain. Make it open source, even. It's a great idea, and you deserve credit for coming up with it."
Events
Security Masters Dojo
The CanSecWest Security Masters Dojo is happening May 3 and 4 in Vancouver, BC, Canada. It is described as "Advanced and intermediate security training and technology enhancement for information security professionals." Click below for the course details.
Page editor: Jonathan Corbet
Next page:
Kernel development>>