User: Password:
|
|
Subscribe / Log in / New account

Security

Forcing updates

By Jake Edge
February 11, 2009

A recent thread on the desktop-architects mailing list touched on a subject that tends to generate strong feelings: automatic, silent updates for security issues. At first blush, it is an attractive idea that might help slow down or stop a fast-moving virus or other malware. It also would help protect users who might otherwise ignore or delay updating their system. On the other hand, there are lots of concerns about whose decision it is to have a "mandatory" update, what else might be contained in such an update, as well as how to ensure that the update doesn't break the user's machine.

Dan Kegel kicks off the discussion by asking:

Given how much malware is out there, shouldn't security fixes for remotely exploitable flaws be installed a bit more forcefully? e.g. instead of an ignorable notification, how about an in-your-face dialog saying they're going to be installed now? Or in some cases even just silently installing them?

This goes not just for distros; any ISVs is on the hook for rapid security updates these days, I would think.

While there are attractions, one of the immediate downsides was noted by KDE hacker Aaron Seigo: "distro Q/A resources would have to _significantly_ increase for this to work reliably. too many updates still break too many systems on too regular a basis." The first time a silently applied "fix" breaks someone's system, there will be a serious outcry. Microsoft and others have broken people's systems before with security updates, but that doesn't seem a good example to follow.

But, even with additional QA, there are plenty of reasons that a user might not want to get an update. GNOME foundation member Dave Neary presents several scenarios:

I for one would be a little paranoid about not being able to control installs of updates. I can imagine all kinds of scenarios where it would be undesirable: a 20M security fix starts downloading when I'm connected via GPRS at a conference, or over a 56K phone line; a kernel update downloads & requires a reboot; an application I am using and Absolutely Positively Must Keep Using for a few minutes upgrades, and isn't runtime-compatible with the update [...]

A kernel reboot or even application restart are definitely problem areas. There are many reasons a user might need to continue using a buggy application or kernel, even if the bug exposes them to an exploit. Some users have enough information to make that kind of determination, but others most definitely do not. How does the distribution or software package determine that? Presumably there will have to be settings to govern the behavior, which then begs the question: what is the default setting?

An additional problem is that users are training themselves—or the desktops and distributions are training them—to ignore pop-ups of various sorts. So suggestions like the one made by Ritesh Raj Sarraf: "For updates with priority 'security', I think it should just pop-up more often" are met with skepticism. Kegel opines:

People ignore dialogs like that. IMHO if we're going to avoid botnet nightmares, we're going to need at least some silent security updates.

That provoked a rather boisterous response from Linus Torvalds. His argument is that you can't trust the developers of various projects to determine what fixes should be applied. He is concerned that projects might want to slip other things into a "security" release:

Yes, they may "technically" be the people with the most information, but they are also the ones furthest removed from actual users - by definition. And they are also the ones that are most emotionally (and often financially) tied to things like "newest version".

His point is that he, and by extension other sophisticated users, are never going to turn over their systems to the whims of outsiders. He is willing to let distributions or even some software packages make that kind of decision, but only if things are not done silently. "There are programs that I trust to do their auto-updates, and I'm perfectly happy having firefox check for extensions automatically, for example. But even in the case of firefox, I want to _know_ when it does so."

Any kind of automated, silent upgrade feature from either a particular package or a distribution would be an enormous target for those with a malicious intent. It would be a kind of dream exploit to be able to inject malware into millions of unsuspecting systems—silent and unnoticed. A break-in to a distribution server might lead to an incredible malware outbreak, though the same thing could be accomplished today; it would just take more time.

But, the problem remains that there are lots of systems that are not getting updated and are thus vulnerable to a wide variety of exploits. As part of its Collaboration Summit, the Linux Foundation would like to have a meeting to discuss the issue. It is certainly an area where more thought is needed.

Comments (34 posted)

Brief items

Rooting your own phone: android security

Kernel hacker Pavel Machek is looking for kernel security holes, but perhaps not for the reason one would expect. He wants to exploit such a flaw to gain root on his Android G1 phone. He has already tried a few exploits that affect the 2.6.25 kernel, but none successfully to get root. He is looking for help from folks who may know of additional flaws to try. In his message, linked below, he also notes several security relevant issues with Android.

Full Story (comments: 11)

How to write a Linux virus in 5 easy steps

Here's a weblog posting by "foobar" describing an attack vector for desktop Linux systems. "When you save an email attachment under Linux, the execute flag is normally NOT set and thus, the file can't be executed just by clicking on it. So, no luck? Not so fast. Modern desktop environments, such as Gnome and KDE, conveniently offer a nice 'workaround' called 'launchers'. Those are small files that describe how something should be started. Just a few lines that specify the name, the icon that should be displayed and the actual command to execute. Conveniently, the syntax of those launcher files is the same for Gnome and KDE. And those launchers don't have to have any execute permissions set on them!" Your editor can't resist pointing out that this problem was covered here back in 2006. (Thanks to David Skoll).

Comments (75 posted)

New vulnerabilities

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2008-5510 CVE-2009-0357
Created:February 11, 2009 Updated:February 16, 2009
Description: Firefox 1.5 (and later) suffers from a pair of vulnerabilities. CVE-2008-5510: escaped null characters are not properly handled, allowing script sanitizing processes to be bypassed. CVE-2009-0357: access to cookies is not properly restricted, creating an information disclosure vulnerability.
Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
SuSE SUSE-SA:2009:009 MozillaFirefox 2009-02-16
Ubuntu USN-717-1 firefox-3.0, xulrunner-1.9 2009-02-10
Ubuntu USN-717-3 firefox 2009-02-11
Ubuntu USN-717-2 firefox-3.0 2009-02-10

Comments (none posted)

gnumeric: untrusted python modules search path

Package(s):gnumeric CVE #(s):CVE-2009-5983 CVE-2009-0318
Created:February 5, 2009 Updated:April 3, 2009
Description: gnumeric has an arbitrary code execution vulnerability. From the CVE entry: Untrusted search path vulnerability in the GObject wrapper around Python interpreter allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
Alerts:
Gentoo 200904-03 gnumeric 2009-04-03
Mandriva MDVSA-2009:043 gnumeric 2008-02-19
Fedora FEDORA-2009-1289 gnumeric 2009-02-05
Fedora FEDORA-2009-1295 gnumeric 2009-02-05

Comments (1 posted)

gpsdrive: multiple vulnerabilities

Package(s):gpsdrive CVE #(s):CVE-2008-4959 CVE-2008-5380 CVE-2008-5703
Created:February 5, 2009 Updated:February 11, 2009
Description: gpsdrive has multiple vulnerabilities that involve insecure temporary file usage. From the Fedora alert: This update removes several helper scripts: geo-code, geo-nearest, and gpssmswatch, which have been removed upstream due to security issues.
Alerts:
Fedora FEDORA-2009-1366 gpsdrive 2009-02-05
Fedora FEDORA-2009-1225 gpsdrive 2009-02-05

Comments (none posted)

gstreamer-plugins: arbitrary code execution

Package(s):gstreamer-plugins CVE #(s):CVE-2009-0398
Created:February 6, 2009 Updated:April 6, 2009
Description: An array indexing error was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
Alerts:
Mandriva MDVSA-2009:086 gstreamer-plugins 2009-04-03
Red Hat RHSA-2009:0269-01 gstreamer-plugins 2009-02-06
CentOS CESA-2009:0269 gstreamer-plugins 2009-02-06

Comments (none posted)

gstreamer-plugins: heap buffer overflow

Package(s):gstreamer-plugins CVE #(s):CVE-2009-0397
Created:February 6, 2009 Updated:July 13, 2009
Description: A heap buffer overflow was found in the GStreamer's QuickTime media file format decoding plug-in. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
Alerts:
Gentoo 200907-11 gst-plugins-good 2009-07-12
Ubuntu USN-736-1 gst-plugins-good0.10 2009-03-16
Debian DSA-1729-1 gst-plugins-bad0.10 2009-03-02
SuSE SUSE-SR:2009:005 dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good 2009-03-02
Mandriva MDVSA-2009:035 gstreamer0.10-plugins-good 2009-02-10
CentOS CESA-2009:0270 gstreamer-plugins 2009-02-06
Red Hat RHSA-2009:0271-01 gstreamer-plugins-good 2009-02-06
Red Hat RHSA-2009:0270-01 gstreamer-plugins 2009-02-06

Comments (none posted)

gstreamer-plugins-good: heap buffer overflows

Package(s):gstreamer-plugins-good CVE #(s):CVE-2009-0386 CVE-2009-0387
Created:February 6, 2009 Updated:December 22, 2016
Description: Multiple heap buffer overflows and an array indexing error were found in the GStreamer's QuickTime media file format decoding plugin. An attacker could create a carefully-crafted QuickTime media .mov file that would cause an application using GStreamer to crash or, potentially, execute arbitrary code if played by a victim.
Alerts:
Gentoo 200907-11 gst-plugins-good 2009-07-12
Ubuntu USN-736-1 gst-plugins-good0.10 2009-03-16
Debian DSA-1729-1 gst-plugins-bad0.10 2009-03-02
SuSE SUSE-SR:2009:005 dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good 2009-03-02
Fedora FEDORA-2009-1213 gstreamer-plugins-good 2009-02-05
Fedora FEDORA-2009-1343 gstreamer-plugins-good 2009-02-05
Mandriva MDVSA-2009:035 gstreamer0.10-plugins-good 2009-02-10
Red Hat RHSA-2009:0271-01 gstreamer-plugins-good 2009-02-06
Oracle ELSA-2016-2975 gstreamer-plugins-good 2016-12-21

Comments (none posted)

java-1.6.0-openjdk: privilege escalation

Package(s):java-1.6.0-openjdk CVE #(s):
Created:February 5, 2009 Updated:February 11, 2009
Description: openjdk has a privilege escalation vulnerability. From the Fedora alert: This fixes a default security policy, that allowed unsigned applets to access the gnome-java-bridge, allowing a privilege escalation.
Alerts:
Fedora FEDORA-2009-1373 java-1.6.0-openjdk 2009-02-05

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2009-0031
Created:February 10, 2009 Updated:May 7, 2009
Description: From the Red Hat advisory: A memory leak in keyctl handling. A local user could use this flaw to deplete kernel memory, eventually leading to a denial of service.
Alerts:
Debian DSA-1794-1 linux-2.6 2009-05-06
Debian DSA-1787-1 linux-2.6.24 2009-05-02
CentOS CESA-2009:0331 kernel 2009-04-20
Ubuntu USN-751-1 linux, linux-source-2.6.22 2009-04-07
Red Hat RHSA-2009:0360-01 kernel-rt 2009-03-26
Debian DSA-1749-1 linux-2.6 2009-03-20
Red Hat RHSA-2009:0331-01 kernel 2009-03-12
SuSE SUSE-SA:2009:010 kernel 2009-02-26
Red Hat RHSA-2009:0264-01 kernel 2009-02-10

Comments (none posted)

mod_auth_mysql: SQL injection

Package(s):mod_auth_mysql CVE #(s):CVE-2008-2384
Created:February 11, 2009 Updated:February 11, 2011
Description: The mod_auth_mysql module has a flaw in how it escapes multi-byte-encoded strings, enabling SQL injection attacks.
Alerts:
Fedora FEDORA-2011-0114 mod_auth_mysql 2011-01-04
Fedora FEDORA-2011-0100 mod_auth_mysql 2011-01-04
Red Hat RHSA-2010:1002-01 mod_auth_mysql 2010-12-21
Mandriva MDVSA-2009:189-1 apache-mod_auth_mysql 2009-12-28
Mandriva MDVSA-2009:189 apache-mod_auth_mysql 2009-08-01
Red Hat RHSA-2009:0259-01 mod_auth_mysql 2009-02-11

Comments (none posted)

nss: rogue CA vulnerability

Package(s):nss CVE #(s):CVE-2004-2761
Created:February 5, 2009 Updated:March 18, 2009
Description: nss has a rogue CA vulnerability. From the Fedora alert: This updates adds protection against rogue CA that was generated as a proof-of- concept of the MD5 collision attacks against X509 signatures.
Alerts:
Ubuntu USN-740-1 nss, firefox 2009-03-17
Fedora FEDORA-2009-1291 nss 2009-02-05
Fedora FEDORA-2009-1276 nss 2009-02-05

Comments (none posted)

roundcubemail: cross-site scripting vulnerability

Package(s):roundcubemail CVE #(s):CVE-2009-0413
Created:February 5, 2009 Updated:February 11, 2009
Description: roundcubemail has a cross-site scripting vulnerability. From the CVE entry: Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message.
Alerts:
Fedora FEDORA-2009-1204 roundcubemail 2009-02-05
Fedora FEDORA-2009-1256 roundcubemail 2009-02-05

Comments (none posted)

squid: denial of service

Package(s):squid CVE #(s):CVE-2009-0478
Created:February 10, 2009 Updated:March 25, 2009
Description: From the Mandriva advisory: Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests. This problem allows any client to perform a denial of service attack on the Squid service.
Alerts:
Gentoo 200903-38 squid 2009-03-24
Debian DSA-1732 squid3 2009-03-03
SuSE SUSE-SR:2009:005 dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good 2009-03-02
Ubuntu USN-724-1 squid 2009-02-25
Fedora FEDORA-2009-1517 squid 2009-02-12
Fedora FEDORA-2009-1526 squid 2009-02-12
Mandriva MDVSA-2009:034 squid 2008-02-10

Comments (none posted)

wicd: privilege escalation

Package(s):wicd/wicd CVE #(s):CVE-2009-0489
Created:February 10, 2009 Updated:April 10, 2009
Description: From the CVE entry: The DBus configuration file for Wicd before 1.5.9 allows arbitrary users to own org.wicd.daemon, which allows local users to receive messages that were intended for the Wicd daemon, possibly including credentials.
Alerts:
Gentoo 200904-12 wicd 2009-04-10
Slackware SSA:2009-040-01 wicd/wicd 2009-02-10

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds