Security
Security Vulnerabilities in Sharp Zaurus
On July 10th, a report of remote filesystem access and screen-locking passcode disclosure vulnerabilities in Sharp Zaurus was released by the Syracuse University Center for Systems Assurance. The first is a little scary: the sync service gives anybody with network access to the Zaurus (through a wireless net, say) the ability to overwrite any file on the filesystem. The second is a problem with relatively weak encryption of passwords. It was pointed out, in posts to BugTraq, that Sharp did mitigate, but not resolve, the remote filesystem access risk by restricting access to the vulnerable port.
Sharp has apparently known about these problems for more than a month, but no update is yet available that fixes them. The Zaurus developer community apparently knew about the remote filesystem access vulnerability as early as March 29th. An independently compiled list of problems with the Zaurus, last updated May 6th, includes the remote filesystem access vulnerability and some pointed comments on Sharp's management.
Richard Shim reported on the security vulnerabilities for News.com, including his own comments on Sharp's management of Zaurus development.
"Sharp committed to Linux and the open-source community, but they've realized that they don't want to live the lifestyle," said a source familiar with the company's plans.
Brief items
Linux attacks on the rise? (Register)
The Register speaks about a recent security study from security consultancy Mi2g. "Attacks on Linux and open source Web applications appear to have risen sharply this year, while attacks on Windows systems are markedly down. That's the conclusions of a study by security consultancy mi2g after it compiled a database on attacks culled from data from defacement archives (such as alldas.org), hacker bulletin boards and 'information from automatic robots'."
Hack attacks on Linux on the rise (News.com)
News.com writes about a report by U.K. security consultancy MI2g that claims that successful hacks on Linux web servers are on the rise. "In the past, hackers and virus writers have largely focused their efforts on the Windows platform, as its dominance on desktop PCs makes it a ready target. However, Linux has a large share of the Web server market, and Linux server applications are often vulnerable to attack because of mismanagement, according to the study."
Debian GNU/Linux 2.2 updated (r7)
This is the seventh revision of Debian GNU/Linux 2.2 (codename `potato') which mainly adds security updates to the stable release, along with a few corrections of serious bugs.
Cyberterrorists don't care about your PC (ZDNet)
ZDNet looks at vulnerabilities in SCADA systems. "Currently, power grids, dams, and other industrial facilities are monitored by Supervisory Control and Data Acquisition (SCADA) systems; approximately three million of these exist throughout the world. Based on telemetry and simple data acquisition, they give scant regard to security, often lacking the memory and bandwidth for sophisticated password or authentication systems. SCADA typically runs on DOS, VMS, and Unix platforms, although vendors are now shipping Windows NT and Linux versions, as well."
July CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for July is out; it looks at security threats to embedded devices, the "Perrun" virus, and more. "I have long suspected a cozy little link between virus writers and antivirus software makers. The latter certainly needs the former, both to keep viruses in the news and to provide a steady revenue stream from updates. And here's an example of them sharing information."
Security reports
CARE 2002 file disclosure and SQL injection vulnerabilities
CARE 2002 version 1.0.0.2 fixes file disclosure and SQL injection vulnerabilities. CARE 2002 is an open source software package for hospitals, clinics and private medical practices. The first beta version of CARE 2002 was created by Elpidio Latorilla.
Double Choco Latte multiple vulnerabilities
Ulf Harnhammar reports file upload, file download and cross site scripting vulnerabilities in Double Choco Latte which are fixed in version 20020706.
Vulnerabilities in the GoAhead Web Server
Matt Moore reports two vulnerabilities in GoAhead Web Server v2.1:
- Cross Site Scripting via 404 messages.
- Read arbitrary files from the server running GoAhead (Directory Traversal).
New vulnerabilities
libpng buffer overflow vulnerability
Field | Value |
---|---|
Package(s) | libpng libpng2 libpng3 |
CVE #(s) | |
Created | July 17, 2002 |
Updated | August 19, 2002 |
Description | Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution. Since libpng is used by programs that talk to the outside world (e.g. mozilla), it is worth upgrading. libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years. |
Alerts | |
Resources
Flawfinder 1.20, a security auditing tool for C/C++
David A. Wheeler has released Flawfinder version 1.20, "a tool that examines C/C++ code and reports possible security flaws in the code (sorted by risk level)."
Linux Advisory Watch
The July 12th Linux Advisory Watch newsletter from LinuxSecurity.com is available.
Papers from the 11th USENIX Security Symposium
A number of interesting papers considering security and open source will be presented at the 11th USENIX Security Symposium the week of August 5th in San Francisco, California, USA. We noticed a few that have already been released by the authors.
- Linux Security Modules: General Security Support for the Linux Kernel (HTML format). "The Linux Security Modules (LSM) project has developed a lightweight, general purpose, access control framework for the mainstream Linux kernel that enables many different access control models to be implemented as loadable kernel modules. A number of existing enhanced access control implementations, including Linux capabilities, Security-Enhanced Linux (SELinux), and Domain and Type Enforcement (DTE), have already been adapted to use the LSM framework. This paper presents the design and implementation of LSM and discusses the challenges in providing a truly general solution that minimally impacts the Linux kernel."
- Linux Security Module Framework (PDF format). "This paper presents the design and implementation of the LSM framework, a discussion of performance and security impact on the kernel, and a brief overview of existing security modules."
- Deanonymizing Users of the SafeWeb Anonymizing Service (PDF format). "The SafeWeb anonymizing system has been lauded by the press and loved by its users; self-described as "the most widely used online privacy service in the world," it served over 3,000,000 page views per day at its peak. SafeWeb was designed to defeat content blocking by firewalls and to defeat Web server attempts to identify users, all without degrading Web site behavior or requiring users to install specialized software. In this paper we describe how these fundamentally incompatible requirements were realized in SafeWeb's architecture, resulting in spectacular failure modes under simple JavaScript attacks."
- Secure Execution Via Program Shepherding (PDF format). "We introduce program shepherding, a method for monitoring control flow transfers during program execution to enforce security policies. Program shepherding provides three techniques as building blocks for security policies. [...] This system operates on unmodified native binaries, requires no special hardware or operating system support, and runs on existing IA-32 machines under both Linux and Windows."
- Setuid Demystified (PDF format). "Access control in Unix systems is mainly based on user IDs, yet the system calls that modify users IDs (uid-setting system calls), such as setuid, are poorly designed, insufficiently documented, and widely misunderstood and misused. This has caused many security vulnerabilities in application programs. [...] Finally, we provide general guidelines on the proper usage of the uid-setting system calls, and we propose a high-level API that is more comprehensible, usable, and portable than the usual Unix API."
- Infranet: Circumventing Web Censorship and Surveillance (PDF format). "An increasing number of countries and companies routinely block or monitor access to parts of the Internet. To counteract these measures, we propose Infranet, a system that enables clients to surreptitiously retrieve sensitive content via cooperating Web servers distributed across the global Internet."
- Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing (PDF format). "The security of the vast majority of "secure" Web services rests on SSL server PKI. However, this PKI doesn't work if the adversary can trick the browser into appearing to tell the user the wrong thing about the certificates and cryptography. [...] This paper reports the results of our work to systematically defend against Web spoofing, by creating a trusted path from the browser to the user."
Events
Black Hat Briefings 2002 Keynote Speakers
Black Hat Inc has announced the keynote speakers for Black Hat Briefings 2002 coming up July 31st to August 1st in Las Vegas, Nevada, USA.
Upcoming Security Events
Date | Event | Location |
---|---|---|
July 31 - August 1, 2002 | Black Hat Briefings 2002 | (Caesars Palace Hotel and Resort) Las Vegas, NV, USA |
August 2 - 4, 2002 | Defcon | (Alexis Park Hotel and Resort) Las Vegas, Nevada |
August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
August 19 - 21, 2002 | Canadian Security & Intelligence Conference (CSICON) | (Hyatt Regency) Calgary, Alberta, Canada |
August 28 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney