
Security

Sendmail's Sender ID implementation

Sendmail Inc. has announced the availability of a test implementation of the "Sender ID" email specification. Sender ID is the result of a combination of SPF and Microsoft's Sender ID system. The mechanism uses information stored in domain name service records to verify whether a message can really have come from its claimed source address.

This technology is being promoted as an anti-spam measure, but it is unlikely to do much to reduce spam. What it can do is to cut back on spoofed email. It will thus be effective against phishing attacks and forged return addresses in general. It will do nothing about email sent from domains without SPF records, spammer domains, or messages sent from worm-infected systems.

There is one thing potential users should know about this technology, however: it is patented by Microsoft. There is nothing in the Sendmail press release, the sender authentication FAQ, or anywhere else on sendmail.net about this patent. But the fact is that Microsoft is claiming that a patent license is required to use or distribute code which implements the Sender ID specification.

Microsoft has published a royalty-free license agreement (PDF format). The license allows the implementation, use, and distribution of code using the patented techniques, but "solely for the purpose of conforming with the Sender ID Specification." This agreement is clearly a contract - it must be signed and returned to Microsoft to be effective. In theory, anybody who uses the Sender ID code without having signed the agreement is infringing the patent. One would think that Sendmail, Inc. would have wanted to mention this little fact.

There is nothing in the license which would allow Microsoft to terminate it - unless the user sues Microsoft for patent infringement. Microsoft could, however, change the license in the future, and anybody using the software without a signed license would be affected by the change. Running security-related software which has possible future licensing problems is a security risk in itself. Sender authentication would be a worthwhile improvement to the email system, but, perhaps, we need to look for another way to implement that capability.


Brief items

Back door in Diebold voting systems?

Black Box Voting is reporting a back door found in the Diebold GEMS central tabulator - the system which collects totals from electronic voting machines and spits out the bottom line. "By entering a 2-digit code in a hidden location, a second set of votes is created. This set of votes can be changed, so that it no longer matches the correct votes. The voting system will then read the totals from the bogus vote set. It takes only seconds to change the votes, and to date not a single location in the U.S. has implemented security measures to fully mitigate the risks." There is a second page with some light technical information; it seems the system runs on Microsoft Access.


New vulnerabilities

acrobat: errors in uuencode

Package(s): acrobat
CVE #(s): CAN-2004-0630 CAN-2004-0631
Created: August 26, 2004
Updated: September 1, 2004
Description: iDEFENSE has reported that Adobe Acrobat Reader 5.0 contains a buffer overflow when decoding uuencoded documents. An attacker could execute arbitrary code on a victim's machine if a user opens a specially crafted uuencoded document. This issue poses the threat of remote execution, since Acrobat Reader may be the default handler for PDF files. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0631 to this issue.

iDEFENSE also reported that Adobe Acrobat Reader 5.0 contains an input validation error in its uuencoding feature. An attacker could create a file with a specially crafted file name which could lead to arbitrary command execution on a victim's machine. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0630 to this issue.

Alerts:
Red Hat RHSA-2004:432-01 acrobat 2004-08-26


gaim: arbitrary code execution

Package(s): gaim
CVE #(s):
Created: August 30, 2004
Updated: September 1, 2004
Description: Gaim fails to do proper bounds checking in several instances. An attacker could crash Gaim or execute arbitrary code or commands with the permissions of the user running Gaim.
Alerts:
Slackware SSA:2004-240-01 gaim 2004-08-27
Gentoo 200408-27 gaim 2004-08-27


kernel: integer overflow

Package(s): kernel
CVE #(s):
Created: September 1, 2004
Updated: September 1, 2004
Description: The 2.6 kernel NFS and XDR code contains a number of integer overflow vulnerabilities which could be exploited (from a trusted address) for a denial of service attack.
Alerts:
SuSE SUSE-SA:2004:028 kernel 2004-09-01


krb5: double-free and ASN.1 parsing

Package(s): krb5
CVE #(s): CAN-2004-0642 CAN-2004-0643 CAN-2004-0644 CAN-2004-0772
Created: August 31, 2004
Updated: September 21, 2004
Description: Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. See CAN-2004-0642, CAN-2004-0643 and CAN-2004-0772. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. See CAN-2004-0644. See this CERT advisory for additional information.
Alerts:
Whitebox WBSA-2004:350-01 krb5 2004-09-20
OpenPKG OpenPKG-SA-2004.039 kerberos 2004-09-13
Conectiva CLA-2004:860 krb5 2004-09-09
Gentoo 200409-09 krb5 2004-09-06
Trustix TSLSA-2004-0045 kerberos5 2004-09-02
Mandrake MDKSA-2004:088 krb5 2004-08-31
Debian DSA-543-1 krb5 2004-08-31
Fedora FEDORA-2004-277 krb5 2004-08-31
Fedora FEDORA-2004-276 krb5 2004-08-31
Red Hat RHSA-2004:350-01 krb5 2004-08-31
Red Hat RHSA-2004:448-01 krb5 2004-08-31


MoinMoin: Group ACL bypass

Package(s): MoinMoin
CVE #(s):
Created: August 26, 2004
Updated: September 1, 2004
Description: MoinMoin contains a flaw that may allow a remote attacker to gain access to unauthorized privileges. The issue is triggered by an unspecified function failing within the program, which could allow anonymous users to gain administrative privileges, resulting in a loss of integrity. See this OSVDB advisory for more details. This has been fixed in MoinMoin version 1.2.3.
Alerts:
Gentoo 200408-25 moinmoin 2004-08-26


vpopmail: multiple vulnerabilities

Package(s): vpopmail
CVE #(s):
Created: September 1, 2004
Updated: September 1, 2004
Description: Versions of vpopmail prior to 5.4.6 suffer from a number of SQL injection, buffer overflow, and format string vulnerabilities.
Alerts:
Gentoo 200409-01 vpopmail 2004-09-01


Page editor: Jonathan Corbet


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds