Security - could someone explain?

Georgina gena at gena-j.net
Tue Mar 12 09:02:18 EST 2002


Hi

Soneone has forwarded this on from another list and I wondered if
there's a serious risk?

From:    "Martin Roberts" <martin at mproberts.co.uk>
Subject: FW: (Access-UK) - Flaw leaves Linux computers vulnerable
Date:    Tue, 12 Mar 2002 10:22:50 +0000


-----Original Message-----
From: Dj Paddy [mailto:t.toner at ntlworld.com]
Sent: 12 March 2002 01:01
To: Dj Paddy
Subject: (Access-UK) - Flaw leaves Linux computers vulnerable


Flaw leaves Linux computers vulnerable

By
Robert Lemos
Staff Writer, CNET News.com
March 11, 2002, 2:10 PM PT

update A flaw in a software-compression library used in all versions of
Linux could leave the lion's share of systems based on the open-source
operating
system open to attack, said sources in the security community on Monday.

Several other operating systems that use open-source components are
vulnerable too varying degrees as well.

The software bug--known as a double-free vulnerability--causes key
memory-management functions in the zlib compression library to fail, a
condition that
could allow a smart attacker to compromise computers over the Internet, said
Dave Wreski, director for open-source security company Guardian Digital.

flashframe frame

 frame
They came in search of better software.
They came in search of better software.
 frame end
flashframe frame end

"It is just a matter of time before an exploit is developed," Wreski said.

The flaw, discovered by Linux user Matthias Clasen and Owen Taylor, an
engineer at Linux-software company Red Hat, affects any Linux program that
uses the
zlib library for decompression, including the core software of the operating
system, the kernel.

Because the problem is in a library--a set of code that can be shared by any
application that links to it--multiple programs could be affected by the
flaw.
In fact, many non-Linux operating systems use the library, making them
vulnerable as well, said Mark Cox, senior director of engineering at Red
Hat.

"Zlib is used on all sorts of operating systems: the BSDs and even Solaris,"
Cox said. "While any operating system that uses the library is affected, the
ability to exploit the vulnerability depends on the operating system."

The graphical basis for the Linux desktop, X11, uses the library, as does
the common software foundation for the Linux-based Netscape and Galeon
browsers.
Many image-editing programs, which use the library for compression, also
will be affected by the flaw.

The library's functions are "used in network compression, so connecting to
untrusted services could allow a hostile site to allocate space in a way
that
triggers a buffer overflow," Wreski said.

"Because the vulnerability is in a library, that means that the attacker has
to identify programs that use the library," said Dave Ahmad, threat analysis
manager for security information company SecurityFocus. "There are also a
bunch of applications that borrow code from the library."

Weaving the code directly into another application--known as statically
linking--means that fixing the programs is much more difficult. Where simply
installing
a new version of the zlib software on systems will repair the flaw in
applications that merely access the library, any program that has borrowed
the code
itself will have to be patched on its own.

Known as a "double-free vulnerability," the software bug causes programs
that use the zlib compression library to behave unpredictably when a
malicious
program tries to free memory more than once. Most legitimate programs
wouldn't try to repeatedly free memory except by accident, but attackers
could use
such a technique to attempt to force the operating system to run code
designed to take over the computer.

Originally, Clasen, a Linux user, found the problem when an image he had
created in the open-source Portable Network Graphics, or PNG, format crashed
a
popular image program. When notified of the problem, Red Hat's Taylor
discovered that the issue wasn't with the program but the library used for
decompression.

"Owen found that it was a bigger problem than was first thought," said Red
Hat's Cox. "At that stage, we realized that there was a significant security
hole."

Red Hat worked with the Computer Emergency Response Team (CERT) Coordination
Center at Carnegie Mellon University to disseminate information about the
flaw
to software companies.

CERT/CC is expected to release more information Monday afternoon, but would
not comment on the vulnerability.

E-mail story
Print story
Send us news tips
Also from CNET Networks
Builder.com, the most comprehensive new software development site
Try Computer Shopper Magazine for Free, click here!
Search the newest job listings right now
ZDNet Tech Update: Cut telecom costs in half
Palm makes a colorful entrance with two new PDAs

 Search


   News.com
Go!

Latest Headlines
display on desktop
DoubleClick unloads e-mail list unit
HP merger wins another endorsement
Study: Broadband demand "strong"
Oracle enhances hosted business apps
Cisco disclosing more in filings
SEC requests WorldCom documents
Hatch asks music stores for feedback
Compaq, Lucent look to wireless future
HP, Compaq: Sales to guide product picks
Financial services sector drives up Dow
New drives rewrite HP DVD+RW line
HP director: Big shareholders like merger
Savoring Spam: A true story
Behind the broadband access fight
Broadband battle stalling, switching tack
Sabre: Expedia beating Travelocity
Wells Fargo latest target in scams
Sony releases two new handhelds
Dell drops plan to sell Unisys server
Infineon boosts memory chip output
This week's headlines

News Tools

Get news by PDA
Get news by mobile
Listen live to CNET Radio

CNET News.com Newsletters
Stay on top of the latest tech news.

News.com Daily Dispatch

News.context (weekly)

Investor Daily Dispatch
Your e-mail here

Sign me up!

More Newsletters
Send us news tips |
Contact Us |
Corrections |
Privacy Policy
frontdoor/0-1
Featured services:
Tax software |
Computer Shopper magazine |
Tech jobs |
Free newsletters |
Popular products

  CNET Networks:
Builder |
CNET |
GameSpot |
mySimon |
TechRepublic |
ZDNet
About CNET
Copyright
©1995-2002 CNET Networks, Inc. All rights reserved.
CNET Jobs



------------------------ Yahoo! Groups Sponsor ---------------------~-->
Access Your PC from Anywhere
Full setup in 2 minutes! - Free Download
http://us.click.yahoo.com/Y8IZpD/2XkDAA/yigFAA/dpFolB/TM
---------------------------------------------------------------------~->

To unsubscribe from this list, send a blank message with no subject heading
or text in the body to

access-uk-unsubscribe at yahoogroups.co.uk



Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/





Gena
______________________________________________________________________
Please Note:
All html messages are automatically deleted as they are considered to be a 
security risk.

Announcing Blindness Advocacy and Self-Help Online [BASHOnline]
www.bashonline.org you can join the mailing list by sending a message to: 
bashonline-subscribe at yahoogroups.com

Personal site:  www.gena-j.net

Contact Info:  MSN ID: gena1959uk at hotmail.com (No mail to this address
please) it will not be read:  ICQ ID:  144169465:





More information about the Speakup mailing list