Hi Soneone has forwarded this on from another list and I wondered if there's a serious risk? From: "Martin Roberts" <martin@xxxxxxxxxxxxxxx> Subject: FW: (Access-UK) - Flaw leaves Linux computers vulnerable Date: Tue, 12 Mar 2002 10:22:50 +0000 -----Original Message----- From: Dj Paddy [mailto:t.toner@xxxxxxxxxxxx] Sent: 12 March 2002 01:01 To: Dj Paddy Subject: (Access-UK) - Flaw leaves Linux computers vulnerable Flaw leaves Linux computers vulnerable By Robert Lemos Staff Writer, CNET News.com March 11, 2002, 2:10 PM PT update A flaw in a software-compression library used in all versions of Linux could leave the lion's share of systems based on the open-source operating system open to attack, said sources in the security community on Monday. Several other operating systems that use open-source components are vulnerable too varying degrees as well. The software bug--known as a double-free vulnerability--causes key memory-management functions in the zlib compression library to fail, a condition that could allow a smart attacker to compromise computers over the Internet, said Dave Wreski, director for open-source security company Guardian Digital. flashframe frame frame They came in search of better software. They came in search of better software. frame end flashframe frame end "It is just a matter of time before an exploit is developed," Wreski said. The flaw, discovered by Linux user Matthias Clasen and Owen Taylor, an engineer at Linux-software company Red Hat, affects any Linux program that uses the zlib library for decompression, including the core software of the operating system, the kernel. Because the problem is in a library--a set of code that can be shared by any application that links to it--multiple programs could be affected by the flaw. In fact, many non-Linux operating systems use the library, making them vulnerable as well, said Mark Cox, senior director of engineering at Red Hat. "Zlib is used on all sorts of operating systems: the BSDs and even Solaris," Cox said. "While any operating system that uses the library is affected, the ability to exploit the vulnerability depends on the operating system." The graphical basis for the Linux desktop, X11, uses the library, as does the common software foundation for the Linux-based Netscape and Galeon browsers. Many image-editing programs, which use the library for compression, also will be affected by the flaw. The library's functions are "used in network compression, so connecting to untrusted services could allow a hostile site to allocate space in a way that triggers a buffer overflow," Wreski said. "Because the vulnerability is in a library, that means that the attacker has to identify programs that use the library," said Dave Ahmad, threat analysis manager for security information company SecurityFocus. "There are also a bunch of applications that borrow code from the library." Weaving the code directly into another application--known as statically linking--means that fixing the programs is much more difficult. Where simply installing a new version of the zlib software on systems will repair the flaw in applications that merely access the library, any program that has borrowed the code itself will have to be patched on its own. Known as a "double-free vulnerability," the software bug causes programs that use the zlib compression library to behave unpredictably when a malicious program tries to free memory more than once. Most legitimate programs wouldn't try to repeatedly free memory except by accident, but attackers could use such a technique to attempt to force the operating system to run code designed to take over the computer. Originally, Clasen, a Linux user, found the problem when an image he had created in the open-source Portable Network Graphics, or PNG, format crashed a popular image program. When notified of the problem, Red Hat's Taylor discovered that the issue wasn't with the program but the library used for decompression. "Owen found that it was a bigger problem than was first thought," said Red Hat's Cox. "At that stage, we realized that there was a significant security hole." Red Hat worked with the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University to disseminate information about the flaw to software companies. CERT/CC is expected to release more information Monday afternoon, but would not comment on the vulnerability. E-mail story Print story Send us news tips Also from CNET Networks Builder.com, the most comprehensive new software development site Try Computer Shopper Magazine for Free, click here! Search the newest job listings right now ZDNet Tech Update: Cut telecom costs in half Palm makes a colorful entrance with two new PDAs Search News.com Go! Latest Headlines display on desktop DoubleClick unloads e-mail list unit HP merger wins another endorsement Study: Broadband demand "strong" Oracle enhances hosted business apps Cisco disclosing more in filings SEC requests WorldCom documents Hatch asks music stores for feedback Compaq, Lucent look to wireless future HP, Compaq: Sales to guide product picks Financial services sector drives up Dow New drives rewrite HP DVD+RW line HP director: Big shareholders like merger Savoring Spam: A true story Behind the broadband access fight Broadband battle stalling, switching tack Sabre: Expedia beating Travelocity Wells Fargo latest target in scams Sony releases two new handhelds Dell drops plan to sell Unisys server Infineon boosts memory chip output This week's headlines News Tools Get news by PDA Get news by mobile Listen live to CNET Radio CNET News.com Newsletters Stay on top of the latest tech news. News.com Daily Dispatch News.context (weekly) Investor Daily Dispatch Your e-mail here Sign me up! More Newsletters Send us news tips | Contact Us | Corrections | Privacy Policy frontdoor/0-1 Featured services: Tax software | Computer Shopper magazine | Tech jobs | Free newsletters | Popular products CNET Networks: Builder | CNET | GameSpot | mySimon | TechRepublic | ZDNet About CNET Copyright ?1995-2002 CNET Networks, Inc. All rights reserved. CNET Jobs ------------------------ Yahoo! Groups Sponsor ---------------------~--> Access Your PC from Anywhere Full setup in 2 minutes! - Free Download http://us.click.yahoo.com/Y8IZpD/2XkDAA/yigFAA/dpFolB/TM ---------------------------------------------------------------------~-> To unsubscribe from this list, send a blank message with no subject heading or text in the body to access-uk-unsubscribe at yahoogroups.co.uk Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ Gena ______________________________________________________________________ Please Note: All html messages are automatically deleted as they are considered to be a security risk. Announcing Blindness Advocacy and Self-Help Online [BASHOnline] www.bashonline.org you can join the mailing list by sending a message to: bashonline-subscribe at yahoogroups.com Personal site: www.gena-j.net Contact Info: MSN ID: gena1959uk at hotmail.com (No mail to this address please) it will not be read: ICQ ID: 144169465:
