Slashdot Mirror
Flurry of Security Patches
yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)
So today we have a bunch of new patches, which means tomorrow we will have all the exploits being developed and released. The major problem with patches is they often are not installed by end users, and that is the bread and butter of zombie botnets.
Voice your opinion!
...the zlib bug
http://www.frsirt.com/english/advisories/2005/1066
:
:a tch_1.4.1.txt a tch_1.4.1.txt
6 - 2005-002-kdc.txt - 2005-003-recvauth.txt
FrSIRT Advisory : FrSIRT/ADV-2005-1066
CVE Reference : CAN-2005-1174 - CAN-2005-1175 - CAN-2005-1689
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-12
* Technical Description *
Multiple vulnerabilities were identified in MIT Kerberos, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.
The first issue occurs in the MIT krb5 Key Distribution Center (KDC) implementation when processing specially crafted TCP/UDP requests, which could be exploited by an unauthenticated attacker to cause a denial of service or execute arbitrary code on the KDC host.
The second vulnerability is due to a double-free error in the "krb5_recvauth()" function, which could be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of a program calling the vulnerable function (this includes the kpropd program which typically runs on slave Key Distribution Center hosts).
* Affected Products *
MIT Kerberos 5 version 1.4.1 (krb5-1.4.1) and prior
* Solution *
Upgrade to krb5-1.4.2 release
http://web.mit.edu/kerberos/dist/index.html
Or apply patches
http://web.mit.edu/kerberos/advisories/2005-002-p
http://web.mit.edu/kerberos/advisories/2005-003-p
* References *
http://www.frsirt.com/english/advisories/2005/106
http://web.mit.edu/kerberos/advisories/MITKRB5-SA
http://web.mit.edu/kerberos/advisories/MITKRB5-SA
* Credits *
Vulnerabilities reported by Daniel Wachdorf and Magnus Hagander
Here's some good info that colfer from this MozillaZine thread dug up:
3 0
1 0
7 7
3 2
6 4
3 6
3 1 .ico file
1 8
0 6
5 2
7 0
1 3
7 8
1.0.5 is mainly a security fix, but I have seen a bunch of non-security fixes creep in also, such as removing the default checkbox "yes" for "make firefox my home page." This looks like a big cleanup for the 1.0.x branch, before 1.1 takes over.
I don't know about the security fixes, besides the medium-risk frame/window spoofing thing (with 1.0.4, you should not open untrusted sites at the same time as sensitive sites...). Here are the non-security fixes (non-security as it seems to me) checked in since 1.0.4:
https://bugzilla.mozilla.org/show_bug.cgi?id=2837
"Save As" dialog tries to overwrite link/shortcut (.lnk) file instead of opening the directory/folder
https://bugzilla.mozilla.org/show_bug.cgi?id=2952
Tab title different from window title on initial load at gmail
https://bugzilla.mozilla.org/show_bug.cgi?id=2837
Right arrow key after selecting autocomplete result no longer uses selected item
https://bugzilla.mozilla.org/show_bug.cgi?id=2912
update installer packages should offer unchecked check box for setting start page
https://bugzilla.mozilla.org/show_bug.cgi?id=2910
Helper app dialog incomplete for non-nsStandardURL types
https://bugzilla.mozilla.org/show_bug.cgi?id=2655
(64-bit only issue)
https://bugzilla.mozilla.org/show_bug.cgi?id=2456
Crash loading (particular)
https://bugzilla.mozilla.org/show_bug.cgi?id=1418
Table with large rowspans and colspans hangs the browser
https://bugzilla.mozilla.org/show_bug.cgi?id=2880
Drag image across browser windows --> crash
https://bugzilla.mozilla.org/show_bug.cgi?id=2950
Obscure Javascript crash
https://bugzilla.mozilla.org/show_bug.cgi?id=2962
Default user agent problem (AIX platform only)
https://bugzilla.mozilla.org/show_bug.cgi?id=2808
Crash on OS/2 platform
https://bugzilla.mozilla.org/show_bug.cgi?id=2937
bookmarks toolbar missing in 2nd opened window, links in second window possibly cause crash
Actually, it's the other day around. This is Microsoft Tuesday, patch day for them every month. It's the F/OSS world that is releasing patches at the same time as MS.
But wait, Firefox has security holes? And OS X too? But from the comments on slashdot, I was under the impression only Microsoft had security flaws...
Oh, I think I understand now. Only windows sucks when it has security holes and Open Source programs don't suck when they have security holes because they're better than closed source and the patch came out fast... or something. Gotcha.
Microsoft sucks because they release software that needs security patches. Linux rulez!
....that msft waited until the end of day to release the patches. Every time they release during the day it boggs down the network, to the point of really hindering productivity, its especially crappy when they release in the morning, because then its usually bad all day.
Look at the calendar.
Blackhat / DEFCON is at the end of the month in Vegas. This is the scheduled patch release day (at least for MS) before the event.
The vendors have more than likely been notified by the "researchers" who discovered the issues, and are releasing their fixes on a coordinated schedule.
when microsoft releases security updates, it's cuz the software is crap. when others do it, it's cuz the software rocks. no double standards here. maybe it's like when girls get naked. if she's good looking, makes it better. if your she's bad looking, much worse. microsoft may be bloated, but needs love just like everyone else.
After taking to Apple tech support about my X11 problem, and having them refuse to help, I guess I'll just have to follow the MS support path and re-install the OS.
The sysadmin mantra lives on: All operating systems suck, they just suck differently.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
Ah yes, the wisdom of the AC...
If I was 'in my right mind' I'd be living in Fiji taking tourists on scuba tours of the soft corals. Since I'm not, I stay in SF and buy shiny toys; and I maintian the right to bitch about them if they don't work as expected. And I've got the balls to do it with a real login account.
-Chris
-- This sig is only a test. If this were a real sig it would say something witty. --
they continue making progress with the bug fixes. For me, FF is feature packed enough. I'd prefer to see some more work on the update facilities and performance when running on Linux (fix the RAM usage and crashes please). I like FF because it's light, I don't want more bloatware. The FF team need to remember that we can switch back to IE, or to Opera or something else, just as easily as we switched to FF. Many FF users aren't in it to snub MS (they're both free browsers, it's not like they lose money), they're using it cause it's a safer, more stable product. The second that changes, I and many like me go elsewhere.
Anyone that claims open source is entirely free of bugs is dreaming and/or misinformed.
The beautiful part is the speed at which critical bugs in OSS are corrected after being discovered.
One of the things I noticed last week was that Windows Update... had been updated. It's now a new stylized webpage and it works a little differently - in that, it doesn't. My Windows 2000 Pro machine refuses to install anything that's been downloaded with the "new" Windows update. They refer you to the help section if installation fails, and after trying all of the help suggestions I just gave up, nothing worked.
d efault.asp
The only thing that does work (for me anyway)is the old URL: http://v4.windowsupdate.microsoft.com/catalog/en/
No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work. I've always liked, or at least tolerated Windows and I've never understood why everyone here *hates* Microsoft. Now I get it. Hopefully someone will find the above url useful if they have problems.
that the Amiga is the most secure platform out there.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
Most of the exploits are written AFTER the patches come out. Most exploit writers just look at the patch, see what it fixes, and then figure out the vulnerability. So the patches don't really need to be released immediately. (This is the practical reality, of course there are others who find this plan to be horrible, but it works for me.)
I really like this once a month patch cycle. I get an idea that maybe they plan the patches a little better, and test them more.
Maybe EA should have done that with Battlefield 2, instead of trying to rush a patch out.
No reason to lie.
You think so? Check out the patch list for FF 1.05
l nerabilities.html#Firefox
http://www.mozilla.org/projects/security/known-vu
12 vulnerabilities in this patch, the oldest was created in APRIL! And it's marked as high severity.
The newest we don't know, because Mozilla is keeping it hidden until July 20th, but if you take the Bugzilla report number, and add one to it you can get the bug that was created directly after it, and that was created in MAY!
So yes, Mozilla DOES sit on critical bugs for months.
If you need web hosting, you could do worse than here
Out of curisity, what do you consider "quickly"?
l nerabilities.html#Firefox
http://www.mozilla.org/projects/security/known-vu
Let's look at the most recent vulnerability there, MFSA-2005-56. Unfortunately, the details are being hidden until July 20th. However, we can see the Bugzilla report numbers. The first, 294795, won't let me view it. But if we view 294796, the bug created right after we see it was created on May 19th. Nearly 2 months ago.
Is 2 months "quickly"?
You seem to be blindly making assumptions without bothering to check the facts.
This is NOT evidence that Open Source fixes bugs quickly. If anything, it proves that just like Closed source, they can keep the bugs quiet and sit on them as long as they like.
If you need web hosting, you could do worse than here
Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes reported by users of the NoScript extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...
It only passes if you use a nightly. A shipped release has never passed the acid 2 test.
save the GNUs!
There was also a high priority update for Microsoft Office in addition to the 3 OS patches. Nothing critical, just updated spam definitions.
Quote:
Update for Outlook 2003 Junk Email Filter (KB895658)
This update provides the Junk E-mail Filter in Microsoft Office Outlook 2003 with a more current definition of which e-mail messages should be considered junk e-mail. This update was released in July 2005.
I'm using the new Microsoft Update (as opposed to Windows and Office separately) and so should you. And yes, according to their FAQ it adds Office to Windows automatic update.
Link: http://update.microsoft.com/
I noticed that every time after I post something on /. I get a line like this in my web server log:
slashdot.org - - [23/Jun/2005:21:58:59 +0200] "GET http://ask.slashdot.org/ok.txt HTTP/1.0" 404 200 "-" "libwww-perl/5.803"
No idea what it is supposed to accomplish, but I assume that that is what your firewall is complaining about.
(Note: slashcode converted the URL above into a link, obviously the logfile entry is just a plaintext URL.)
JP
Hey, how'd you know I was drinking Kool-Aid?! Damn, you're a jeenyus!
No sysadmin in his right mind runs OSX.
Brilliant! Can't wait for more! I can tell this is gonna be a fact-filled, detailed primer on what to do right. Give me the straight dope, dude. I'm waiting for it.
Unless he doesn't want *real* support.
Ah, yes. I get it. What you mean is that if you buy Apple products, you won't get *real* support. I don't know what that means or who does provide *real* support, but I guess that's because I'm a dipshit. Damn! I hate when that happens!
Or performance.
I thought Apple hardware was sexy, but I guess it doesn't really "put out" the way other hardware does. I don't need factual comparisons. You're teaching me a lot here. I can't wait to read the next kernel of wisdom.
Or security.
Yeah, OS X is a fucking sieve! If it's not trojan horses it's Mail.app viruses and malware. Every zombie machine out there is running OS X. It's a plague on us all. Fucking Apple!
Or configurability.
I never thought about that, but you're so right. That one configuration fits all XServe sucks major goat ass.
Or standards.
You said it, buddy! I wish Apple would get with the program. I mean, I can run WebStar on OS 8, but why don't they wake up and smell the coffee? It's 1996, and the world is changing. If Apple doesn't wake up, this World Wide Web thing is going to really catch them off guard.
Or a real journaling file system.
That's like *real* support, right? You must mean that HFS+ isn't *real*. I think I'm starting to understand, but you're so brilliant you may have to slow down so I can catch up.
Or real hardware.
Ah, I'm on to you now, you clever sysad, you! This is another one of those "it's not *real*" things. It looks like the hardware is there, doing its job, but it's actually not.
Thanks for clearing this all up, AC. I really learned a lot, and am looking forward to more comments from you. It's going to be tough to read them all though, because you sure are prolific!
Read the EFF's Fair Use FAQ