Based on the number of vulnerabilities announced in 2002 that affect operating systems, the SCO Unix, Apple Macintosh and Compaq Tru64 Operating Systems appear to be the least prone to hacker attack and damage from viruses and worms. This is one of the startling conclusions of the end-of-October 2002 analysis of digital attacks to be released on 1st November.
Privacy, Security Archive
Critics have slated a Microsoft document on its upcoming Palladium digital rights software as containing several outright "lies". The 1,500-word frequently asked questions (FAQs) paper gives some details about how Palladium will work and how it relates to digital rights management and the Trusted Computing Platform Alliance. Read the rest at VNUnet. Update: Another article about Palladium, here.
Is open source software more secure? To most Linux enthusiasts, the answer is obvious: open source means more people can look for bugs and a faster dissemination of bug fixes. Obviously, yes. But noted security expert Gene Spafford says that this may not necessarily be true. According to the Purdue professor of computer science and co-author of Practical Unix & Internet Security, good security begins with good design and neither Windows nor Linux have much to brag about in that category.
Ramen, Slapper, Scalper and Mighty may sound like Santa's new team of reindeer, but they are creatures far lower down the evolutionary ladder -- and much less welcome. These are worms that have infiltrated Linux servers in recent months, commandeering the servers for use in distributed denial-of-service attacks. Linux enthusiasts who once believed they were less vulnerable to attack than Microsoft users have begun to wonder whether they were overly optimistic. Read the article at NewsFactor.
"Intel is to embed certificates into the processor. Embedded certificates will be a feature of Banias processors next year. What are the downsides? You can count them. The business of ownership of a device suddenly becomes very important indeed - your PC is tagged at birth, and your choice of operating system or browser is contingent on the generosity of the certification authority." Read the report at TheRegister.
Microsoft is undergoing a major cultural shift in the way it deals with security, but it has come much later than it should have, is the consensus at the TechEd conference in Brisbane. In the meantime, web servers and corporate PCs are at risk from vulnerabilities in the popular Apache server software and in a component of Microsoft's Windows 2000.
A security expert makes the case that Windows' architecture encourages insecure applications and is vulnerable to the 'Shatter Attack' but Microsoft disagrees. Read about it at ZDNews.
"This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor." Read the paper over at Tombom.co.uk. In the meantime, another flaw affects Windows 2000, Linux and MacOSX.
Why Microsoft's Palladium project threatens to send Linux and open-source into exile: "Unless Microsoft signs a particular Linux kernel, it will almost certainly refuse to run on Palladium-equipped hardware." Read the editorial at SecurityFocus.
The Sun-backed group will unveil the detailed workings of their Liberty Alliance specification--leading the way to build "single-sign-on" Web sites and software. Read the report at ZDNews.
"A security mailing list has alerted Apple's OSX users to a program that could let a hacker piggyback malicious code on downloads from the company's SoftwareUpdate service." Read the report at ZDNews.
Following widespread skepticism of Microsoft's motives for developing its trusted computing platform, the software giant this week moved to reassure the software community that Palladium will not be limited to Microsoft's platforms. Read the report at ZDNews.
From TheRegister: "Ross Anderson of Cambridge Uni has published a lengthy and informative paper, FAQ on Palladium, the Trusted Computing Platform Alliance, their relationship and their implications."
ExtremeTech features a series of articles regarding Microsoft's new security chip, codenamed Palladium. It seems that Intel, AMD and even National are part of this plan, while it is not clear if alternative operating systems will be given specs for this technology. Even if these OSes will choose to not use the chip, Microsoft is quite likely to advertise the "feature" as a Good Thing (TM) for the users (which may or may not be true), making the other OSes to sound unsecure.
"Microsoft wants to change the fundamental architecture of the PC, adding security hardware prior to the release of the next generation of its Windows operating system around 2004, according to a media report and an analyst briefed by the company." Read the article at InfoWorld.
"In a sea change of philosophy, Microsoft Corp. is working to put security ahead of not just features and functionality, but also legacy application compatibility. In a meeting with eWEEK last week, several Microsoft executives responsible for security software development said the company is also changing the way it ships some products to make them safer and will begin developing its own line of security software." Read the rest of the report at ExtremeTech. In related news, a pair of Office XP bugs were uncovered while more security updates can be found here.
A serious hole in Windows NT and Windows 2000 allows any user (even "guest") to gain complete control of the machine using the standard documented debugging interface. An article on ExtremeTech gives details and links to patches and sample exploits. To date, Microsoft has not commented on the vulnerability.
"The software bug--known as a buffer overflow--caused key memory-management functions in the zlib compression library to fail, a condition that could allow a smart attacker to compromise Linux computers over the Internet, said Dave Wreski, director for open-source security company Guardian Digital". Read the rest of the report at News.com.
IBM developerWorks has come out with three articles on OpenSSH, a free version of the SSH protocol suite for network connectivity. The first discusses RSA/DSA authentication, the second introduces ssh-agent and keychain, while the last goes over Agent forwarding and keychain improvements. Its a great resource for someone who needs some encryption.
"Microsoft Corp. is going on the offensive to restore confidence in its .Net platform after a security consulting firm claimed it had found a critical flaw in a new compiler Microsoft released earlier this week. In an unusual move, a member of the team that developed the product in question--the Visual C++.Net compiler--posted a lengthy message to the Bugtraq security mailing list excoriating Cigital Inc. for making what Microsoft deems to be false claims in its press release and inciting unnecessary concerns about the security of .Net applications built with the compiler. Brandon Bray, a member of the product's development team said: 'The allegation that applications compiled with Visual C++'s /GS switch somehow expose themselves to more attacks is unfounded and patently false.'" Read the rest of the story at ExtremeTech.