Privacy, Security Archive

According to a report published November 12 by Aberdeen Group, "Security advisories for open source and Linux software accounted for 16 out of the 29 security advisories - about one of every two advisories - published for the first 10 months of 2002 by Cert." Read the report at NewsForge.

"Palladium is not secure Windows. Not exactly. Nor is it a standalone OS. Not exactly. Manferdelli presents it as a sort of parallel OS that is securely ringfenced from Windows, but which doesn't run all the time, and which actually you wouldn't want to run all the time. It works like this..." Read the rest of the article at TheRegister.

Based on the number of vulnerabilities announced in 2002 that affect operating systems, the SCO Unix, Apple Macintosh and Compaq Tru64 Operating Systems appear to be the least prone to hacker attack and damage from viruses and worms. This is one of the startling conclusions of the end-of-October 2002 analysis of digital attacks to be released on 1st November.

Critics have slated a Microsoft document on its upcoming Palladium digital rights software as containing several outright "lies". The 1,500-word frequently asked questions (FAQs) paper gives some details about how Palladium will work and how it relates to digital rights management and the Trusted Computing Platform Alliance. Read the rest at VNUnet. Update: Another article about Palladium, here.

Ramen, Slapper, Scalper and Mighty may sound like Santa's new team of reindeer, but they are creatures far lower down the evolutionary ladder -- and much less welcome. These are worms that have infiltrated Linux servers in recent months, commandeering the servers for use in distributed denial-of-service attacks. Linux enthusiasts who once believed they were less vulnerable to attack than Microsoft users have begun to wonder whether they were overly optimistic. Read the article at NewsFactor.

"Intel is to embed certificates into the processor. Embedded certificates will be a feature of Banias processors next year. What are the downsides? You can count them. The business of ownership of a device suddenly becomes very important indeed - your PC is tagged at birth, and your choice of operating system or browser is contingent on the generosity of the certification authority." Read the report at TheRegister.

A security expert makes the case that Windows' architecture encourages insecure applications and is vulnerable to the 'Shatter Attack' but Microsoft disagrees. Read about it at ZDNews.

"This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor." Read the paper over at Tombom.co.uk. In the meantime, another flaw affects Windows 2000, Linux and MacOSX.

The Sun-backed group will unveil the detailed workings of their Liberty Alliance specification--leading the way to build "single-sign-on" Web sites and software. Read the report at ZDNews.

"A security mailing list has alerted Apple's OSX users to a program that could let a hacker piggyback malicious code on downloads from the company's SoftwareUpdate service." Read the report at ZDNews.

From TheRegister: "Ross Anderson of Cambridge Uni has published a lengthy and informative paper, FAQ on Palladium, the Trusted Computing Platform Alliance, their relationship and their implications."

ExtremeTech features a series of articles regarding Microsoft's new security chip, codenamed Palladium. It seems that Intel, AMD and even National are part of this plan, while it is not clear if alternative operating systems will be given specs for this technology. Even if these OSes will choose to not use the chip, Microsoft is quite likely to advertise the "feature" as a Good Thing (TM) for the users (which may or may not be true), making the other OSes to sound unsecure.

"In a sea change of philosophy, Microsoft Corp. is working to put security ahead of not just features and functionality, but also legacy application compatibility. In a meeting with eWEEK last week, several Microsoft executives responsible for security software development said the company is also changing the way it ships some products to make them safer and will begin developing its own line of security software." Read the rest of the report at ExtremeTech. In related news, a pair of Office XP bugs were uncovered while more security updates can be found here.

A serious hole in Windows NT and Windows 2000 allows any user (even "guest") to gain complete control of the machine using the standard documented debugging interface. An article on ExtremeTech gives details and links to patches and sample exploits. To date, Microsoft has not commented on the vulnerability.