X Update
New versions of X.org were released this week.
http://lists.freedesktop.org/archives/xorg/2008-January/031918.html
The tricky thing with X.org is that the server has to run as root, so a flaw in it gives a local attacker the potential to compromise the whole machine.
More Vulnerability Reporting
A report was made public last week that once again compares the number of flaws fixed in various things. I think Mark Cox and Window Snyder summed things up pretty well regarding those reports:
http://blog.mozilla.com/security/2008/01/17/read-past-the-headlines-firefox-is-fixed-faster/
http://www.awe.com/mark/blog/200801161200.html
At this point any intelligent reader should notice that these reports need to be taken with a grain of salt, and the real story isn't what's reported, but what one can learn from the data.
Embedded library madness
This week there has been a bit of news from a company named Palamida. They like to point out all the things that contain embedded copies of various open source projects.
http://www.linuxinsider.com/rsstory/61202.html
Before 2002 this was a fairly common occurrence within a number of open source projects, until there were a number of zlib flaws. Every project carrying its own copy had to be found and patched separately, which made most projects rethink keeping their own local copies of the source and use the system copy instead. This ties in nicely with the above mentioned vulnerability report. More vulnerabilities fixed doesn't always mean less secure.
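As an added illustration of the embedded-copy problem (not code from the original post or from Palamida), here is a small scanner that looks for bundled zlib copies by the copyright string zlib's inflate.c compiles into every object, reports the version found, and flags anything older than the zlib Python itself was built against. The sample blob is constructed for the example.

```python
import os
import re
import zlib
from typing import Iterator, List, Tuple

# zlib's inflate.c contains a string of the form
# " inflate 1.2.11 Copyright 1995-2017 Mark Adler " that survives compilation,
# so it is a cheap marker for a bundled (and possibly stale) copy.
ZLIB_MARKER = re.compile(rb"inflate (\d+(?:\.\d+){1,3}) Copyright")


def find_zlib_versions(data: bytes) -> List[str]:
    """Return every zlib version string embedded in a blob of bytes."""
    return [m.group(1).decode("ascii") for m in ZLIB_MARKER.finditer(data)]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn the leading dotted-numeric part of a version into a comparable tuple."""
    head = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in head.group(0).split(".")) if head else ()


def is_older_than_system(version: str, system: str = zlib.ZLIB_VERSION) -> bool:
    """True when an embedded copy is older than the system zlib (default: the one
    this interpreter was built against)."""
    return version_tuple(version) < version_tuple(system)


def scan_tree(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, embedded_version, older_than_system) for every file under root
    that carries a zlib copyright marker. Unreadable files are skipped."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for version in find_zlib_versions(data):
                yield path, version, is_older_than_system(version)


# Constructed sample: what a stripped binary with an old bundled zlib looks like.
SAMPLE_BLOB = b"\x7fELF...\x00 inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00..."

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(f"system zlib: {zlib.ZLIB_VERSION}")
    for path, version, old in scan_tree(root):
        print(f"{'STALE ' if old else 'ok    '}{version:8} {path}")
```

Run it as `python scan.py /usr/lib` (or any tree of binaries and sources) to get one line per embedded copy; a project that links the system zlib will simply not show up, because it carries no copy of the marker.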
Clever Tools
So a coworker pointed me at his blog today, which discusses a few really nice tools for those of us in the security world:
http://www.kernel.sg/blog/2008/01/18/running-pfiles-on-a-process-in-linux-to-report-open-files/
http://www.kernel.sg/blog/2008/01/13/psig-for-linux/
These tools should help with the analysis of various bits of software. Figuring out what a piece of malware is doing can always be challenging. Knowing what signals are being trapped along with what files are open can be most useful.
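The two linked posts do this on Linux by reading /proc. As an added example (not the blog author's code, and not the pfiles/psig scripts from those posts), here is a small Python equivalent: it decodes the SigBlk/SigIgn/SigCgt masks from /proc/PID/status into signal names and lists what /proc/PID/fd points at. The sample status text is constructed; the field names and the bit layout (bit N-1 set means signal N) are the real /proc format.

```python
import os
import signal
import sys
from typing import Dict, List, Optional, Tuple

# Signal-mask fields in /proc/<pid>/status: pending, shared pending, blocked,
# ignored and caught. Each is a hex bitmask where bit N-1 stands for signal N.
SIGNAL_FIELDS = ("SigPnd", "ShdPnd", "SigBlk", "SigIgn", "SigCgt")


def signal_name(num: int) -> str:
    """Symbolic name for a signal number, or SIG<n> for ones Python has no name for
    (glibc's reserved signals 32/33, most of the realtime range)."""
    try:
        return signal.Signals(num).name
    except ValueError:
        return f"SIG{num}"


def decode_sigmask(hexmask: str) -> List[str]:
    """Turn a /proc signal mask such as '0000000000004202' into signal names."""
    mask = int(hexmask, 16)
    return [signal_name(n) for n in range(1, mask.bit_length() + 1)
            if (mask >> (n - 1)) & 1]


def parse_status(text: str) -> Dict[str, List[str]]:
    """Extract and decode every signal-mask field from a /proc/<pid>/status body."""
    decoded: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in SIGNAL_FIELDS:
            decoded[key] = decode_sigmask(value.strip())
    return decoded


def signals_of(pid: int) -> Dict[str, List[str]]:
    """psig-style view of a live process."""
    with open(f"/proc/{pid}/status") as fh:
        return parse_status(fh.read())


def open_files_of(pid: Optional[int] = None) -> List[Tuple[int, str]]:
    """pfiles-style view: (fd, target) for every descriptor, via the symlinks in
    /proc/<pid>/fd. Returns [] where /proc is unavailable or the pid is gone."""
    fd_dir = f"/proc/{pid if pid is not None else os.getpid()}/fd"
    if not os.path.isdir(fd_dir):
        return []
    entries: List[Tuple[int, str]] = []
    for name in sorted(os.listdir(fd_dir), key=int):
        try:
            entries.append((int(name), os.readlink(os.path.join(fd_dir, name))))
        except OSError:
            continue  # descriptor closed between listdir() and readlink()
    return entries


# Constructed sample: a process ignoring SIGPIPE and catching INT, USR1, TERM
# and the nameless signal 32.
SAMPLE_STATUS = """Name:\tsample
Pid:\t4242
SigBlk:\t0000000000000000
SigIgn:\t0000000000001000
SigCgt:\t0000000080004202
"""

if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for field, names in signals_of(pid).items():
        print(f"{field}: {' '.join(names) or '-'}")
    for fd, target in open_files_of(pid):
        print(f"fd {fd:3}: {target}")
```

Run it as `python procinfo.py <pid>` against a process you own (or as root for anything else; /proc/PID/fd is only readable by the owner or a privileged user). A SigCgt that catches SIGTRAP or SIGSEGV, or a SigIgn covering everything a debugger would send, is the kind of thing worth a second look during malware analysis.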