This is always one of the things that makes security and Open Source quite the challenge, yet also something positive. This bug was reported to the CUPS project in January, but nobody noticed until last week that it was even there. In a closed source project, a bug such as this would probably go unnoticed, and never be called a security issue. The "many eyes" aspect of Open Source is what got this noticed, and thanks to Secunia, the various interested vendors shipping a vulnerable version of CUPS were able to apply the fix to keep their users secure.
This research paper is quite brilliant, while also being amazingly simple when you really think about it. It's never been a secret that RAM can hold its contents for an extended period of time. It's assumed that it should be possible to inspect RAM under an electron microscope and reveal the previous contents long after a machine has been powered off. The scary thing about this paper is that simply quickly rebooting a machine should make it quite possible to extract previous RAM contents.
While I don't think it's worth building a bomb shelter in your backyard over this, any paranoid tech traveler should be aware of this paper.
I received a question about inspecting computer memory to discover its previous contents. As I recall hearing about this during a lecture in my undergraduate days, I decided to see what Google has to say. Here are the search terms that should return some interesting results: data remanence volatile semiconductor memory
Kernel Local Root
The most exciting thing to happen last week was probably all the attention CVE-2008-0600 got. This flaw could allow a local user to gain root privileges, and things such as SELinux wouldn't stop it. The significant part isn't the local root in itself, but rather that there were working exploits available in the wild. There are always kernel privilege escalation flaws, but there are not always easy working exploits.
A new version of Firefox was released this week, and that means a great deal of my time was consumed by the various things that have to happen regarding such an event. This also means the content is quite slim.
This week Mozilla released a new version of Firefox:
As usual it fixes some rather dangerous flaws.
How Does SELinux Work?
I ran across this article this week. It's not too shabby at explaining how SELinux works. It's a decent read for anyone interested in this sort of thing.