Netscape laid wide open by security flaw

Filed under
Security

Two separate imaging-related security flaws have surfaced in AOL's Netscape browser and in the KDE desktop environment for Unix and Linux, according to security experts. Both could allow an attacker to plant malicious code on a user's system when a specially crafted image is viewed by an affected application, such as a browser, e-mail program or stand-alone viewer, researchers said.

Vulnerabilities in image-viewing components are among the easiest to exploit, particularly when they affect Internet-connected applications such as browsers and email programs, say experts. "If the libraries are used by other types of client applications, where the user has to download a malicious file and open it in a specific application, it complicates the attack a bit," said Thomas Kristensen, CTO of security firm Secunia.

The flaw in Netscape, affecting versions 6.x and 7.x, involves a boundary error in the handling of Netscape extension 2 blocks in GIF images, according to Internet Security Systems, which disclosed the flaw last month; the bug was patched in Mozilla-based products in March.

But the GIF flaw also affects Netscape, where it remains unpatched, Secunia said in an advisory published on Tuesday. The vulnerability has been confirmed in version 7.2 and also reported in version 6.2.3 but is likely to affect other versions as well, Secunia said.
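The boundary error described above sits in the parsing of a length-prefixed extension block inside a GIF file. The following Python check is an added example, not code from the article, ISS, Secunia or the Mozilla code base: it walks a GIF's block structure with every declared length bounds-checked and reports NETSCAPE2.0 sub-blocks that are not the standard 3-byte loop-count block. The function names are hypothetical, the loop-count layout comes from general GIF format knowledge, and the article does not give the malformed values, so anything else is only reported for review.

```python
def read_sub_blocks(data, pos):
    """Collect length-prefixed GIF sub-blocks; refuse lengths past end of data."""
    blocks = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size, pos = data[pos], pos + 1
        if size == 0:                      # zero-length block ends the chain
            return blocks, pos
        if pos + size > len(data):
            raise ValueError("sub-block length runs past end of file")
        blocks.append(data[pos:pos + size])
        pos += size

def table_bytes(flags):
    """Size in bytes of a colour table announced by a packed flags byte."""
    return 3 * (2 << (flags & 7)) if flags & 0x80 else 0

def scan_gif(data):
    """Return (sub_block_id, length) for every NETSCAPE2.0 sub-block that is
    not the standard 3-byte loop-count block (id 1)."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    findings, pos = [], 13 + table_bytes(data[10])
    while pos < len(data) and data[pos] != 0x3B:          # 0x3B = trailer
        if data[pos] == 0x2C:                             # image descriptor
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            pos += 10 + table_bytes(data[pos + 9]) + 1    # + LZW code-size byte
            _, pos = read_sub_blocks(data, pos)
        elif data[pos] == 0x21 and pos + 2 <= len(data):  # extension block
            label = data[pos + 1]
            blocks, pos = read_sub_blocks(data, pos + 2)
            if label == 0xFF and blocks and blocks[0] == b"NETSCAPE2.0":
                for blk in blocks[1:]:
                    if not (blk[0] == 1 and len(blk) == 3):
                        findings.append((blk[0], len(blk)))
        else:
            raise ValueError("unknown block marker at offset %d" % pos)
    return findings

# Constructed samples: 1x1 GIF header without colour table, one extension.
HEADER = b"GIF89a" + bytes([1, 0, 1, 0, 0, 0, 0])
APP = b"\x21\xff\x0bNETSCAPE2.0"
GOOD = HEADER + APP + b"\x03\x01\x00\x00\x00" + b"\x3b"
ODD = HEADER + APP + b"\x05\x02\x01\x00\x00\x00\x00" + b"\x3b"
TRUNCATED = HEADER + APP + b"\x20\x02\x01"   # declares 32 bytes, has 2
```

A non-empty result or a `ValueError` marks a file for closer inspection before it reaches an image decoder; it does not by itself mean the file exploits this flaw.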

A separate vulnerability affects KDE's kdelibs, specifically an error in the kimgio component when processing PCX image files. Kimgio is used in KHTML-based Web browsers as well as KDE imaging applications such as kpresenter and ksnapshot, meaning that an image crafted to exploit the flaw, if viewed in any of these applications, could allow an attacker to execute malicious code. The flaw affects KDE versions 3.2 to 3.4, Secunia said.

A patch is available from KDE and from various Linux distributors, including Suse, Gentoo and Debian.
