
Netscape laid wide open by security flaw

Filed under
Security

Two separate imaging-related security flaws have surfaced in AOL's Netscape browser and in the KDE desktop environment for Unix and Linux, according to security experts. Both could allow an attacker to plant malicious code on a user's system when a specially crafted image is viewed by an affected application, such as a browser, e-mail program or stand-alone viewer, researchers said.

Vulnerabilities in image-viewing components are among the easiest to exploit, particularly when they affect Internet-connected applications such as browsers and email programs, say experts. "If the libraries are used by other types of client applications, where the user has to download a malicious file and open it in a specific application, it complicates the attack a bit," said Thomas Kristensen, CTO of security firm Secunia.

The Netscape flaw, which affects versions 6.x and 7.x, is a boundary error in the handling of the Netscape Extension 2 block (the "NETSCAPE2.0" application extension) in GIF images, according to Internet Security Systems, which disclosed the bug last month. Mozilla-based products were patched for it in March.

Netscape, however, remains unpatched, Secunia said in an advisory published on Tuesday. The vulnerability has been confirmed in version 7.2 and has also been reported in version 6.2.3, and Secunia said other versions are likely to be affected as well.

A separate vulnerability affects KDE's kdelibs, specifically an error in the kimgio component when it processes PCX image files. Kimgio is used by KHTML-based Web browsers as well as by KDE imaging applications such as KPresenter and KSnapshot, so an image crafted to exploit the flaw and viewed in any of these applications could allow an attacker to execute malicious code. The flaw affects KDE versions 3.2 to 3.4, Secunia said.
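Both advisories describe the same bug class: an image decoder that takes a length from the file and copies that many bytes into a buffer sized for the expected structure. The following C example, added here as an illustration and not code from Mozilla, Netscape or KDE, walks a GIF application extension (introducer 0x21, label 0xFF, an 11-byte block that carries "NETSCAPE2.0", then length-prefixed data sub-blocks) the way a naive decoder might, with the unchecked copy beside a hardened version that validates every length against both the buffer and the remaining input. The sample bytes are constructed for the demo, the canary is placed after the identifier buffer inside one arena so the unchecked copy stays within defined memory while still showing what an oversized length clobbers, and the function names are this example's own. The same check applies to the PCX case, where header-derived line and plane sizes play the role the length byte plays here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GIF_EXTENSION 0x21
#define GIF_APP_EXT   0xFF
#define APP_ID_LEN    11        /* "NETSCAPE2.0": 8-byte identifier + 3-byte auth code */
#define CANARY        0xDEADBEEFu

enum { GIF_OK = 0, GIF_TRUNCATED = -1, GIF_BAD_LENGTH = -2, GIF_NOT_APP_EXT = -3 };

/* Decoder state. The identifier buffer is the first APP_ID_LEN bytes of the
 * arena and a canary sits right after it, so an unchecked copy of up to 255
 * bytes stays inside the arena (defined behaviour for this demo) but any copy
 * longer than APP_ID_LEN visibly overwrites the canary. */
struct app_ext_state {
    uint8_t  arena[APP_ID_LEN + sizeof(uint32_t) + 256];
    uint16_t loop_count;     /* animation loop count from the NETSCAPE2.0 sub-block */
};

static void state_init(struct app_ext_state *s) {
    memset(s, 0, sizeof *s);
    uint32_t c = CANARY;
    memcpy(s->arena + APP_ID_LEN, &c, sizeof c);
}

static int canary_intact(const struct app_ext_state *s) {
    uint32_t c;
    memcpy(&c, s->arena + APP_ID_LEN, sizeof c);
    return c == CANARY;
}

/* Vulnerable pattern: the block-size byte from the file decides how many bytes
 * land in an 11-byte buffer. A crafted file sets it to anything up to 255. */
static int parse_app_ext_unchecked(const uint8_t *p, size_t n, struct app_ext_state *s) {
    if (n < 3 || p[0] != GIF_EXTENSION || p[1] != GIF_APP_EXT) return GIF_NOT_APP_EXT;
    size_t block = p[2];
    if (n < 3 + block) return GIF_TRUNCATED;
    memcpy(s->arena, p + 3, block);      /* BUG: block is not compared to APP_ID_LEN */
    return GIF_OK;
}

/* Hardened: the identifier block must be exactly APP_ID_LEN bytes, and each
 * data sub-block length is checked against the input before it is consumed. */
static int parse_app_ext_checked(const uint8_t *p, size_t n, struct app_ext_state *s) {
    if (n < 3 || p[0] != GIF_EXTENSION || p[1] != GIF_APP_EXT) return GIF_NOT_APP_EXT;
    if (p[2] != APP_ID_LEN) return GIF_BAD_LENGTH;
    if (n < 3 + APP_ID_LEN) return GIF_TRUNCATED;
    memcpy(s->arena, p + 3, APP_ID_LEN);
    size_t off = 3 + APP_ID_LEN;
    for (;;) {                           /* data sub-blocks: <len><len bytes> ... 0x00 */
        if (off >= n) return GIF_TRUNCATED;
        size_t sub = p[off++];
        if (sub == 0) return GIF_OK;     /* block terminator */
        if (off + sub > n) return GIF_TRUNCATED;
        /* NETSCAPE2.0 looping sub-block: 0x01 followed by a little-endian count */
        if (sub == 3 && p[off] == 0x01 && memcmp(s->arena, "NETSCAPE2.0", APP_ID_LEN) == 0)
            s->loop_count = (uint16_t)(p[off + 1] | (p[off + 2] << 8));
        off += sub;
    }
}

/* Constructed sample: a well-formed NETSCAPE2.0 extension with loop count 5. */
static const uint8_t benign_ext[] = {
    0x21, 0xFF, 0x0B, 'N','E','T','S','C','A','P','E','2','.','0',
    0x03, 0x01, 0x05, 0x00,   /* sub-block: id 0x01, loop count 5 */
    0x00                      /* terminator */
};

/* Constructed sample: block-size byte 0x40 with 64 bytes of filler behind it. */
static size_t build_crafted(uint8_t *buf) {
    buf[0] = 0x21; buf[1] = 0xFF; buf[2] = 0x40;
    memset(buf + 3, 'A', 0x40);
    return 3 + 0x40;
}

int demo_unchecked_benign(void) {         /* 1: benign input leaves the canary alone */
    struct app_ext_state s; state_init(&s);
    return parse_app_ext_unchecked(benign_ext, sizeof benign_ext, &s) == GIF_OK && canary_intact(&s);
}
int demo_unchecked_overflows(void) {      /* 1: crafted input overwrites the canary */
    uint8_t crafted[80]; size_t n = build_crafted(crafted);
    struct app_ext_state s; state_init(&s);
    return parse_app_ext_unchecked(crafted, n, &s) == GIF_OK && !canary_intact(&s);
}
int demo_checked_rejects(void) {          /* GIF_BAD_LENGTH: crafted input is refused */
    uint8_t crafted[80]; size_t n = build_crafted(crafted);
    struct app_ext_state s; state_init(&s);
    return parse_app_ext_checked(crafted, n, &s);
}
int demo_checked_loop_count(void) {       /* 5: benign input is parsed fully */
    struct app_ext_state s; state_init(&s);
    if (parse_app_ext_checked(benign_ext, sizeof benign_ext, &s) != GIF_OK) return -1;
    return s.loop_count;
}

int main(void) {
    printf("unchecked/benign ok: %d\n", demo_unchecked_benign());
    printf("unchecked/crafted overflows: %d\n", demo_unchecked_overflows());
    printf("checked/crafted rc: %d\n", demo_checked_rejects());
    printf("checked/benign loop count: %d\n", demo_checked_loop_count());
    return 0;
}
```

The point the advisories make about reach applies directly: the unchecked parser runs on whatever bytes arrive, and in a browser or mail client those bytes arrive without the user opening anything. The hardened version rejects the crafted block before any copy happens, which is the check a decoder shared by a browser, a mail reader and a desktop viewer needs in one place.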

A patch is available from KDE and from Linux distributors including SUSE, Gentoo and Debian.
