
Netscape laid wide open by security flaw

Filed under: Security

Two separate imaging-related security flaws have surfaced in AOL's Netscape browser and in the KDE desktop environment for Unix and Linux, according to security experts. Both could allow an attacker to plant malicious code on a user's system when a specially crafted image is viewed by an affected application, such as a browser, e-mail program or stand-alone viewer, researchers said.

Vulnerabilities in image-viewing components are among the easiest to exploit, particularly when they affect Internet-connected applications such as browsers and email programs, say experts. "If the libraries are used by other types of client applications, where the user has to download a malicious file and open it in a specific application, it complicates the attack a bit," said Thomas Kristensen, CTO of security firm Secunia.

The flaw in Netscape, affecting versions 6.x and 7.x, involves a boundary error in the handling of Netscape extension 2 blocks in GIF images, according to Internet Security Systems, which disclosed the flaw last month; the bug was patched in Mozilla-based products in March.

But the GIF flaw also affects Netscape, and is unpatched, Secunia said in an advisory published on Tuesday. The vulnerability has been confirmed in version 7.2 and also reported in version 6.2.3, but is likely to affect other versions as well, Secunia said.
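The GIF extension blocks mentioned above (the "NETSCAPE2.0" application extension is the common one) are length-prefixed sub-blocks, so a decoder that trusts the length byte without comparing it to the bytes actually remaining is the classic shape of a boundary error. The following added example is not code from the article, from Netscape or from Mozilla; it is a small bounds-checked walker that reads a GIF's block structure, collects application extensions, and rejects any sub-block whose declared length overruns the buffer. The sample GIF bytes are constructed for the example and carry a NETSCAPE2.0 extension in a well-formed and a deliberately truncated form.

```python
import struct

EXTENSION_INTRODUCER = 0x21
APPLICATION_EXTENSION = 0xFF
IMAGE_SEPARATOR = 0x2C
TRAILER = 0x3B


class GifParseError(ValueError):
    """Raised for any block whose declared size does not fit the remaining data."""


def _need(data, pos, n, what):
    # Every read goes through this check, so a lying length byte is caught before it is used.
    if pos + n > len(data):
        raise GifParseError(
            f"truncated {what}: need {n} bytes at offset {pos}, have {len(data) - pos}"
        )


def read_sub_blocks(data, pos):
    """Read a chain of (length, payload) sub-blocks ending in a 0 byte.

    Returns (concatenated payload, position after the terminator).
    """
    chunks = []
    while True:
        _need(data, pos, 1, "sub-block length")
        n = data[pos]
        pos += 1
        if n == 0:
            return b"".join(chunks), pos
        _need(data, pos, n, "sub-block data")
        chunks.append(bytes(data[pos:pos + n]))
        pos += n


def color_table_size(packed):
    # Bit 7 says a color table follows; low 3 bits give its size as 2^(n+1) RGB entries.
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def parse_application_extensions(data):
    """Walk every block in a GIF and return [(application id, payload), ...].

    Graphic control, comment and plain-text extensions and image data are skipped
    with the same bounds checks. Raises GifParseError on any overrun or bad layout.
    """
    _need(data, 0, 13, "header and logical screen descriptor")
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifParseError("not a GIF signature")
    pos = 13 + color_table_size(data[10])   # skip global color table if present
    found = []
    while True:
        _need(data, pos, 1, "block introducer")
        introducer = data[pos]
        pos += 1
        if introducer == TRAILER:
            return found
        if introducer == EXTENSION_INTRODUCER:
            _need(data, pos, 1, "extension label")
            label = data[pos]
            pos += 1
            if label == APPLICATION_EXTENSION:
                # Fixed part: block size byte (must be 11), 8-byte identifier, 3-byte auth code.
                _need(data, pos, 12, "application extension header")
                if data[pos] != 11:
                    raise GifParseError(f"application extension block size {data[pos]} != 11")
                app_id = bytes(data[pos + 1:pos + 12])
                pos += 12
                payload, pos = read_sub_blocks(data, pos)
                found.append((app_id, payload))
            else:
                _, pos = read_sub_blocks(data, pos)   # other extensions: skip, still checked
        elif introducer == IMAGE_SEPARATOR:
            _need(data, pos, 9, "image descriptor")
            packed = data[pos + 8]
            pos += 9 + color_table_size(packed)     # descriptor plus optional local color table
            _need(data, pos, 1, "LZW minimum code size")
            pos += 1
            _, pos = read_sub_blocks(data, pos)      # compressed pixel data sub-blocks
        else:
            raise GifParseError(f"unknown block introducer 0x{introducer:02x} at offset {pos - 1}")


def validate(data):
    """Convenience wrapper: (True, extensions) or (False, reason)."""
    try:
        return True, parse_application_extensions(data)
    except GifParseError as exc:
        return False, str(exc)


# Constructed sample inputs (not from the advisory): a 1x1 GIF89a with a
# NETSCAPE2.0 application extension holding one 3-byte sub-block.
VALID_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)        # header, no global color table
    + b"\x21\xff\x0bNETSCAPE2.0" + b"\x03\x01\x00\x00" + b"\x00"  # app extension, sub-block, terminator
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)           # image descriptor, no local table
    + b"\x02" + b"\x02\x44\x01" + b"\x00"                      # LZW min code size, data sub-block, terminator
    + b"\x3b"                                                  # trailer
)
# Same bytes, but the sub-block length byte now claims 0x20 bytes while only 20 remain.
BAD_GIF = VALID_GIF.replace(b"\x03\x01\x00\x00", b"\x20\x01\x00\x00")

if __name__ == "__main__":
    print(validate(VALID_GIF))
    print(validate(BAD_GIF))
```

The point of the structure is that no length byte from the file is ever used as an index or copy size until `_need` has compared it with the bytes left in the buffer; a decoder written that way can reject the truncated variant with a clear error instead of reading past the end of its input.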

A separate vulnerability affects KDE's kdelibs, specifically an error in the kimgio component when processing PCX image files. Kimgio is used by KHTML-based Web browsers as well as KDE imaging applications such as kpresenter and ksnapshot, so if an image crafted to exploit the flaw were viewed in any of these applications, it could allow an attacker to execute malicious code. The flaw affects KDE versions 3.2 to 3.4, Secunia said.

A patch is available from KDE and from various Linux distributors, including Suse, Gentoo and Debian.
