Netscape laid wide open by security flaw

Filed under
Security

Two separate imaging-related security flaws have surfaced in AOL's Netscape browser and in the KDE desktop environment for Unix and Linux, according to security experts. Both could allow an attacker to plant malicious code on a user's system when a specially crafted image is viewed by an affected application, such as a browser, e-mail program or stand-alone viewer, researchers said.

Vulnerabilities in image-viewing components are among the easiest to exploit, particularly when they affect Internet-connected applications such as browsers and email programs, say experts. "If the libraries are used by other types of client applications, where the user has to download a malicious file and open it in a specific application, it complicates the attack a bit," said Thomas Kristensen, CTO of security firm Secunia.

The flaw in Netscape, affecting versions 6.x and 7.x, is a boundary error in the way the browser's GIF decoder handles Netscape extension 2 blocks (the application extension that carries a GIF animation's loop count), according to Internet Security Systems, which disclosed the flaw last month; the bug was patched in Mozilla-based products in March.

The GIF flaw also affects Netscape, where it remains unpatched, Secunia said in an advisory published on Tuesday. The vulnerability has been confirmed in version 7.2 and reported in version 6.2.3, and is likely to affect other versions as well, Secunia said.

A separate vulnerability affects KDE's kdelibs, specifically an error in the kimgio component when it processes PCX image files. Kimgio is used by KHTML-based Web browsers as well as by KDE imaging applications such as kpresenter and ksnapshot, so a PCX image crafted to exploit the flaw could let an attacker execute code when it is viewed in any of them. The flaw affects KDE versions 3.2 to 3.4, Secunia said.

A patch is available from KDE and from various Linux distributors, including Suse, Gentoo and Debian.
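Both flaws are boundary errors in decoders that trust a length field inside the image file. The C program below is an illustration added for this page; it is not code from Netscape, Mozilla or KDE and does not reproduce either actual bug. It parses the GIF application extension that carries Netscape 2.0 looping data (0x21 0xFF 0x0B "NETSCAPE2.0", then length-prefixed sub-blocks and a 0x00 terminator) two ways. The naive parser trusts the sub-block length byte and copies into a fixed 16-byte slot, so a constructed block claiming 64 bytes overwrites the canary placed after the slot; the checked parser validates each length against both the remaining input and the destination before copying. The 16-byte slot, the canary, the three input blocks and the error codes are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define APP_ID_LEN 11                /* 8-byte application id + 3-byte auth code */
#define HDR_LEN    (3 + APP_ID_LEN)  /* 0x21 0xFF 0x0B + "NETSCAPE2.0" */
#define DATA_MAX   16                /* slot our hypothetical decoder reserves per sub-block */
#define CANARY_LEN 8

/* Constructed inputs for the demo, not taken from any real file or exploit. Each is
 * the application-extension header, length-prefixed sub-blocks, then a 0x00
 * terminator. Kept as char literals; the implicit trailing NUL is excluded. */
#define BYTES(s) ((const uint8_t *)(s))
#define BLEN(s)  (sizeof (s) - 1)
static const char gif_good[] =
    "\x21\xFF\x0B" "NETSCAPE2.0" "\x03\x01\x05\x00" "\x00"; /* id 1, loop count 5 LE */
static const char gif_truncated[] =
    "\x21\xFF\x0B" "NETSCAPE2.0" "\x03\x01\x05";  /* claims 3 bytes, 2 present, no end */
static const char gif_oversized[] =               /* one sub-block claiming 64 bytes: */
    "\x21\xFF\x0B" "NETSCAPE2.0" "\x40"           /* legal grammar (0..255), far more */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"            /* than a loop block ever carries   */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "\x00";

/* Vulnerable pattern: the length byte is trusted and the data is copied into a
 * fixed DATA_MAX slot that is followed directly by other state. The canary stands
 * in for heap metadata or a neighbouring object; slot and canary share one arena
 * so the demo's overflow stays inside a single C object. The read is kept in
 * bounds; the write is not. Returns the number of canary bytes overwritten. */
static int parse_netscape_naive(const uint8_t *gif, size_t len)
{
    uint8_t arena[DATA_MAX + CANARY_LEN + 256] = {0};
    memset(arena + DATA_MAX, 0xAA, CANARY_LEN);
    if (len < HDR_LEN + 1 || HDR_LEN + 1 + (size_t)gif[HDR_LEN] > len) return -1;
    memcpy(arena, gif + HDR_LEN + 1, gif[HDR_LEN]);  /* length may exceed DATA_MAX */
    int clobbered = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (arena[DATA_MAX + i] != 0xAA) clobbered++;
    return clobbered;
}

/* Hardened parser: every length byte is checked against both the remaining input
 * and the destination slot before any copy. Returns the 16-bit loop count (0 if
 * none was present or looping is unbounded) or a negative code naming the first
 * violation. */
static int parse_netscape_checked(const uint8_t *gif, size_t len)
{
    int loop_count = 0;
    if (len < HDR_LEN) return -1;                                    /* truncated header */
    if (gif[0] != 0x21 || gif[1] != 0xFF || gif[2] != APP_ID_LEN) return -2;
    if (memcmp(gif + 3, "NETSCAPE2.0", APP_ID_LEN) != 0) return -3;  /* not our extension */
    for (size_t pos = HDR_LEN;;) {
        if (pos >= len) return -4;         /* input ended before the 0x00 terminator */
        size_t n = gif[pos++];
        if (n == 0) return loop_count;     /* terminator: done */
        if (n > len - pos) return -5;      /* sub-block claims more bytes than remain */
        if (n > DATA_MAX) return -6;       /* larger than the slot we reserve */
        uint8_t data[DATA_MAX];
        memcpy(data, gif + pos, n);
        pos += n;
        if (n == 3 && data[0] == 0x01)     /* loop sub-block: id 1, 16-bit LE count */
            loop_count = data[1] | (data[2] << 8);
        /* other sub-block ids are skipped, never trusted */
    }
}

int main(void)
{
    printf("naive parser, oversized sub-block: %d canary bytes clobbered\n",
           parse_netscape_naive(BYTES(gif_oversized), BLEN(gif_oversized)));
    printf("checked parser, oversized sub-block: rc=%d\n",
           parse_netscape_checked(BYTES(gif_oversized), BLEN(gif_oversized)));
    printf("checked parser, good block: loop count=%d\n",
           parse_netscape_checked(BYTES(gif_good), BLEN(gif_good)));
    printf("checked parser, truncated block: rc=%d\n",
           parse_netscape_checked(BYTES(gif_truncated), BLEN(gif_truncated)));
    return 0;
}
```

Build with any C99 compiler (for example `cc -o gifext gifext.c`, filename assumed). The naive parser reports all eight canary bytes overwritten by the oversized block, while the checked parser rejects the same block before any copy and rejects the truncated block for claiming more bytes than remain. The discipline is the generic fix for this bug class, the PCX case included: every length, dimension or count read from the file is checked against the remaining input and the destination buffer before it drives a copy or an allocation.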

More in Tux Machines

today's leftovers

  • Free live-booting distro DVD with LU&D #162
    A brand new issue of Linux User & Developer hits the high street and the app stores today – we’ve done something a little different for you this time.
  • Russian government to switch to desktop Linux?
    The Russian government is reported to be contemplating dropping Microsoft Windows and adopting Linux as the operating system for agency PCs according to its internet czar, German Klimenko.
  • The Linux Foundation's big plan to speed up storage, networking
    The Linux Foundation continues to think big. It became a hub for containers by spearheading the Open Container Project and the Cloud Native Computing Foundation, and it has pushed to make APIs self-standardizing. Now, it's kicked off yet another industry-wide open source initiative: the Fast Data Project (Fd.io). The idea of "an I/O services framework for the next wave of network and storage software" (per the Foundation) may not sound as vital as protecting core Internet infrastructure or making it simpler for Web server admins to support HTTPS. But on closer inspection, FD.io is in line with the Foundation's ambitions to nurture the future Web.
  • ownCloud Desktop Client Updated with HiDPI Improvements, Better Syncing
    Today, February 10, 2016, ownCloud Inc. was proud to announce the release and general availability of new versions for its ownCloud Desktop and ownCloud Android clients.
  • LibreOffice 5.1 Released with Boatload of Changes
  • Ubuntu Core Now Supports Intel NUC Mini PC
    Canonical has this week announced that Ubuntu Core now supports the Intel NUC DE3815TY mini PC. Working together with Intel, the company has created a standard platform for developers to test and create x86-based IoT solutions using snappy Ubuntu Core.
  • 6 reasons to blog in Markdown with Jekyll
    GitHub Pages is a free offering that can host your Jekyll blog. It also takes care of generating static HTML files from your Markdown text files, so there's no need to install anything on your computer. You can also use Jekyll with your own domain name (if you have one).

Education and Open Access

  • UNICEF Seeks World-Changing Open Source Technologies
    United Nations to fund startups to develop open source tech to improve the lives of vulnerable children and civilians
  • UCLA just open-sourced a powerful new image-detection algorithm
    Image recognition has become increasingly critical in applications ranging from smartphones to driverless cars, and on Wednesday UCLA opened up to the public a new algorithm that promises big gains. The Phase Stretch Transform algorithm is a physics-inspired computational approach to processing images and information that can help computers "see" features of objects that aren't visible using standard imaging techniques. It could be used to detect an LED lamp's internal structure, for example -- something that would be obscured to conventional techniques by the brightness of its light. It can also distinguish distant stars that would normally be invisible in astronomical images, UCLA said.
  • Open-Source Textbooks Gain in Push for College Affordability
    The standard textbook for Fundamentals of General Chemistry I at the University of Connecticut has a list price of $303. For students who use the version professor Edward Neth is preparing for the fall semester, the cost will be zero. An early adopter of open source textbooks, Neth said he turned to the new technology out of frustration with spiraling prices of commercial textbooks. "It's seeing the costs go up every semester and almost feeling powerless," Neth said.
  • Zika articles made open-source to accelerate research
    Nature, the Lancet and many other medical publishers and researchers have announced that all Zika-related scientific articles will be published freely in the wake of the recent outbreak.

Development News

  • New SourceForge Owners Start Trust Repair
    SourceForge Media announced the termination notice with a promise of other policy changes coming soon. DevShare was an opt-in revenue-sharing program for developers that was started in 2013. The program attempted to give open source software developers a monetizing stream by bundling selected software titles with the free downloads. It garnered negative reactions because projects hosted on SourceForge could bundle adware with project installers.
  • SourceForge Attempts to Rebuild its Integrity
    There was a time when SourceForge was the de facto standard open-source code repository. That time is not now, as GitHub and missteps at SourceForge have eroded both the mind share and the market share that SourceForge once had.
  • IBM Bequeaths the Express Framework to the Node.js Foundation
    The Node.js Foundation has taken the Express Node.js framework under its wing. Express will be a new incubation project for the Foundation. IBM, which purchased Express maintainer StrongLoop last September, is contributing the code.
  • Data analysis of GitHub contributions reveals unexpected gender bias
    With more than 12 million users, GitHub is one of the largest online communities for collaborating on development projects. Now a team of researchers has done an exhaustive analysis of millions of GitHub pull requests for open source projects, trying to discover whether the contributions of women were accepted less often than the contributions of men. What they discovered was that women's contributions were actually accepted more often than men's—but only if the women had gender-neutral profiles. Women whose GitHub profiles revealed their genders had a much harder time.
