security

LinuxBIOS talk video recording from FOSDEM 2007

LinuxBIOS logo

Highly recommended for anybody who might be even remotely interested in LinuxBIOS:

There's a video recording (OGG, 234 MB) of the LinuxBIOS talk at FOSDEM 2007 by LinuxBIOS-founder Ron Minnich.

The talk is about LinuxBIOS, its history, how it works, what the main challenges are, where it's used today and what the future will likely hold. Watch it, you won't regret it.

And if you want to know more, or maybe even consider contributing, head over to linuxbios.org or contact the mailing list.

OpenOffice / OpenDocument and MS Office 2007 / Open XML security

Interesting paper from the PacSec 2006 security conference: OpenOffice / OpenDocument and MS Office 2007 / Open XML security (PDF)

Not too surprising when you come to think of it, there are tons of possibilities to embed various kinds of malware in the new office document formats. Also, you always have the risk of leaving sensitive metadata in there... If you publish stuff, you better convert to PDF before. But even that might leave sensitive data in the PDF, mind you!

Oh, and one nice detail you might enjoy:

  • OpenDocument specification: 700 pages
  • Microsoft's Open XML specification (final draft): 6036 pages!

And that doesn't even describe all of the format (e.g. VBA macros are missing)! No further comment required...

Serious remotely exploitable hole in GnuPG

Just in case you haven't heard of this yet: GnuPG <= 1.4.5 contains a remotely exploitable security issue which has been fixed in 1.4.6.

You should really upgrade ASAP, as this problem can (theoretically) occur when GnuPG decrypts/checks encrypted email messages/signatures (for example).

If you're running Debian unstable: apt-get install gnupg

Famous Unsolved Codes and Ciphers

Here's a nice list of Famous Unsolved Codes and Ciphers.

Makes an interesting read for a rainy day... Or if you want to give one of the codes a try and solve it, go ahead, and let us know the results :-)

(via joatBlog)

NVIDIA Binary Graphics Driver Root Exploit

A security advisory was released today which warns about a severe security issue in the binary-only NVIDIA drivers:

The NVIDIA Binary Graphics Driver for Linux is vulnerable to a
buffer overflow that allows an attacker to run arbitrary code as
root. This bug can be exploited both locally or remotely (via
a remote X client or an X client which visits a malicious web page).
A working proof-of-concept root exploit is included with this
advisory.

The only possible solution (as NVIDIA still hasn't fixed the issue, although they know about it since 2004):

Disable the binary blob driver and use the open-source "nv" driver that is included by default with X.

Yes, you won't have 3D acceleration any more if you do that. Yes, that sucks. Complain to NVIDIA that they don't provide documentation so that free drivers can be written.

Luckily I stopped using the NVIDIA binary-blob quite a while ago, and I don't intend to ever use it again. This exploit clearly shows me that that's a good decision. For now, I'll have to live with the fact that I must use software-rendering for 3D (which is slow). When I buy my next computer it won't have an NVIDIA card, that's for sure.

But maybe there's hope. Maybe, just maybe, NVIDIA releases proper documentation one day (but don't hold your breath).

Alternatively, I just learned about the nouveau project: a project which aims at producing Open Source 3D drivers for nVidia cards. I don't know what the current status is and whether it's usable already, but this is definately a project which is worth trying out and worth supporting!

(via Kerneltrap)

Syndicate content