
Archive for the ‘Security’ Category

More on Security Announcements

Some people seem to misunderstand what I said about the latest WordPress update.

I, myself, am perfectly able to figure out what was broken and how it was fixed. That’s not the point. I was commenting on the handling of security announcements by the WordPress developers.

I expect to get information about security issues from a central, easily findable place for any project or product that has public exposure and more than a handful of users. (Yes, I expect that from open source projects too. Look around the net to see how well others handle it.) Expecting your users to gather information about a problem from forums, blogs, foreign sites, or the source code is simply unprofessional.

The often-used argument that more specific information only helps hackers is just plain naïve: WordPress is open source; its code and even nicely formatted svn changesets are freely available on the web. Hackers are not stupid; they’ll find the issues.

Note, I’m not saying you should post sample exploits publicly. Just give enough information that administrators can determine whether their systems are vulnerable and how severe the problem is. Again, go around the net and look at how other projects handle security announcements.

Another WordPress Security Update

1.5.2 “Strayhorn” was released today. The changelog mentions that several vulnerabilities have been fixed, but — once again — the developers don’t provide any details! One has to look at the diffs to see what has been fixed.

I hate that kind of silly security by obscurity. Vague vulnerability descriptions are almost useless for administrators, and just saying “we’ve fixed some security problems” is even worse!

August 15th, 2005: See this article for a reply to some comments I’ve received.

August 18th, 2005: The WordPress developers seem to have problems with release management too: there are two different 1.5.2 versions; read more in WordPress Security Annoyances.

Debian Packages for J2SE 1.4.2-02

Thanks to Matthias Klose, Debian packages for Blackdown J2SE-1.4.2-02 are available now. Just add something like

deb ftp://ftp.tux.org/java/debian/ sarge non-free

to your /etc/apt/sources.list.

Upgrading is recommended as 1.4.2-02 contains an important security fix.
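As an added example (my own script, not something from the original post or from the Blackdown/Debian packagers), here is a small POSIX shell helper that adds the apt source line above to a sources.list idempotently and decides whether an installed J2SE build is older than the 1.4.2-02 release carrying the security fix. It assumes version strings of the form 1.4.2-01 (dotted release plus a build number after a dash); the file path and the sample versions are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent apt source setup plus a
# "do I need the 1.4.2-02 security fix?" check for Blackdown J2SE builds.

BLACKDOWN_SOURCE='deb ftp://ftp.tux.org/java/debian/ sarge non-free'   # line quoted in the post
FIXED_RELEASE='1.4.2-02'                                                 # release that contains the fix

# add_source FILE : append the Blackdown apt line to FILE unless it is already there,
# so running the script twice does not duplicate the entry.
add_source() {
    file="$1"
    [ -f "$file" ] || : > "$file"
    if grep -Fxq "$BLACKDOWN_SOURCE" "$file"; then
        return 0
    fi
    printf '%s\n' "$BLACKDOWN_SOURCE" >> "$file"
}

# needs_upgrade VERSION : exit status 0 when VERSION is older than FIXED_RELEASE,
# 1 when it is the fixed release or newer. Assumed format (not verified against
# Blackdown's actual "java -version" output): MAJOR.MINOR.PATCH-BUILD.
needs_upgrade() {
    have=$(printf '%s\n' "$1" | tr '.-' '  ')
    want=$(printf '%s\n' "$FIXED_RELEASE" | tr '.-' '  ')
    set -- $have
    h1=$1; h2=$2; h3=$3; h4=${4:-0}
    set -- $want
    w1=$1; w2=$2; w3=$3; w4=${4:-0}
    # Compare field by field as decimal integers; "02" and "2" compare equal.
    for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3" "$h4 $w4"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then return 0; fi
        if [ "$1" -gt "$2" ]; then return 1; fi
    done
    return 1   # identical to the fixed release
}

# Typical use (needs root for the real file):
#   add_source /etc/apt/sources.list && apt-get update
#   needs_upgrade 1.4.2-01 && echo "upgrade recommended: security fix in $FIXED_RELEASE"
```

Run `add_source` against a copy of sources.list first if you want to see the effect; the version check only tells you whether the fix is missing, it does not perform the upgrade itself.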

Blackdown J2SE 1.4.2-02

Blackdown released J2SE 1.4.2-02 for Linux on x86 and AMD64/EM64T yesterday. The release fixes a security issue (JRE May Allow Untrusted Applet to Elevate Privileges), so make sure you upgrade.

Users of other Java implementations based on Sun’s code should check for updates too.

Antivirus Fun on Inspiron 9300

I bought a Dell Inspiron 9300 last week. I’ll mainly use the machine for Linux and Java development, but I’ve kept a small Windows XP partition. More on the Linux installation later; here’s a short rant about broken Windows applications:

I didn’t want to use the Symantec tools that came bundled with the system due to previous experiences, so I had to look for another antivirus & firewall solution. After reading a few reviews I decided to try G-Data AntiVirusKit InternetSecurity 2005 first. Installation went smoothly, but after the next reboot the taskbar didn’t repaint anymore and Explorer was unresponsive. The system was in a pretty unusable state.

After booting into Safe Mode, I changed the Data Execution Prevention (DEP) settings to only cover core Windows programs. Another reboot and G-Data started working! Well, that’s quite disappointing: x86 processors with No-Execute (NX) and Execute Disable (XD) bits have been available for more than two years now and XP SP2 isn’t exactly new either — still G-Data hasn’t managed to fix its code!

Lesson learned: If you have a processor that supports NX or XD (same thing, just different marketing names from AMD and Intel) and you plan to actually take advantage of that feature, you had better check twice which software you’re going to use — especially when using closed-source software. (Linux users should be on the safe side; I haven’t seen an application having problems with NX for a long time.)

I’ve removed G-Data AntiVirusKit InternetSecurity 2005 and installed F-Secure Internet Security 2005, which seems to work fine with DEP enabled globally.