On any given week, there's a tug-of-war among the new threats and vulnerabilities spilling out, and the programmers and cops trying to contain them. Last week's struggle had some particularly engaging efforts. On the downside, two big vulnerabilities were found in the Firefox browser, and the Sober.p worm was found to be evading many antivirus scanners. On the upside, Novell took steps to tighten up its Linux operating system, Microsoft unveiled a service for ad hoc security guidance, and Swedis

InformationWeek Staff, Contributor

May 23, 2005

7 Min Read

A Layer Of Security For Linux
In a move to improve the security of applications running in Linux environments, Novell last week said it has acquired Immunix Inc. and its AppArmor software. Financial terms weren't disclosed.

AppArmor is used to prevent applications operating in the Linux environment from being co-opted by viruses, worms, and other malware into doing things they shouldn't. Using application-containment technology, AppArmor keeps applications from "masquerading," or using ill-gotten permissions to do malicious things, says Ed Anderson, VP of product marketing for Novell's platform group.

It offers a layer of protection if Novell's access controls and password protections built into the operating system are compromised. Novell is making AppArmor available with SuSE Enterprise Linux 9 and subsequent versions of the operating system.

Ed Anderson

Ed Anderson

The company's YAST (Yet Another Setup Tool) management software is used to install and configure AppArmor and define what an app is and isn't allowed to do.

Novell decided to acquire Immunix rather than partner with the company for its technology. "A lot of customers are wary about working with smaller companies that don't have the breadth of support," Anderson says. Novell wants to make AppArmor more mainstream by folding it into the company's suite of Linux offerings.

Immunix engineers were instrumental in developing the open-source Linux Security Modules project, a general-purpose framework for access control, Anderson says, and will continue to conduct Linux security research as Novell employees from their lab near Portland, Ore.

-- Larry Greenemeier

Microsoft Adds To Warnings
Microsoft unveiled a security advisory service to plug the gap between public disclosure of a vulnerability and the availability of a patch.

Dubbed Microsoft Security Advisories, the service is a pilot program begun in response to customer requests, says Stephen Toulouse, program manager at the Microsoft Security Research Center. "When we got down to it, in the absence of a bulletin, customers wanted us to provide authoritative guidance on security-related topics," Toulouse says.

Microsoft's security advisories--the first two of which were issued last week--will offer early workarounds for vulnerabilities before a patch is ready. "If there was public vulnerability posted, the advisories could be used to provide guidance on workarounds," Toulouse says.

The advisories, which in some cases will morph into actual bulletins, will follow the general format of the existing security bulletins, because feedback for the latter has been positive and users are familiar with the layout. But the advisories won't come with the severity rankings used for bulletins, which are accompanied by a four-step rating that tops out at "critical."

In some cases, Toulouse says, Microsoft will use the advisories to debunk hoaxes about phony vulnerabilities or to document updates on earlier vulnerabilities that have been patched but are being exploited in new ways.

John Pescatore, VP at market research firm Gartner, says the new service is a good thing. "The more security advice on how to make Windows protected, the better."

-- Gregg Keizer, TechWeb News

Suspected Cisco Thief Nabbed
Police in Sweden have arrested a suspect in connection with the theft of Cisco Systems networking equipment source code last year, the company confirmed last week.

A spokesman for the FBI says the case is ongoing and declined to offer details.

The stolen code was a portion of Cisco's Internetworking Operating System version 12.3. The incident has been a matter of concern because malicious hackers might find flaws in the code that could be exploited to impair Cisco's routers, which handle a significant portion of traffic on the Internet. At the time of the incident, however, Cisco said that the availability of its code didn't pose an increased security risk.

While recently Cisco has been promoting what it calls the Self-Defending Network, its defender in this case has been the network of national and international law-enforcement agencies. "We have worked hard to develop strong partnerships within the international law-enforcement community," an FBI statement said. "In this case, we have been working closely with our international partners to include Sweden, Great Britain, and others. As a result of recent actions, the criminal activity appears to have stopped."

-- Thomas Claburn

Worm Evades Scans
One of the reasons the Sober.p worm continues to spread is because of the way it hides from some antivirus scanners, a Russian security firm says.

Sober.p--also called Sober.s, Sober.o, and Sober.v by various antivirus companies--includes a mechanism that prevents other programs from accessing its files, Kaspersky Lab said last week. That presents problems for some antivirus software.

The tactic has been seen in previous Sobers, but it has been refined so that no applications can access them, according to the firm. If the malicious code can't be accessed, it can't be detected when antivirus software runs scans. Instead, the software must have the means to detect Sober running in memory, then kill those processes.

Several antivirus vendors have posted free detection and deletion tools that can see through Sober's cloak of invisibility, including Panda Software's QuickRemover. Microsoft's Windows Malicious Software Removal Tool, which was updated last week as part of the monthly security bulletin release, also sniffs out Sober.p.

-- TechWeb News

Firefox Holes Outfoxed
The Mozilla Foundation last week posted a release candidate of a security update to its Firefox Web browser that patches a pair of vulnerabilities rated "extremely critical" that were leaked earlier this month.

The Windows, Mac, and Linux versions of Firefox 1.0.4 security update can be downloaded from the Firefox File Transfer Protocol server. Like the three previous updates released this year, 1.0.4 is a bug fix, in this case one that plugs a cross-scripting vulnerability that could let an attacker gain control of a Firefox-equipped computer if its user simply surfs to a malicious site.

Because proof-of-concept code was leaked--as were the vulnerabilities--before a patch was ready, Mozilla recommended that Firefox users either disable JavaScript or lock down the browser so it doesn't install additional software, such as extensions or themes, from Web sites.

The vulnerabilities were discovered by a pair of security researchers who had notified Mozilla earlier in the month but were keeping mum until a patch was written. However, details of the vulnerabilities were leaked by someone close to one of the researchers.

According to security vendor Secunia, which tagged the bugs with its highest "extremely critical" warning--the first time it has used that to describe a Firefox flaw--a hacker can trick the browser into thinking a download is coming from one of the default sites permitted to install software automatically: addons.mozilla.org or update.mozilla.org.

Firefox 1.0.4 is the fourth security update to the browser since the beginning of the year. In that time, Microsoft has released two patches for its Internet Explorer browser.

-- Gregg Keizer, TechWeb News

Telco Act Needs VoIP Security
The Cyber Security Industry Alliance has called on Congress to include recommendations related to securing voice-over-IP technologies as it reviews the 1996 Telecommunications Act.

Paul Kurtz

Paul Kurtz

The pervasiveness of IP-based communication and networking technologies, particularly VoIP, has made the security and integrity of the Internet a national priority, according to the alliance. Voice applications over the Internet are vulnerable to many of the same threats as data traffic, including denial-of-service attacks, worms, and viruses, and these threats could cripple the IT-dependent critical infrastructure, disable VoIP-based emergency systems, and weaken the national response capability in the event of attack, the group says.

"As Congress considers revisiting the Telecommunications Act of 1996, the cybersecurity alliance strongly recommends that the serious implications of VoIP cyberattacks be addressed since they can affect critical government services such as 911 and other emergency first-responder services," executive director Paul Kurtz said in a statement.

The alliance has made a number of recommendations for securing VoIP and has asked Congress to provide support for research into and development of security technologies.

-- Matthew Friedman, Networking Pipeline

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights