As Linux increasingly hits the enterprise and consumer mainstream, a growing number of security threats are emerging which prey on holes in applications and files managed by desktop users.
On Wednesday of this week, Linux vendors Red Hat, Novell and Mandrakesoft released patches for several vulnerabilities. These threats ranged from the moderate to highly critical, as ranked by Danish security monitoring firm Secunia.
While some focused on network vulnerabilities familiar to any network administrator — such as problems exploiting buffer overflow — several holes were also found affecting common desktop applications and files.
“End users are inundated with applications which haven’t been scrutinized properly,” says Dave Wreski, CEO of open-source Internet security company Guardian Digital and the author of widely used Linux security documentation. “I think you’re going to see an increase in the number of vulnerabilities as more people use Linux.”
For example, the recent round of security advisories issued by Red Hat almost exclusively features patches for applications or file-handling problems rather than core problems with the system logic.
Red Hat announced a patch to a buffer overflow bug in the unarj program, an archiving utility which can extract ARJ-compatible archives.
Without the patch, attackers could create a specially crafted archive which could cause unarj to crash or possibly execute arbitrary code when extracted by a victim. Another unarj bug, a path traversal vulnerability bug, allows attackers to create a specially crafted archive which creates files in the parent directories, and if used repeatedly, overwrite key systems files and programs.
A Red Hat vulnerability was also found in Red Hat’s libtiff package, a library of functions for manipulating TIFF format image files. Without the patch, a user who opens a malicious TIFF file could potentially give attackers an opening to execute arbitrary code.
Another libtiff patch, this one issued by Mandrakesoft, protects against remote exploits permitted by an integer overflow in libtiff. The patch protects against overflows occurring when parsing TIFF files set with the STRIPOFFSETS flag.
One vulnerability found in Novell’s SuSE distribution would allow intruders to launch a local denial-of-service attack using a special type of Acrobat document. The problem is caused by new integer overflows in xpdf document viewer and xpdf clones.
Working on Improvements
At least one vulnerable end-user application still hasn’t been patched. According to a SuSE advisory, the Konqueror Web browser allows Web sites to load pages into a window or tab currently used by another Web site. SuSE is preparing updates to address this issue but hasn’t released them yet.
According to some industry observers, a focus on digging bugs out of end-user applications makes perfect sense — not just as a means of protecting users, but as a method for wresting converts away from Microsoft.
“Because Microsoft end users are already being targeted by everything, [commercial open source vendors] are probably trying to stay ahead of the game,” says Lajos Moczar, president of Colorado Springs, Colorado-based Galatea Information Strategies. “They want to be the ones providing the infrastructure, not just the operating system, and that means taking care of applications too.”
Finding and Fixing
Meanwhile, not surprisingly, security pros continue to find and fix network vulnerability in the major Linux distros.
Red Hat is also offering a patch for a minor application vulnerability first detected in 2003 in Pine, an e-mail user agent. The c-client IMAP client library, as used in Pine 4.44, contains an integer overflow and integer signedness flaw that would allow a malicious IMAP server to crash the application.
Another Red Hat bug affects Mozilla, an extremely popular open-source Web browser, e-mail and newsgroup client, IRC chat client, and HTML editor. (To date, there have been more than 10 million downloads of Mozilla’s Firefox browser, and more than 2 million downloads of the Thunderbird e-mail client.)
Due to a buffer overflow bug in the way Mozilla handles network news transfer protocol (NNTP) URLs, attackers may be able to execute arbitrary code on users visiting malicious Web pages unless the vulnerability is patched.
A SuSE flaw found in the Acrobat Reader shipping with the current distribution, could allow attackers to execute malicious code by handcrafting a special e-mail. The exploit takes advantage of features designed to allow scanning of e-mail style plain text documents for PDFs.
Yet another SuSE flaw would allow malicious persons to launch a denial-of-service attack by inserting deliberate errors into the netfilter data stream. The problem comes from a missing access check in the netfilter communication handling of the “ip” program in the iproute2 RPM.