Tuesday, September 19, 2006

TOC
Ubuntu Security
Summary

I had a nice somewhat poetic post about why I hadn't been posting at all (I wanted to say much, but that's a lie really), and the reasons why I'd be posting more often now. The reason I haven't been posting is because I haven't been making time for it, and the reasons that I would be posting really are just excuses that wouldn't hold enough water to drink from, so I'll skip that.

I think the real reason I haven't been posting is because I never really decided what I wanted this to be. I knew what it couldn't be. It couldn't be a real journal: it's too public and I'm too private. I've seen the stupidity of trying to make a personal journal public, and although that seems to be a value people seem to give to blogs, I don't believe that's where their value lies. I sort of thought that this would be a security blog, and while I see the value in that, I think there are two problems I would face. I'm too new to the industry to be able to write long thoughtful posts on the subject, and I don't want this to just become a link fest to all the other security blogs out there. Unfortunately these problems actually hold for just about any subject that I might possibly choose to write about in a blog. I have no particular expertise in any one area, and I see no point in creating just another link blog.

My solution? I think I'm probably going to try a hybrid. I do feel that it would be useful for people who are not security inclined and have no interest in subscribing to Bugtraq and the like to find information about security issues and vulnerabilities that might pertain to them in one place, so I will try that. I'm also interested in just about any other topic under the sun, and have been trying to use blogs that are written by experts to get as much exposure to as many subjects as I can. I feel that in this age where information is so easy to come by, our sudden urge to specialize into only one area of expertise seems not only foolish, but wasteful as well. Yes, the argument can be made that there is more to know in each subject as they grow, but I don't feel that it justifies studying one area in exclusion of everything else. In my mind, there is no argument that could convince me that it is useless to know something about math, science, history, and any other subject, even though I am just as guilty as most others at ignoring other areas of study.

I do know that I tend to go on a little, so I've decided that I will employ simple HTML to aid those who are interested in certain sections of a post and who would rather not wade through my ramblings on unrelated things. My plan is to include a "table of contents" at the beginning of my posts and link the sections through there. I know that the other option is to just make multiple posts, but there's nothing more annoying than visiting a blog, or opening your RSS reader, to find that someone has posted 10+ new posts in the last half hour and each is a couple of lines long. I will still not be posting from work.

Ubuntu vulnerabilities
For those of you using Ubuntu/Kubuntu, there have been a couple of vulnerabilities that have been found. At the moment I'm not sure where the CVEs link to, so I'll try to add those in the future.

There was a vulnerability found in gzip. It did not verify the authenticity of the packages that it unpacks, and so arbitrary code can be executed at the user's privilege level.
CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338

The second is a kernel vulnerability. The kernels in question can be DoS'd by using a special value when opening SCTP sockets. The ELF loader did not verify the memory layout, allowing for the possibility of an attacker crashing the kernel.
linux-source-2.6.10/-2.6.12/-2.6.15 vulnerabilities
CVE-2006-4535, CVE-2006-4538

The last is a GnuTLS vulnerability.
"The GnuTLS library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key."
gnutls11, gnutls12 vulnerability
CVE-2006-4790

To be honest, most of this is above my head at my current Linux knowledge, but at some point maybe I'll be able to better explain this stuff.

Summary
I thought I saw a new IE 0-day attack but I've used up the time I set myself before I went to bed, so I'll try to look into that tomorrow. Hopefully my posting will be more consistent, but hey, if not, it won't kill you.