Even More Security Problems

By Larry Seltzer | Posted 2003-03-20

BEA announced a vulnerability in its WebLogic Server and Express versions 6.0, 6.1 and 7.0, on all platforms. The problem, basically a bug in the implementation of an internal protocol used for copying files between servers and for supporting developers, could allow unprivileged users to access and modify application source code, system settings, even system files. WebLogic users should apply the patches immediately.

The Samba team released patches for a series of bugs that could allow an anonymous remote user to gain su (root) privileges on the server running Samba. This is pretty much a worst-case scenario; Samba administrators, quit those video games and upgrade your servers ASAP. All versions of Samba from 2.0.x through 2.2.7 are affected. Administrators should either upgrade to 2.2.8 or follow the instructions in the advisory referenced above in order to limit exposure.

The Linux Kernel team released Version 2.2.25 and a patch for Version 2.4.2x in order to patch a local root exploit in those versions. The kernel team does not believe that the 2.5 series of kernel versions is vulnerable. The announcement from Senior Kernel Boss Alan Cox to the linux-kernel mailing list states that a local user could obtain full privileges, but that a remote exploit was not possible.

On a more academic and theoretical note, a professor and a security officer at Stanford University released a paper on the possibility of using timing attacks against OpenSSL, a very popular open source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. In response, the OpenSSL team released an advisory and a patch that should address the problem. Almost all SSL-enabled versions of Apache are affected, so the number of potentially vulnerable systems is large.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
