Security News Roundup: Digital Dark Age may doom some data

This week's security events include news of yet another new version of Opera to resolve discovered critical vulnerabilities in the Web browser, VMware releasing a patch for ESX Server, news of SonicWall fixing vulnerabilities in its router operating system, and a warning that a looming "Digital Dark Age" may doom some data.

New version of Opera resolves critical vulnerabilities

A new version of Opera has been released which resolves a critical vulnerability discovered by security specialist Aviv Raff.

Apparently, certain parameters passed to Opera's History Search are not properly sanitized. As a result, scripts can be injected into the History Search results page, where they will run with elevated privileges. The result is arbitrary code execution. In addition, a cross-site scripting vulnerability in the browser was fixed.

Users are advised to update immediately. You can check out the Opera 2.6.2 Changelog here, or download it from here.

VMware patches ESX Server

VMware has released updates for its flagship ESX Server that eliminate a total of three critical vulnerabilities. Problems include a denial of service flaw, as well as a buffer overflow and arbitrary injection of code.

According to heise Security:

These include an error in the SNMPv3 implementation that has been known about since the middle of the year. This nullifies the authentication function, enabling attackers to access the Server. The update also eliminates a buffer overflow in the libtiff graphics library through which arbitrary code can be injected and executed by means of crafted TIFF files. Installing the update also eliminates an error in the libxml2 library that can crash applications accessing it.

You can check out the full VMware Security Advisory here.

SonicWall fixes vulnerabilities in its router

SonicWall has released an update for its SonicOS Enhanced router OS for various models of the SonicWALL TZ devices. A number of known issues were resolved, involving content filtering, logging and networking.

The networking issue could result in DNS attacks and cache poisoning, while the other critical issue requires user interaction: the victim has to visit a malicious Web page for the exploit to work. Due to insufficient sanity checks, an attacker is able to craft a URL that will trigger an error and simultaneously inject a malicious script. The result is that script injection occurs in the security context of the target domain, potentially resulting in further compromise.

You can read more from the Zero Day Initiative advisory here.
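Both the Opera History Search flaw and the SonicWall error-page flaw come down to request data being written into a generated page without encoding. The following is an added example, not code from Opera, SonicWall or the advisories: a hypothetical error-page renderer in its unsafe form beside a hardened one, plus a regression check. The template, function names and sample path are constructed for illustration.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample: a request path that carries markup, percent-encoded.
SAMPLE_PATH = "/no-such-page/%3Cscript%3Ealert(1)%3C/script%3E"

# Hypothetical error page template (not taken from any product).
ERROR_TEMPLATE = (
    "<html><body><h1>Error</h1>"
    "<p>Cannot display: {target}</p></body></html>"
)


def render_error_unsafe(raw_path: str) -> str:
    """'Before' form: echoes the decoded request path into the page as-is."""
    return ERROR_TEMPLATE.format(target=unquote(urlsplit(raw_path).path))


def render_error_safe(raw_path: str) -> tuple[str, dict]:
    """Hardened form: encode for the HTML context and forbid inline script."""
    target = html.escape(unquote(urlsplit(raw_path).path), quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Defence in depth: the error page needs no script or other resources.
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return ERROR_TEMPLATE.format(target=target), headers


def reflects_markup(page: str, raw_path: str) -> bool:
    """Regression check: is markup from the request present unencoded?"""
    decoded = unquote(urlsplit(raw_path).path)
    return "<" in decoded and decoded in page


if __name__ == "__main__":
    unsafe_page = render_error_unsafe(SAMPLE_PATH)
    safe_page, safe_headers = render_error_safe(SAMPLE_PATH)
    print("unsafe reflects markup:", reflects_markup(unsafe_page, SAMPLE_PATH))
    print("safe reflects markup:  ", reflects_markup(safe_page, SAMPLE_PATH))
    print("safe headers:", safe_headers)
```
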

Digital Dark Age may doom some data

I came across this article from the News Bureau of the University of Illinois, "'Digital Dark Age' may doom some data." The poser: whether a framed photograph or a 10-megabyte digital photo file stands a better chance of surviving 50 years from now.

Now, the main thrust of the article was the assertion by assistant professor Jerome P. McDonough that ever-changing operating platforms and file formats could leave digital data that is no longer accessible. This could be the result of forced obsolescence -- due to the influence of proprietary vendors, for example -- or simply of too many formats.

What really caught my attention here was the possibility for deliberate destruction of data.

"With the current state of the technology, data is vulnerable to both accidental and deliberate erasure," he said. "What we would like to see is an environment where we can make sure that data does not die due to accidents, malicious intent or even benign neglect."

I leave you with some questions here: As a security professional, what measures do you take against the above scenario? Are you yourself in a position where it is possible to irrecoverably wipe out corporate data? Finally, is deliberate data erasure by disgruntled employees entirely preventable?

Feel free to discuss the various security events here.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

8 comments
Wunderbarb

The article highlights only the problem of obsolete file formats. There is another problem: many physical supports (tape, hard drives, or recordable DVDs) have a limited lifetime. Most of them would never survive 50 years. Thus, even if you keep old computers running software to read obsolete formats, will the actual bits on storage still have the recorded values?

apotheon

I basically don't trust archived storage media, in and of itself. I prefer to keep everything on a live system -- more than one live system, in fact. I may also back some up to archived storage media, but I certainly don't rely on that alone to ensure the continued availability of my data.

paulmah

This week's security events include news of yet another new version of Opera to resolve discovered critical vulnerabilities in the Web browser, VMware releasing a patch for ESX Server, news of SonicWall fixing vulnerabilities in its router operating system, and a warning that a looming "Digital Dark Age" may doom some data.

Michael Kassner

Having been around since punched cards, I've done my share of updating to the next storage material. So I consider this a very significant issue. A for instance would be if the .pdf format all of a sudden disappeared, I'd be in deep deep trouble. Being anal, I don't like that. Yet, I'm not sure what for sure options are available, except to keep archival paper copies of everything. I'd love to hear other opinions on this subject.

apotheon

1. Keep a complete set of software needed to access certain file types stored somewhere, including everything needed to install a PDF reader (for instance) and the OS on which it runs.
2. Yes, you can keep paper archives.
3. Save everything in multiple file types -- such as plain text, PDF, and XHTML.

I favor saving everything I possibly can in plain text files. Plain text formatting such as you get with XHTML provides at least two benefits: you get formatting and you get a file type that is readable with nothing but the simplest of text editors. With plain text formatting like LaTeX, you get those two benefits, plus the ability to automatically translate the stuff into other file formats like PDF, PostScript, et cetera.

Also . . . I prefer using programs with open file formats. The more open, the better. If they're open, the worst case scenario would be that you might have to pay someone to write a program to render or translate the format (or do it yourself). If it's a closed format, you might just be screwed.

paulmah

One of the examples that came to mind was Microsoft's attempt to switch users over to the newest format of its Office file format. Then again, the counter-argument is that it cost a lot to be backwards compatible with all previous versions. Would be interesting to hear some viewpoints on this matter.

apotheon

That's a common problem for software maintained by proprietary software vendors. Worse yet, many, many people use something like MS Word documents when they really don't need anything more than plain text, thus geometrically increasing file sizes, opening themselves up to viruses, and endangering future file format compatibility, for no good reason at all. If I absolutely must have a word processor document format, I tend to use RTF. The rest of the time, for text documents, I use text files.

pgit

To a one, the MS office users I support had not noticed their default format had changed. The way they found out was when a problem arose, such as sending documents to a recipient who complained they were corrupted or otherwise couldn't be opened. Of course the recipients were using older, unchanged Office products that didn't know of the .docx format. It was a great lesson, from my perspective, as to what's wrong with MS and what's right about open source. Won a couple converts to Linux over that one. (though folks already leaning that way, anyway)