This week's security events include news of a moderately critical flaw discovered in some Trend Micro products, a free add-on for Mozilla Firefox 3.0 that helps give it a security boost, and news of a major security fix for popular Linux distribution Ubuntu.
Moderately critical flaw discovered in some Trend Micro products
Security services provider Secunia has issued an advisory pertaining to a vulnerability in Trend Micro's OfficeScan and Worry-Free Business Security. Versions 7.0, 7.3, and 8.0 of OfficeScan version 5.0 of Worry-Free Business Security is affected.
... the web-based configuration interface uses a pseudo-random token to identify a logged-on manager, but its entropy is evidently based on the time at which the user logs in. Knowing that, brute-force attackers could predict a valid password authentication token substantially more quickly and then use it to log in to the web interface.
A successful exploitation opens the way to execution of arbitrary code as well as manipulation of the configuration files via the Web interface. At the moment, Trend Micro has only provided updates for OfficeScan 8.0 and Worry-Free Business Security 5.0. Patches for the other affected versions should be available shortly.
This vulnerability is discovered by Dyon Balding, Secunia Research. You can read the security advisory here.
Mozilla Firefox gets security boost
A free add-on for Mozilla Firefox 3.0 have been released that protects against recently disclosed flaws in the DNS, as well as some digital-certificate problems that might arise.
Called Perspective, the extension was developed at the Carnegie-Mellon University's School of Computer Science and College of Engineering. How it works is by the use of "notaries", or intermediate nodes around the Internet, to verify the digital certificate previously spotted for a particular site.
This is particularly useful since many sites might opt to bypass certificate authorities, going for the less expensive self-signed certificates instead. Unfortunately, this will result in Firefox generating an error message which will inevitably result in users who blindly accept certificates with scant regard to authenticity.
Dave Andersen, a computer science professor at the University, and an adviser on the Perspectives project noted, "The fear is that the Firefox policy will force some sites to use Certificate Authorities but will make others not use any security at all."
With Perspective installed, the user is sent directly to a self-signed site without further fanfare if the historical record matches. Otherwise, the browser will display a warning to the Web surfer that the site is suspicious.
You can download Perspective from here.
Ubuntu issues patch for kernel flaw
Linux distributor Canonical has issued an advisory urging users to patch a vulnerability that has been discovered in the kernel of Ubuntu. If left unpatched, the flaw could allow an attacker to either execute malicious code or crash a system. The vulnerability is a local exploit, which means users must first be able to log into a local account.
"It was discovered that there were multiple NULL-pointed function de-references in the Linux kernel terminal handling code," wrote Ubuntu administrators in the email. "A local attacker could exploit this to execute arbitrary code as root, or crash the system, leading to a denial of service."
Multiple versions of Ubuntu are affected, including older versions — all the way from 6.08, to version 8.04 are vulnerable. Other versions of Ubuntu such as Kubuntu, Edubuntu, and Xubuntu will also need to be patched.
You can read the security advisory here for the full list of issues.