Yahoo displays warnings about malware links

May 7, 2008 – 4:54 AM

Yahoo is to start flagging links to sites that may contain dangerous content. Google has been warning users if a potentially dangerous website is behind the link in the list of hits displayed for some time now. Yahoo is following suit by marking websites that could possibly infect visitors with malicious code in its list of hits.

Yahoo is using McAfee’s SiteAdvisor to identify malicious websites. The Yahoo version, called SearchScan, will display a warning in the list of hits if potentially dangerous websites are found that fall into the categories dangerous downloads, risk of being hacked and unsolicited e-mails – indeed, Yahoo goes so far as to suppress from the hit list sites that are categorised as risk of being hacked.

As with most of the currently available link assessment systems such as McAfee’s SiteAdvisor, Finjan’s SecureBrowsing, and CAE’s LinkAdvisor, users should not automatically assume that links not flagged as malicious are always harmless. The flagging of suspect websites can help reduce the number of people who become infected with a Trojan via security vulnerabilities in their browser or add-ons when browsing the web. Importantly, the basic “red triangle” warning appears by a suspect listing in the Yahoo results whether or not JavaScript is enabled, so secure browsing does not prevent the message getting through. However, the information bubble and further details are only available if JavaScript is enabled.

Source: Heise Security

PHP Multibyte Shell Command Escaping Bypass Vulnerability

May 7, 2008 – 4:41 AM

In PHP there exist two functions to escape shell commands or arguments to shell commands that are used in PHP applications to protect against shell command injection vulnerabilities.
– escapeshellcmd()
– escapeshellarg()

Unfortunately it was discovered that both functions fail to protect against shell command injection when the shell uses a locale with a variable-width character set such as GBK, EUC-KR, or SJIS.

This can lead to arbitrary shell command injection vulnerabilities in PHP applications believed to be safe. In addition, exploiting this problem through PHP functions that use this shell escaping internally allows a safe_mode and disable_functions bypass.
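The most robust response to this class of bug is to keep untrusted bytes away from a shell altogether, so that no escaping routine (and no locale) is involved. The following is an added example, not code from the advisory or from PHP itself: it runs an external tool through proc_open() in its array form (PHP 7.4 and later), which executes the program directly without a shell, and restricts the user-supplied file name to an ASCII allowlist so that no multibyte sequence can change how it is interpreted. The function names safeFileName() and countLines() are my own.

```php
<?php
// Added example: run an external tool on a user-supplied file name without
// relying on escapeshellarg()/escapeshellcmd(). Assumes PHP >= 7.4, where
// proc_open() accepts the command as an array and executes it directly,
// so no shell ever parses the arguments.
declare(strict_types=1);

// Strict ASCII allowlist: nothing outside [A-Za-z0-9._-] gets through, so
// no byte can act as a multibyte lead byte, and '..' blocks traversal.
function safeFileName(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)
        || strpos($name, '..') !== false) {
        throw new InvalidArgumentException('unacceptable file name');
    }
    return $name;
}

// Count the lines of $baseDir/$userName with wc(1), bypassing the shell.
function countLines(string $baseDir, string $userName): string
{
    $path = $baseDir . DIRECTORY_SEPARATOR . safeFileName($userName);
    // Array form: each element is one argv entry, so '; id' or a stray
    // 0x81 byte inside $path is plain data, never command syntax.
    $cmd  = ['/usr/bin/wc', '-l', '--', $path];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $env  = ['LC_ALL' => 'C', 'PATH' => '/usr/bin:/bin']; // fixed single-byte locale
    $proc = proc_open($cmd, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start wc');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('wc failed: ' . trim($err));
    }
    return trim($out);
}

// Usage with constructed input: the second call is rejected before any
// process is started, instead of reaching a shell with a bad locale.
echo countLines(__DIR__, basename(__FILE__)), PHP_EOL;
try {
    countLines(__DIR__, "x\x81; id");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

On PHP versions older than 7.4 proc_open() only accepts a command string that is handed to /bin/sh, so the allowlist check is the part that carries over to them.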

Read the rest of this story…

PHP Weak Random Number Seed Vulnerability

May 7, 2008 – 4:38 AM

Since version 4.2.0 PHP automatically seeds the random number generators on the first usage of rand() and mt_rand(). This is done with the help of the GENERATE_SEED() macro.

Unfortunately it was discovered that the GENERATE_SEED() macro contains several problems that can lead to a weaker seed than expected. In the worst case the seed is directly predictable, which allows all random numbers to be predicted from the outside.

NOTICE: Neither rand() nor mt_rand() produce cryptographically secure random numbers and should therefore never be used for such applications.

ATTENTION: This vulnerability was not mentioned in the security changelog of PHP 5.2.6.
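The practical lesson of the NOTICE above is that anything security-sensitive (session identifiers, reset tokens, one-time codes) must come from a CSPRNG rather than from rand() or mt_rand(), whatever the seed quality. The following is an added example, not code from the advisory or from PHP itself; it assumes PHP 7.0 or later for random_bytes() and random_int(), and the function names weakToken(), secureToken(), secureCode() and tokenMatches() are my own.

```php
<?php
// Added example: security tokens from PHP's CSPRNG instead of rand()/mt_rand().
// Assumes PHP >= 7.0 (random_bytes, random_int).
declare(strict_types=1);

// Weak pattern, shown for contrast only: every character depends on the
// 32-bit mt_rand() seed, so whoever learns or predicts the seed can
// reproduce every token this process ever issues.
function weakToken(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $t = '';
    for ($i = 0; $i < $length; $i++) {
        $t .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $t;
}

// Sound pattern: 128 bits from the OS CSPRNG, hex-encoded. random_bytes()
// throws instead of silently degrading when no secure source is available.
function secureToken(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Uniform pick from an alphabet (e.g. one-time codes): random_int() is
// rejection-sampled, so there is no modulo bias.
function secureCode(int $length = 8, string $alphabet = '0123456789'): string
{
    $max  = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

// Persist only a hash of the token and compare in constant time when it
// is redeemed, so a database leak does not hand out live tokens.
function tokenMatches(string $storedHash, string $presented): bool
{
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Usage with constructed values.
$token  = secureToken();
$stored = hash('sha256', $token);
var_dump(tokenMatches($stored, $token));
var_dump(tokenMatches($stored, weakToken()));
```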

Read the rest of this story…

Do not Underestimate Physical Security

May 6, 2008 – 7:04 PM

Security in IT is everywhere: firewalls, proxies, anti-[spam|virus], IDS and more! But what about physical security to your IT infrastructure? Read the following story: Peter Gabriel’s web site was off the web due to a server theft! I would like to know how the thieves performed!

Why spend money to protect your resources from network attacks if they are vulnerable to theft (or any other degradation)? If it is easy to steal hardware, criminals will prefer to take out the servers and try to grab the information later from a safe place.

Reminder:

  • Install the hardware in a dedicated place.
  • Restrict physical access to the hardware to authorized persons only.
  • Monitor access via CCTV.
  • Log access (badges, biometric or card readers).
  • Do not install hardware in the basement or on the ground level.
  • Select a central place in the building without direct external walls.
  • Keep racks closed!
  • Prefer remote management (who’s happy to work between two racks with a notebook on the knees?)

Source: /dev/random

Linux Shootout: 7 Desktop Distros Compared

May 6, 2008 – 6:55 PM

We tested openSUSE, Ubuntu 8.04, PCLinuxOS, Mandriva Linux One, Fedora, SimplyMEPIS, and CentOS 5.1. All performed well, and each had at least one truly outstanding feature.

In the last couple of years, desktop-friendly Linux distributions have taken enormous leaps — they’re easier to install, better maintained, and more powerful than ever before. There’s also that many more of them — which means that many more possibilities to sift through.

In this roundup I’ve looked at seven Linux distributions, all mainly aimed at desktop users. Some ought to be household names; some are less widely sung but still worth looking at. All are meant to be top-of-the-line, “throw-and-go” distros for general use, so I paid careful attention to how they behaved on a fairly broad range of hardware — how display, networking, or other default configurations were set to behave both out of the box and after an update (if one was available).

Each of these distributions was installed on five machines:

  • Homebrew AMD Duron 1.1-GHz processor; 1-GB RAM; 80-GB hard disk; Geforce FX5200 128-MB AGP graphics.
  • Lenovo Thinkpad T61 notebook computer; Intel Core 2 Duo 2.2-GHz processor; 1-GB RAM; 80-GB hard disk; nVidia Quadro NVS 140M graphics.
  • Sony VAIO TX series notebook; Intel Pentium R 1.3-GHz processor; 1-GB RAM; 80-GB hard disk; 1366 x 768 widescreen display; Intel 915GM integrated graphics controller.
  • Dell XPS 420; Intel Core 2 Quad 2.4-GHz processor, 3-GB RAM; 160-GB hard disk; 1680 x 1050 widescreen display; ATI Radeon 2600 HD 256-MB graphics.
  • VirtualBox virtual machine with 1-GB RAM and 128-MB video running on Dell XPS 420.

Even if some of the distros shone brighter on the whole than others, most of them did fairly well — and all of them had at least one truly outstanding feature that might be the deciding factor for you. I should also note that many of these distributions either have commercial support options (like Ubuntu) or full commercial versions (openSUSE) available, in case you want to graduate to something a little more aggressively supported.

Read the rest of the story…