[linux-team] FW: Very bad news: big security hole in all UN*X
> Security experts have uncovered a new class of vulnerabilities in Unix and
> Linux systems that let attackers take full control of computers.
> These "format string" vulnerabilities started surfacing about two months
> ago, said Elias Levy, a moderator of the Bugtraq computer security mailing
> list. Some of them have lurked for years in basic Unix programs, but
> security experts only now have begun to find and fix them.
> (...)
> Levy estimates that computer security experts have announced six or seven
> format string vulnerabilities in recent weeks, and Arce predicts many more
> are on the way. And already, security specialists have published on Bugtraq
> sample programs that can exploit the weakness.
> The locale vulnerability uses internationalization software that allows Unix
> and Linux systems to be used in multiple languages. It's significant because
> countless basic Unix programs rely on the locale system to print messages
> such as "password incorrect" in the proper language.
> (...)
> Arce initially found the locale vulnerability on a Sun Microsystems server,
> but it affects all Linux and Unix operating systems except OpenBSD and
> FreeBSD, he said.
> (...)
> Format string vulnerabilities are similar to another broad class of problems
> called "buffer overflow," which have been around for decades and hinge on an
> attacker inserting too many characters into an input field such as a
> password prompt. In a buffer overflow, an attacker also can get a computer
> to run arbitrary instructions that let the attacker take over the computer.
>
> more info at:
> http://news.cnet.com/news/0-1003-200-2719802.html?tag=st.ne.1002.tgif.ni
>
> ---
> Vincent Jamart, Sgt.
> AIX System Administrator
> 22 Log. Wing -XSU
> BELGIAN AIR FORCE
> tf: +32-2/701.23.02
> fax: +32-2/701.59.32
> mail: JamartV@baf.mil.be
> ------------------------------------
> Progress comes from unreasonable people (George Bernard Shaw)
>
>
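As an added illustration (not part of the forwarded article or of any project it names), a small C check in the spirit of the mitigation that followed the locale bug: a catalog-supplied translation is accepted only if its printf conversions match the original message's exactly, and untrusted text is always printed as data rather than as the format argument. The function names and the sample messages are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Append c to out (bounded) and count it, even when it does not fit. */
#define RECORD(c) do { if (n + 1 < outsz) out[n] = (c); n++; } while (0)

/* Extract the ordered printf conversion characters of fmt into out, e.g.
 * "%-8.3lf of %s" -> "fs". "%%" is a literal and is skipped; a '*' width or
 * precision consumes an argument and is recorded as '*'; a lone trailing '%'
 * is malformed and recorded as '?'. Returns the number of conversions. */
static size_t conversion_sequence(const char *fmt, char *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" is a literal percent */
        for (;;) {                               /* flags, width, precision, length */
            if (*p == '*') { RECORD('*'); p++; }
            else if (*p && strchr("-+ #0123456789.hlLqjzt", *p)) p++;
            else break;
        }
        if (!*p) { RECORD('?'); break; }         /* string ended inside a directive */
        RECORD(*p);
    }
    if (outsz) out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

/* Number of arguments a format string would consume. */
size_t count_conversions(const char *fmt) {
    char seq[64];
    return conversion_sequence(fmt, seq, sizeof seq);
}

/* A translation is only safe to hand to printf-style code if it consumes
 * exactly the same conversions, in the same order, as the original message.
 * Fewer, more, or different specifiers are rejected before use. */
int translation_format_ok(const char *original, const char *translated) {
    char a[64], b[64];
    size_t na = conversion_sequence(original, a, sizeof a);
    size_t nb = conversion_sequence(translated, b, sizeof b);
    return na == nb && na < sizeof a && strcmp(a, b) == 0;
}

/* Untrusted or catalog-supplied text is passed as data, never as the format. */
static void print_message(const char *msg) { printf("%s\n", msg); }

int main(void) {
    const char *orig = "Password for %s on %s incorrect";        /* constructed */
    const char *good = "Mot de passe pour %s sur %s incorrect";  /* constructed */
    const char *bad  = "Mot de passe incorrect pour %s";         /* one argument short */
    print_message(translation_format_ok(orig, good) ? "good: accepted" : "good: rejected");
    print_message(translation_format_ok(orig, bad)  ? "bad: accepted"  : "bad: rejected");
    return 0;
}
```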
--------
Archive of the list: http://tania.be.linux.org/