Language Selection

English French German Italian Portuguese Spanish

Netscape laid wide open by security flaw

Filed under
Security

Two separate imaging-related security flaws have surfaced in AOL's Netscape browser and in the KDE desktop environment for Unix and Linux, according to security experts. Both could allow an attacker to plant malicious code on a user's system when a specially crafted image is viewed by an affected application, such as a browser, e-mail program or stand-alone viewer, researchers said.

Vulnerabilities in image-viewing components are among the easiest to exploit, particularly when they affect Internet-connected applications such as browsers and email programs, say experts. "If the libraries are used by other types of client applications, where the user has to download a malicious file and open it in a specific application, it complicates the attack a bit," said Thomas Kristensen, CTO of security firm Secunia.

The flaw in Netscape, affecting versions 6.x and 7.x, involves a boundary error in the way Netscape extension 2 blocks handle gif images, according to Internet Security Systems, which disclosed the flaw last month; the bug was patched in Mozilla-based products in March.

But the gif flaw also affects Netscape, and is unpatched, Secunia said in an advisory published on Tuesday. The vulnerability has been confirmed in version 7.2 and also reported in version 6.2.3 but is likely to affect other versions as well, Secunia said.

A separate vulnerability affects KDE's kdelibs, specifically an error in the kimgio component when processing PCX image files. Kimgio is used in KHTML-based Web browsers as well as KDE imaging applications such as kpresenter and ksnapshot, meaning that if an image crafted to exploit the flaw were viewed in any of these applications, they could allow an attacker to execute malicious code. The flaw affects KDE versions 3.2 to 3.4, Secunia said.

A patch is available from KDE and from various Linux distributors, including Suse, Gentoo and Debian.

Full Story.

More in Tux Machines

QNX 7 Can Be Fitted With A Qt5 Desktop

  • QNX 7 Can Be Fitted With A Qt5 Desktop
    While QNX remains targeted as an operating system for mobile/embedded solutions, a BlackBerry developer in his spare time has fitted QNX 7 with a Qt5 desktop. QNX 6 and prior had a desktop option, but was removed in QNX 7, which was released this past March. QNX 7.0 also brought support for 64-bit (and maintaining 32-bit) Intel x86 and ARM platforms along with C++14 support. For those wanting to experiment with QNX 7, a BlackBerry kernel developer has been working on making this operating system more desktop friendly.
  • Building a BlackBerry QNX 7 Desktop
    Having Qt allowed me to port one of my favourite applications, SpeedCrunch. It was a simple matter of running ‘qmake’ followed by ‘make’. Next, I ported the QTermWidget library so that I could have terminal windows.

Kernel Space/Linux

  • Kernel explained
  • [Older] [Video] Audio on Linux: The End of a Golden Age?
  • State of Sway April 2017
    Development on Sway continues. I thought we would have slowed down a lot more by now, but every release still comes with new features - Sway 0.12 added redshift support and binary space partitioning layouts. Sway 0.13.0 is coming soon and includes, among other things, nvidia proprietary driver support. We already have some interesting features slated for Sway 0.14.0, too! Today Sway has 21,446 lines of C (and 4,261 lines of header files) written by 81 authors across 2,263 commits. These were written through 653 pull requests and 529 issues. Sway packages are available today in the official repos of pretty much every distribution except for Debian derivatives, and a PPA is available for those guys.

Supporting Burning Platforms

  • Surface revenue does a U-boat, and dives

    Revenue generated by Microsoft's Surface hardware during the March quarter was down 26% from the same period the year before, the company said yesterday as it briefed Wall Street.

    For the quarter, Surface produced $831 million, some $285 million less than the March quarter of 2016, for the largest year-over-year dollar decline ever.

  • Acer said to me: "do not use our products with Linux. Find another manufacturer"
    Last year, I bought an Acer notebook and it came with Windows 10. As I didn't want spyware neither bloatware, I got Linux installed and asked for a refund of the OEM license. After a little of talking, they were wanting to charge me US$100 (to remove the license, which I already had wiped, as I got FDE Linux installed) to refund US$70 of the OEM license. This year, wondering to buy a new Acer notebook, I asked them again if they would refund me the OEM license without all the hassle (as they did pay me the US$70, without me having to pay the US$100).

today's howtos