
Netscape laid wide open by security flaw

Filed under: Security

Two separate imaging-related security flaws have surfaced in AOL's Netscape browser and in the KDE desktop environment for Unix and Linux, according to security experts. Both could allow an attacker to plant malicious code on a user's system when a specially crafted image is viewed by an affected application, such as a browser, e-mail program or stand-alone viewer, researchers said.

Vulnerabilities in image-viewing components are among the easiest to exploit, particularly when they affect Internet-connected applications such as browsers and e-mail programs, experts say. "If the libraries are used by other types of client applications, where the user has to download a malicious file and open it in a specific application, it complicates the attack a bit," said Thomas Kristensen, CTO of security firm Secunia.

The flaw in Netscape, affecting versions 6.x and 7.x, involves a boundary error in the way Netscape extension 2 blocks in GIF images are handled, according to Internet Security Systems, which disclosed the flaw last month; the bug was patched in Mozilla-based products in March.

But the GIF flaw also affects Netscape, where it remains unpatched, Secunia said in an advisory published on Tuesday. The vulnerability has been confirmed in version 7.2 and also reported in version 6.2.3, but it is likely to affect other versions as well, Secunia said.
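A bounds-checked walk of the GIF Application Extension block that carries the NETSCAPE2.0 looping data, added here as an illustration; it is not code from the article, from Netscape or from Mozilla, and it does not reproduce the reported bug, but shows the length check such a parser needs before it trusts a sub-block's size byte. The two sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    int ok;            /* 1 if the block ended cleanly inside the buffer */
    int netscape;      /* 1 if identifier + auth code read "NETSCAPE2.0" */
    size_t sub_blocks; /* data sub-blocks seen before the 0x00 terminator */
    size_t consumed;   /* bytes consumed, terminator included */
} gif_ext_result;

/* Parse one Application Extension (0x21 0xFF 0x0B <11 bytes> <sub-blocks> 0x00)
   at buf[0]. Every size byte is compared with the bytes still available
   before it is trusted, so a forged size cannot push a read past the buffer. */
gif_ext_result parse_app_extension(const uint8_t *buf, size_t len)
{
    gif_ext_result r = {0, 0, 0, 0};
    size_t pos = 3;

    if (len < 3 || buf[0] != 0x21 || buf[1] != 0xFF || buf[2] != 0x0B)
        return r;
    if (len - pos < 11)                 /* header promises 11 bytes */
        return r;
    r.netscape = memcmp(buf + pos, "NETSCAPE2.0", 11) == 0;
    pos += 11;

    for (;;) {
        if (pos >= len)                 /* truncated before the terminator */
            return r;
        uint8_t size = buf[pos++];
        if (size == 0) {                /* block terminator */
            r.consumed = pos;
            r.ok = 1;
            return r;
        }
        if (size > len - pos)           /* sub-block longer than what remains */
            return r;
        pos += size;                    /* safe to skip or copy these bytes */
        r.sub_blocks++;
    }
}

/* Constructed samples: a well-formed looping block, and one whose sub-block
   claims 0x20 bytes while only three follow. */
static const uint8_t good_ext[] = {0x21, 0xFF, 0x0B, 'N','E','T','S','C','A','P','E','2','.','0',
                                   0x03, 0x01, 0x00, 0x00, 0x00};
static const uint8_t bad_ext[]  = {0x21, 0xFF, 0x0B, 'N','E','T','S','C','A','P','E','2','.','0',
                                   0x20, 0x01, 0x00, 0x00};
int good_ext_ok(void) { return parse_app_extension(good_ext, sizeof good_ext).ok; }
int bad_ext_ok(void)  { return parse_app_extension(bad_ext, sizeof bad_ext).ok; }
```

A decoder that rejects the second buffer never reaches the bytes the forged size byte points at, which is the property a viewer embedded in a browser or mail client must hold against attacker-supplied images.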

A separate vulnerability affects KDE's kdelibs, specifically an error in the kimgio component when processing PCX image files. Kimgio is used in KHTML-based Web browsers as well as KDE imaging applications such as kpresenter and ksnapshot, meaning that if an image crafted to exploit the flaw were viewed in any of these applications, they could allow an attacker to execute malicious code. The flaw affects KDE versions 3.2 to 3.4, Secunia said.

A patch is available from KDE and from various Linux distributors, including SUSE, Gentoo and Debian.
