security

Drupal 4.6.4 / 4.5.6 fixes three security issues

You might have already noticed, but I'll reiterate nevertheless: the Drupal project has released Drupal 4.6.4 and 4.5.6, which fix three security vulnerabilities. Everyone running a Drupal site is advised to upgrade, as always.

Multiple people were mighty busy yesterday preparing, finalizing and testing the patches and advisories. I was one of them, although I was more like lurking around trying to look busy ;-) Anyways, I have sent the respective advisories (DRUPAL-SA-2005-007, DRUPAL-SA-2005-008, DRUPAL-SA-2005-009) to the "usual suspects" today: Bugtraq, Full Disclosure, and the php-sec mailing list. The advisories have already been picked up by Secunia and a bunch of other security sites...

Btw: I finally received news that my domain was transferred to my new web host today, which led to a short downtime. Everything should be fine now. If you notice any problems, please drop me a note.

Sony XCP Rootkit Saga Continues

I didn't follow this disaster too closely, but here's a short (most probably incomplete) roundup of what happened so far:

  1. The Sony DRM installs a rootkit,
  2. people use the rootkit to hide game cheats from Blizzard's Warden anti-cheat software,
  3. trojans start (ab)using the DRM rootkit,
  4. Sony gets sued,
  5. Sony pulls the rootkit.

Nice bedtime story so far. Now it turns out that Sony's web-based XCP (rootkit) uninstaller seems to open huge, gaping security holes itself...

Not that I would care too much, I don't buy any Sony CDs. There's a huge pile of great Creative Commons licensed music out there (shameless plug: check my music podcast for some hand-selected goodies). No need to pay huge corporations for crappy music which comes with funny "extras"...

EFF cracks the DocuColor Tracking Dot code

If you haven't yet read about it, some printer brands place tiny, almost invisible yellow dots on every page you print. These dots encode certain information (date, time, printer serial number, or similar things). I think you can easily imagine the security and privacy implications. The EFF has now cracked the DocuColor Tracking Dot code.

They have also written a program which decodes the dot patterns. The code is released under the terms of the GPL.

(via Boing Boing and CCC)

Paranoid? I'm not paranoid! Which of my enemies told you this?

Scary, funny, and old, but this ACLU pizza ordering video makes you start to think. For example, it makes you start to make an educated guess at how much of this is already possible today. I'm not liking the results of my guess...

(via 37signals)

Nessus forked [Update]

The company behind the Nessus security scanner announced that future releases will no longer be licensed under the terms of the GPL.

Of course (Nessus being the #1 rated project at insecure.org) we didn't have to wait very long for a fork — the Porz-Wahn project was announced yesterday.

Update: More Nessus forks have been announced: GNessUs, Segusius, GPL'ed Nessus Checks, and probably a few more...

(via Heise)