DISCLAIMER: Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
December 21st, 2007
Open source open to attack
As open-source coding begins to appear with increasing regularity in commercial software products, government users need to be aware of the potential security vulnerabilities in open-source code, industry experts say.
New commercial software products can contain, on a line-by-line basis, as much as 30 percent to 50 percent code that originated via open-source programs, said Mark Tolliver, chief executive officer at Palamida, a company that specializes in analyzing commercial software for elements of open-source code and any potential vulnerabilities.
The proliferation of open-source code has a variety of benefits for software buyers because it can lower the cost of writing new programs, speed the completion of new software projects and let programmers incorporate the best features of other programs, Tolliver said at a conference this week on the impact of open-source programs on the Defense Department, sponsored by the Association for Enterprise Integration.
The benefits, however, can be accompanied by potential security vulnerabilities and other issues, Tolliver said. Palamida, for example, this week released a list of the top five overlooked open-source security vulnerabilities that it encountered in 2007, as well as available fixes. The top five open-source products and their vulnerabilities included:
- APACHE GERONIMO, which in its 2.0 version does not throw FailedLoginException for failed logins, which potentially can allow remote attackers to bypass authentication requirements, deploy arbitrary modules and gain administrative access.
- JBOSS APPLICATION SERVER, which in versions 3.2.4 through 4.0.5 includes a Directory traversal vulnerability in the DeploymentFileRepository class, potentially allowing remote authenticated users to read or modify arbitrary files and possibly execute arbitrary code.
- LIBTIFF (Library for reading and writing Tagged Image File Format), which in versions before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code and trigger assert errors.
- NET-SNMP , which in several versions when running in the master-agent mode can allow remote attackers to cause a denial-of-service crash by causing a TCP disconnect.
- ZLIB, which in Version 1.2 and later versions allows remote attackers to cause a denial-of-service crash via a crafted compressed stream with an incomplete code description of a length greater than one, which leads to a buffer overflow.
The identified vulnerabilities shouldn’t discourage users from using any of the products, Palamida said, although they should make sure they’re using the latest and most stable version of all software and implement the patches that are available to correct all five of the top vulnerabilities.
Source: GCN
All news for December, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: Keylogger.org is an independent research
project supported by a team of enthusiasts. If you find this
project useful or would like to help foster its continued
development please consider making a donation using PayPal`s
online secure payment service. A PayPal account is not required.
All major credit cards are accepted (MasterCard/Eurocard,
Visa/Delta/Electron, American Express, Switch/Maestro, Solo).
Simply click the button below.
Any amount would be useful and appreciated!
Thanks in advance for your support!
|
