WordPress 2.3.3 is an urgent security release. If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.
Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available from its author.
(IN)SECURE Magazine is a free digital security magazine in PDF format. In this issue you can read about malware, advanced social engineering, Internet terrorism, visualization tools for security analysis, wireless security, insider threat, fraud mitigation, and much more. Download your FREE copy today!
Linux.conf.au kicked off its main proceedings in Melbourne on Wednesday morning with a stark message from security guru Bruce Schneier: "When security companies give you cost justifications, they're complete bull@#&&."
And so begins what is, as always, a great piece of commentary on the overall nature of security and the problems that are derived from the gap between perceived security and real security. Read on....
Crispin Cowan, the Linux security expert behind StackGard, the Immunix Linux distro and AppArmor, has joined the Windows security team.
Originally posted by a blogger over at Microsoft. It's interesting though - what is making Microsoft go for Linux security professionals? Is there something inherently more effective about security developers with an Open Source background? Something else?
A survey by Sentrigo indicates that most Oracle database administrators do not apply the Critical Patch Updates that Oracle issues on a quarterly basis. Oracle designed its CPU program to help customers protect databases and other products against recently discovered security vulnerabilities. However, security patching is largely neglected as 67.5 percent of the respondents said they had never applied any Oracle CPU and that leaves many databases open to exploits.
Source: www.ratliff.net/blog - Open Source Security - Posted by Ryan Berens
Emily Ratliff, a blogger and "architect for Linux Security, Quality, and Support for IBM’s Linux Technology Center," lists her most pressing stories in open source security this week. Below is the list, click-through to her blog and check out her insight...
The Fedora Weekly News Issue 114 (dated Dec. 31, 2007) describes three “SELinux Rants” along with the response from the Fedora community.
Interview with Bruce Schneier called Bruce Almighty: Schneier preaches security to Linux faithful (dated Dec. 27, 2007)
11 open-source projects certified as secure
Data center robbery leads to new thinking on security is an interesting look at the data center break-in that occurred last October.
Source: ZDnet Open Source Blog - Posted by Ryan Berens
The recent awareness on Coverity's test on Open Source projects has been making the rounds non-stop in the past days. The issue at hand here is the inherent value in what Coverity is actually providing - that is, identifying bugs in software to improve its quality.
Coverity's model is certainly one way of addressing the quality of code in an open source project. In fact, it can be a very useful model. They stated that 11 of the projects were cleared based on their "rung" system, among other observations.
But the issue is that many venues are mangling the information. First they are not stating closed source bugs/problems. Obviously, you can't compare two sides by only counting the faults on one side. To be more clear, awareness of the # of bugs in open source projects has absolutely no bearing on the absolute value of problems relative to other closed-source projects. They are exclusive of each other. Not to mention the fact that more awareness of bugs may account for bad press, but can allow for better overall security (knowledge is power).
The real problem here is that many of those covering the story are portraying it in the worst way imaginable; and in some cases, they are outright inaccurate.
Case in point, the following comment was found on the open source blog at ZDNET regarding the Firebird project - its an example of how sometimes percpetion can be misconstrued...
Catching 8 out of 10 bugs is not worse that catching 6 out of 10. And yet, this is the logic behind Microsoft's criticism of Mozilla's Firefox Web browser. To add insult to injury, we don't even know if it is, in fact, 10? Is it 20? Who knows? When there's no open dialog, you are at the whim of voluntary disclosure - disclosure that equals bad PR. But PR and true security are exclusive...
This much and more is said in an interview with Tristan Nitot, the president of Mozilla Europe. He gets into Linux, browsers, policies, security and more.
I'm surprised that bug counting, which is a terrible metric, was used by Microsoft. It isn't easy to assess security, but bug counting definitely isn't the way to do it. I'd rather talk about time to fix the duration of the window where users are at risk, which in our opinion is a much better metric.
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes the brand new Health Center, new packages for FWKNP and PSAD, updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, as well as other new features.
In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database and e-mail security, integrated intrusion detection and SELinux policies and more.
According to a report performed by IDC Research:
organizations perceived open source technology as providing better security compared to proprietary products...
In reality, it seems that the advantages of open source security are taking hold, so much in fact, that they are the primary reason for adoption in Asia and the region. So maybe, when Microsoft and other firms can't artificially meddle with the system, look what happens - the people speak and the choice is clear.
Is the reason because proprietary versions are so insecure, that Linux is secure by comparison? Or is it that Linux, by nature, gets more attention from a driven community to create platforms that are inherently better engineered, for more security through development?
