Zombies to beat e-mail authentication?

This issue's topics:

Introduction:

* Linux kernel, Apache httpd, sudo updates; bots beat anti-spam approach

Virus News:

* Zombies to beat e-mail authentication?

Security News:

* XP SP2 security feature workaround

* Several Linux kernel flaws fixed

* Apache HTTP Server 1.3.33 and 2.0.52 releases fix security flaws

* Sudo patch fixes local privilege elevation vulnerability

Introduction:

On the Windows side of things it has been a fairly quiet week, but Linux admins will be busy with updates for the kernel, both major Apache web server versions and sudo. There have been no virus stories of note this week, although the increasing spread of 'bots' seems to have finally made some of the 'user authentication will save us from spam' crowd realize the flaw in that position.

Virus News:

* Zombies to beat e-mail authentication?

Panellists at a session of a US Federal Trade Commission-sponsored anti-spam forum late last week pointed out a major flaw in the widely held belief that e-mail sender 'authentication' systems such as SPF, Microsoft's Caller-ID and the merged form of the two, Sender-ID, would be useful in combating spam.

The problem with the superficially attractive claims made for simple authentication schemes such as SPF is 'zombies'. Zombies are machines running various forms of malware designed to send spam and/or perform other acts of undesirable electronic mayhem at the whim of the 'owner' of a network of such machines.

According to a Symantec spokesperson at the event, in the first half of this year around 30,000 machines per day were taken over to join 'botnet armies' and the like. Clearly these are more than enough machines to overwhelm any likely benefits from schemes such as SPF if a significant fraction of such zombies were set to sending spam. Much evidence now suggests that at least half of all spam is sent by such zombies, although there is little evidence that the spammers using zombies have taken the next step of making their spam-bots 'SPF aware' so as to send their spam in a way that will bypass SPF-like 'authenticity' tests.

E-Mail Authentication Will Not End Spam - washingtonpost.com [reg'n req'd]
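
What an SPF check actually establishes, as an added example that is not part of the original article: a receiver-side evaluator for the ip4/ip6/all subset of SPF, run over constructed policies and delivery attempts. The domains, addresses and the `check_spf` helper are assumptions made for illustration; a 'pass' only says the connecting address is authorized for the sender's domain, so it cannot distinguish a healthy machine from a compromised one.

```python
import ipaddress

# Constructed SPF policies (TXT record contents) keyed by domain; not real data.
SPF_RECORDS = {
    "example-isp.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-sender.test": "v=spf1 ip4:198.51.100.25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate the ip4/ip6/all subset of SPF for the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = SPF_RECORDS.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                      # no policy published: nothing to check
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier when none is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":                  # catch-all: always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched, no "all" term

# Constructed delivery attempts: (connecting IP, envelope sender, what the receiver cannot see)
ATTEMPTS = [
    ("203.0.113.77", "alice@example-isp.test", "forged sender, unrelated host"),
    ("192.0.2.10", "bob@example-isp.test", "authorized range; host may be a zombie"),
    ("198.51.100.25", "promo@bulk-sender.test", "sender publishes its own policy"),
    ("192.0.2.10", "carol@no-policy.test", "domain with no SPF record"),
]

def evaluate(attempts):
    """Return (result, note) per attempt; the result never reflects message content."""
    return [(check_spf(ip, sender), note) for ip, sender, note in attempts]

if __name__ == "__main__":
    for result, note in evaluate(ATTEMPTS):
        print(f"{result:9} {note}")
```

Only the first attempt is rejected; the other results are the same whether or not the message is spam, which is why receivers combine SPF with content and reputation checks.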

Security News:

* XP SP2 security feature workaround

Call it a flaw, a bug or an unintended feature, but it seems that if the 'SharedAccess' service in Windows XP SP2 is disabled, the firewall is also disabled and access to raw sockets is enabled. This was reported earlier this week by Juergen Schmidt of Heise Security and should be kept in mind by security and performance tweakers, at least until Microsoft releases an update that addresses the issue.

Flaws in SP2 security features, part II - heise.de

* Several Linux kernel flaws fixed

Stefan Esser of e-matters has uncovered a series of buffer overflows, integer signedness and related issues in the smb file system (smbfs) component of the Linux 2.4 and 2.6 kernels. Affected versions of Linux running the smb server are thus open to denial of service attacks from induced kernel crashes and possible information leaks through improper memory handling. The latest kernel updates resolve these, and several other security-related issues.

Linux 2.x smbfs multiple remote vulnerabilities - e-matters.de

* Apache HTTP Server 1.3.33 and 2.0.52 releases fix security flaws

Versions 1.3.33 and 2.0.52 of the Apache Software Foundation's Apache HTTP Server have been released to fix two and one security vulnerabilities respectively. Most popular Unix and Linux distributions that contain the Apache httpd have already shipped update packages addressing these issues, or are expected to do so soon.

Apache HTTP Server 1.3.33 Released - apache.org

Apache HTTP Server 2.0.52 Released - apache.org

* Sudo patch fixes local privilege elevation vulnerability

Versions of sudo prior to 1.6.8p2 contain a flaw in their environment variable sanitizing that allows a user permitted to run shell scripts to execute arbitrary shell commands if the bash shell is used. bash is the default shell on most Linux systems.

Updated packages are being made available for the popular distributions, or the sudo 1.6.8p2 release (or later - 1.6.8p4 was released on 17 November) can be obtained and built from scratch.

Bash scripts run via Sudo can be subverted - sudo.ws
