The vulnerabilities occur in the Imlib software library, a set of common code for handling images, security information provider Secunia stated in an advisory Tuesday. The company rated the flaw threat as "highly critical."
Czech software developer Pavel Kankovsky discovered the flaws when he checked the Imlib library to see if it was affected by vulnerabilities found in a similar set of Linux code, Linux distributor Gentoo said in an advisory.
Both Gentoo and Novell's SuSE Linux released patches for the issue this week.
The image flaw is the latest graphics library vulnerability to affect a major operating system. Microsoft fixed a major flaw in how its operating system and applications handled the popular JPEG format. The flaw could be used to take control of a victim's PC by viewing a graphic. Another flaw in a popular code library for handling an open-source image format, known as Portable Network Graphics, put computers running Linux, Windows and Mac OS X at risk.
Another common element of Web pages, Sun Microsystems' Java, also had a major flaw that could affect Linux and Windows computer users. The company patched the issue in October.
Other versions of the Linux operating system are likely affected if they use an older version of the GNOME desktop. In addition, other applications on those systems could also be affected if that software uses the Imlib code.

a Linux kernel flaw. The OS kernel generally doesn't
process images, so, I was a little confused when I
first read the title. It is like saying an Adobe
image library vulnerability is a Windows problem.
Not quite accurate. One can always develop an
application or library to circumvent the system,
it isn't necessarily the OS's fault.
I am amazed that MS came out with a fix to this vulnerability before the Linux community did!
I guess even MS can work quickly to fix a problem if you light enough matches under their feet! :)
- Story incorrect, comments worse
- by December 9, 2004 10:29 AM PST
- Versions of GNOME in the 1.x series are affected by the imlib vulnerabilities discussed in this article, however, GNOME 1.x is not a "recent" version of GNOME by any stretch of the imagination. The 2.x series (which there have been four "minor" series of in the past two and a half years) does not use imlib, and the only distribution which continues to ship GNOME 1.x is debian woody (which will be replaced by sarge in a short while).
- Article is not wrong
- by David Arbogast December 9, 2004 12:21 PM PST
- The article does in fact state that this vulnerability exists in older Gnome packages. It's in the first paragraph, so there is nothing wrong with the assessment.
- closed source world
- by Ubber geek June 6, 2007 7:41 AM PDT
- http://www.analogstereo.com/cassette_deck_nakamichi_bx_300.htm
To compare GNOME 1.x and 2.x is roughly equivalent code-wise to comparing Windows NT4 to Windows 2000, or Windows 95 to Windows 3.1. Most of the code has been changed and rewritten, and all of the image handling (which this bug is an instance of) has. If you want a rough parallel, this is similar to discovering a bug that only occurs in Windows NT4 and claiming it affects "recent" versions of Windows.
I should note, regarding the comments, that this particular security issue was discovered as a result of independent code auditing by a random user of the imlib library--something that is legally impossible in the closed source world, unless you feel like paying money and signing all types of NDAs, which would almost certainly preclude disclosure of this type of vulnerability -- which means that even if somebody paid the money to see the code and found a vulnerability like this, you probably wouldn't hear about it until after an update is ready or someone *else* tests things the hard way and discovers the same issue independently. Further, unless you are doing something dumb, like running as the "root" user (Administrator in Windows NT/2k+/XP), this bug will only affect *your* user, and not the entire system. Finally, this issue has never been exploited (to my knowledge) "in the wild", merely in some guy's apartment.
James Cape
http://esco.mine.nu/
Just like flaws in older versions of Windows give anti-MS folks a reason to flame the software company, flaws in older versions of Linux are likewise targets for criticism. Why? Because there is still an affected install base. The difference is that each distributor of Linux is working to patch the problem, meaning that different distros have different security problems at any given time.
Sure... somebody found this flaw a few years after it was created, in their own home. Something that could not be done with code from a closed-source system. You are correct. Of course, it is only a matter of luck that the person was willing to report the flaw instead of exploiting it.