Zimbra, the open-source e-mail software that Yahoo acquired for $350 million last year, is officially coming to Ubuntu Linux.
Coinciding with this week's LinuxWorld conference in San Francisco, Zimbra has announced a partnership with Ubuntu parent company Canonical.
Ubuntu users have been able to access Zimbra for the past year. But now, the e-mail software will be in the Ubuntu Partner Repository, providing easy access to both offline and online Yahoo Mail, Gmail, AOL Mail, and any IMAP or POP e-mail accounts. Zimbra also offers document and spreadsheet functions, as well as mashup features with services like Flickr, Amazon.com, and Yahoo Maps.
Offline e-mail and documents are one area where Yahoo has beaten Google to the punch--but there have been strong hints that engineers at the latter may be rolling out something similar soon through Gears.
"Since we first announced general availability of Zimbra for Ubuntu last year, we have seen incredible adoption within the Ubuntu community," Andy Pflaum, senior director of business management for Yahoo's Zimbra division, said in a statement. "We are eager to offer our world-class collaboration experience, Yahoo Zimbra Desktop, to the vibrant community of Ubuntu users worldwide."
At LinuxWorld today, SPI Dynamic's senior security engineer, Matt Fisher, talked about the vulnerabilities of Web 2.0. His talk, although not much different from that of his colleagues Billy Hoffman and Brian Sullivan last week at Black Hat, offered some new examples of what criminals are doing online, armed with little more than a desktop browser. Cross-site scripting attacks are the No. 1 threat, according to the Mitre organization, in part because they are so easy to do.
In particular, Fisher singled out social-networking sites. Because the site depends on user content, the site allows users to upload HTML code, and in most cases, any HTML code. Knowing this, Fisher said someone could put a malicious script code into a blog post where it would sit until someone came along and read it. What bad could possibly happen from that, you might wonder? Fisher said that when someone in a corporate environment opens it, the attacker can then execute code inside the corporate perimeter on the internal network.
If that attack is too passive, Fisher suggested another scenario. In this scenario an attacker embeds malicious JavaScript into a customer help ticket. The help ticket is archived inside the corporate network. Every time a customer-support technician opens the help ticket, the code infects his or her desktop, and potentially, the corporate network.
Unlike operating system vulnerabilities, which can be addressed with a patch, cross-site scripting attacks aren't generic; they're specific to the Web application. The key to mitigating these attacks is to limit what end users can and cannot do on the site. That sounds simple, but newer Web 2.0 sites often don't check for common, even old-school methods of attack.
- prev
- 1
- next
