December 2006 Catch-up

Well, between the Holidays and 2 weeks of being sick, I didn’t stay very current during December.  So, to get back on track, I thought I’d create this summary, backdate it to December 31 (today is January 2nd, 2007), just so I can share my comments on some of the interesting security happenings during the month.

December 4th: OSDL Restructures at The Expense of Employees

OSDL is where Linus Torvalds works and the org that controls new Linux kernels. Apparently, they’ve decided to declare success now that “Linux has received unprecedented market validation and continues to see unprecedented growth.” “Unprecedented” must mean something different in this context than my normal understanding of the word.

December 5th: War for Linux is Almost Lost and

December 6th: War for Linux Doesn’t Even Exist; Is Not Lost Regardless

These two articles are entertaining, if nothing else. I don’t really agree with either viewpoint and am thinking about doing my own follow-up to these, looking at Linux predictions from 3-5 years ago and comparing them with how those predictions have panned out. Or, maybe not; I’m not sure how interesting this is to security folks.

December 9th: Retired from security@php.net

Stefan Esser bows out from the PHP Security Response Team – a real loss to this open source web scripting language, as PHP has had a lot of security issues over the past couple of years.  In Stefan’s words:

For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.

December 12th: Microsoft issues 7 Security Bulletins addressing 11 vulnerabilities.

Microsoft finishes out the last Patch Tuesday of the year, fixing several vulnerabilities. Only one patch was critical on WS2003. As usual, this got a lot of coverage in the press.

December 12th: UCLA alerts 800,000 to data breach

UCLA notifies a lot of faculty and alumni of a potential data breach that exploited a vulnerability:

“In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications,” Jim Davis, UCLA’s chief information officer and associate vice chancellor for information technology, said in a statement announcing the breach.

December 13th:  Red Hat Sales Exec Comments on Security

Alex Pinchev, right-hand man to Red Hat Chief Executive Matthew Szulik, apparently “has access to a lot of the strategic insights afforded to his boss, but is unencumbered by the diplomatic restraints placed on the chief executive.” Sharing that insight, Pinchev responds to a security-related Q&A:

The argument is ongoing about whether the Microsoft platform is more secure than Linux. Is it still a sensible debate?
Pinchev: It’s not. There were 18 security breaches in 2005 to Red Hat Enterprise Linux. Ninety percent were fixed within one hour. You will not see that at Microsoft.

This must be some of that new “sales guy math”.  I will post a separate detailed post on this one, due to its excellent potential for sardonic comment.

December 4-20th: Ubuntu Security Notices

Ubuntu issues 9 Security Notices during December, addressing 11 vulnerabilities in Ubuntu LTS. Ubuntu does not provide severity ratings to customers, but four of the vulnerabilities were High Severity according to http://nvd.nist.gov. As usual, this got almost no coverage by the press.

December 6-19th: Red Hat Enterprise Linux WS (v. 4) Security Advisories

Red Hat issues 6 Security Notices during December, addressing 11 vulnerabilities.  Three patches addressed critical issues, though all three were primarily fixing the same vulnerabilities on the three different Mozilla products (Firefox, Seamonkey & Thunderbird).  As usual, this got almost no coverage by the press.

December 20th: Microsoft shares draft of Vista security hooks

In the post-ship days of old Patchguard disputes, Microsoft released a draft of expanded kernel APIs that they had been developing interactively with security partners.

McAfee is pleased with Microsoft’s APIs, said George Heron, chief scientist at the Santa Clara, Calif., company, in an e-mailed statement. “Our preliminary review of the API specification document shows that Microsoft included some of the recommendations we had submitted, and it appears they did a good job on those,” he said.

December 22nd: Microsoft acknowledges Windows Vista vulnerability

“Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings,” Reavy wrote on the center’s blog early Friday.

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends