Older blog entries for mjcox (starting at number 139)

11 Sep 2005 (updated 12 Sep 2005 at 07:26 UTC) »
Mozilla and Firefox

On Friday we read about the Firefox security issue, CAN-2005-2871. This issue looked like it could well be a 'critical' issue potentially allowing a malicious web page to control a heap buffer overflow. We know that various technologies in Red Hat Enterprise Linux and Fedora Core are likely to reduce the chances of this being actually exploitable by an attacker -- checks foil the most usual way of exploiting heap overflows by messing with malloc control structures, and on x86 at least heap randomization makes an exploit harder. But this issue was already public and so we didn't have the luxury of time to be able to test the mitigation. So we initiated our emergency response process to get the packages through development and QA and got Firefox and Mozilla packages out via Red Hat Network within 20 hours of this issue being public (due to the awesome work from engineering folks, QA folks, and the security response team who worked late into Friday night to get this done).

ATA Security

Most laptops have the ability to set a hard drive password that gets asked for on boot -- take the hard drive out of the laptop and put it into another machine and you'll find you still need the password, the drive is locked by its firmware. This feature doesn't provide amazingly high security, it's known that some data recovery firms can bypass the password on some drives, some of the time, but it's probably good enough to thwart a thief who is after your machine and not your data. Anyway, most 3.5" drives found in desktop machines also have this feature, but it's mostly unsupported by motherboards (at least the sample of machines I could find). However Arne Fitzenreiter has come up with a novel solution, writing code for a BIOS that can unlock or lock desktop drives at boot. Incredibly useful also if your laptop has died, you had a password set, and you want to use the laptop drive in a desktop for a bit... guess who this applied to ;-)

In theory you should be able to program an EPROM or EEPROM, and just pop it into any old network card you have laying around that has a boot PROM socket. There is even a utility for the 3c905b/c that lets you program a EEPROM from Linux, and you can pick up a 3c905b card on ebay for under $5 including postage, so cheaper than a dedicated programmer. However the 3c905b isn't a great card to try to use the EEPROM in after it's programmed: a flaw in that card stops all the ROM contents being mapped properly.

Armed with a 3c905b for programming, an Atmel AT29C010A from Farnell Electronics, and a old 3c900 I'm glad I didn't throw away for the destination, a spare Windows PC, a couple of spare hours got it all working. Here are the final steps to make it all work for me:

  • Boot Linux with the 3c900 card to find it's vendor and product id (for my card it was 0x10b7, 0x9004)
  • Use the ATASX program in DOS to create an image for that product id
  • The ROM image produces won't work as it is on a 3c900, you need to fill it out to 65536 bytes just appending 0xff characters (a line of perl will sort this out)
  • Using the AT29C010A in the 3c905b card, use the bromutil utility (in contrib directory of etherboot) to erase the eeprom and burn the image
  • With the ROM and 3c900 boot to MSDOS and use the 3c90xcfg.exe program to make sure that the ROM is enabled
  • Reboot. Watch nothing happen (you got the vendor/product id wrong or the ROM isn't enabled) or a checksum error (the ROM image was bad, try again or use the disrom.pl script to look at the image file) or you see the ATASX program come to life.

I keep a scrapbook folder of things I want to buy, kind of a collections of "objects of desire". Actually the folder just serves as long term storage for things that I think I want, but actually don't need. By cutting out pages of magazines and articles and putting them in the folder I can forget about them without having to actually ignore them. It's the same pricipal as my Tivo; where Tivo happily watches lots of TV for me, TV that I never get around to watching, but feel happier that I'm not ignoring it. This all sounds very much like some monk from a Douglas Adams book, I must read that one again. Anyway Tivo currently is pretty full with around 20 episodes of "Queer Eye for the Straight Guy" which I kind of lost interest in after finding that the UK version wouldn't come up to Scotland.

Anyway, on Friday night I went through the folder and found that I'd actually bought some of the things in the folder without realising it -- an inflatable Dalek and a new TV. I also found some cuttings of DVD's that sounded interesting. I never normally get around to watching DVD's, but we went out and I bought and watched "I heart Huckabees" and "Adaptation", both movies that seemed worth wasting a few hours watching, and both were. Also today did a bit of geocaching to get back into it after a short break getting to 100 caches. (what could top the Moose geocache at Linuxtag in Germany?)

So in all it's been a productive weekend, although I wasted an hour or two drawing and then scrapping a thermometer widget in Perl/Tk for tablets that control my home automation system. I'm no graphic designer :(


The hot weather followed me back to Scotland, which is nice for me but not so nice for my 3m^3 computer cupboard which, being unventilated, gets quite warm and toasty. Today with the outside temperature at 20C and the inside temperature at 24C the cupboard was at 30C with the door closed, or 26C with the door open. So I cut a holes in the plasterboard in the wall near the top, a 120mm fan (with useless but cute blue LEDs, but nice and quiet with a fairly good flow rate), a nice looking outlet vent to hide the messy holes, and enough space for air to get in at floor level under the door. With the fan on and the door closed the temperature started rising, although slower than normal, to 29C. Turn the fan off, 30C.... so it's pretty consistant, but not particularly worth the effort. I need to figure out if my fan isn't moving enough air, or if it's just bad placement. -- I don't think I can get away with making any more large holes in the wall though, well not until Tracy goes out of the house for a few hours ;)

Hot isn't enough of a descriptive word for Karslruhe this week; 34C with no aircon on the show floor or hotel. I'd planned on taking a few hours out to go geocaching but so far don't fancy waking the mile round trip. Instead I managed a couple of webcam caches yesterday and I'm waiting for the weather to break. Did a couple of talks today (for partners) but the big FudCon talk is tommorrow morning, which should be more fun. Got to play with a Nokia 770 (shame it doesn't have a nice desktop stand charger), and find out some more about Xen. Time to go find some more nice Eis.


Off to Germany tommorrow for LinuxTag, FudCON2 and a few presentations. Unfortunately I get the first talk on Friday morning, just after the social event on Thursday night. Or it could be fortunately - this means that I could possibly get away with lower quality slides if the event goes well and everyone drinks lots. As some light relief today I found some gummi worms to photograph for my "Linux Worms" slide and some cute playmobil penguins. I'm looking forward to some real Haribo made in Germany, rather than the inferior "made in UK" versions I bought in Macro. I'm also looking forward to visiting Deutsche Bundesbank to exchange all my DM cash into Euros!

New PC tablets

I saw a couple of Fujitsu Point 1600 tablets going on ebay for US$150 for the pair and couldn't resist. My house already has a number of Fujitsu Point 510 tablets around with a simple Perl/TK interface to control heating, lighting, security, house cams, incoming phone calls and so on. But the old 510's were starting to show off their less than impressive specs 56Mb 75MHz 256 colour. The 1600 is a bit better at 160Mb and 166MHz with enough graphics ram to go to 24 bit colour at 800x600. Fortunately the 1600 is pretty similar to the 510 externally so the wall mount is the same, and in fact they use the same LCD and touchscreen so I can use the 510's as backlight spares (isn't it wacky when you can get a new 510 for about half the price of a replacement backlight for the LCD). Of course now I have faster tablets it means I'm likely to write more GUI to slow them back down again.

New Fedora Stats

I've been generating some more useful Fedora stats over the last few days, but I'm going to save them until FudCon next week so I've something new to talk about. I've also been adding some bookmarks to my phone so I can grab a few webcam geocaches in Karlsuhe and Frankfurt. Meanwhile the rest of the security team has been busy pushing out a lot of older 'moderate' and 'low' rated serverities whilst there isn't many 'important' rated issues in the queue.

A new Role Comparison Report from Security Innovation finds only three critical vulnerabilities affecting Red Hat Enterprise Linux, with zero average days of risk.

Back in March I wrote about a Role Comparison Report comparing vulnerability response times in Microsoft and Red Hat Enterprise Linux from Security Innovation -- published without involving Red Hat. Since that report they contacted me and supplied their dataset in which we were able to correct some mistakes. This week Security Innovation released another report from the data, this time looking at the role of a Database Server.

Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, the headline metrics treats all vulnerabilities as equal, regardless of their risk to users.

Their headline figure is 61 days of risk for a Red Hat Enterprise Linux 3 minimal installation with the addition of MySQL server from Red Hat Enterprise Linux Extras.

That sounds like an awful lot of days of risk - but if you filter their dataset by severity, using the Microsoft scale for determining the severity of each issue, you find the following:

*** Critical issues: 3 total issues. All fixed on the same day as first public disclosure, therefore having 0 days average risk.

*** Critical plus Important: 49 total, with 34 average days of risk

Red Hat prioritise all vulnerabilities and fix first those that matter the most. I frequently publish our raw data and metrics at http://people.redhat.com/mjc/

Days of risk statistics only tell a small part of the story: studies show consumers take some time to apply patches even after a vendor has produced a security update. So last year we added Exec-Shield to Red Hat Enterprise Linux 3 which also included support for processor EDB (execute disable bit) and NX (no execute) technology. Earlier this year Red Hat Enterprise Linux 4 shipped with Security Enhanced Linux turned on by default. These technology innovations are designed to reduce the risk of security issues.

Fedora Security

Just finished the security audit for FC4 candidate - For 20030101-20050605 there are a potential 861 CVE named vulnerabilities that could have affected FC4 packages. 759 (88%) of those are fixed because FC4 includes an upstream version that includes a fix, 8 (1%) are still outstanding, and 94 (11%) are fixed with a backported patch. I'll post all the details to fedora-devel-list later in the week. I'm also giving a keynote about Fedora and security response at FudCon later this month.

OpenSSL Security

A CSO remarked to me a couple of weeks ago that their perception was that OpenSSL had a lot of serious security issues over the years. In fact it's really only had a couple of serious issues, and in total only 15 issues in the last 4 years. So in the style of the Apache vulnerability database I did one for OpenSSL. This is now publically available and we'll keep it up to date. The page is built from a XML database of the issues.


Completed our 100th cache last weekend after a day out to grab some caches just north of Edinburgh. Took us a year to get to 100, but rather than try to do as many caches as possible we're trying to do a selection of interesting ones in interesting places. Since most caches in Scotland seem to involve 2 mile hikes we don't tend to do many each weekend. A cache last weekend took us within a few hundred yards of a certain blue and yellow swedish furniture store, which proved amazingly expensive with more bookcases, a new bed, shelving, and a packet of mini-daim bars needed to make the construction process less stressful.

Apache vulnerability database

We've not really given Apache Week any priority in the last few months -- in fact we've not posted a new issue since October 2004. So I'm glad we didn't rename it Apache Month. Time to register apachewhenthereissomethinginteresting.com.

Anyway, the most useful thing that I've kept up to date in Apache Week is the database of vulnerabilities that affects the Apache Web server v1.3 and v2.0. This list was even being linked to directly by httpd.apache.org so I made good on a promise I made a year ago and moved the database to the official site. Apache Week uses xslt for transforming the database, but the Apache site used velocity for page markup, but no one seemed to mind me adding ant-trax.jar to the site so the database gets converted from xslt to the page format that gets marked up by velocity. The end result is a couple of nice HTML pages on the official Apache site that list all the vulnerabilities that is easy for us to keep up to date.

Today a "Role Comparison Report" from Security Innovation was published which has a headline that Red Hat fix security issues less than half as fast as Microsoft.

Red Hat was not given an opportunity to examine the "Role Comparison Report" or it's data in advance of publication and I believe there to be inaccuracies in the published "days of risk" metrics. These metrics are significantly different from our own findings based on data sets made publically available by our Security Response Team. I work with these stats on a daily basis and frequently publish reports based on them. I've put some sample reports, including ones for the distribution and timeline examined in the report on my Red Hat page along with the perl script we use to do the analysis so you can judge for yourself.

Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, the headline metrics treats all vulnerabilities as equal, regardless of their risk to users. The Red Hat Security Response Team publish complete data sets allowing calculations to be made taking into account the severity of each flaw. Red Hat prioritise all vulnerabilities and fix first those that matter the most.

For example out of the dataset examined by the report there were only 8 flaws in Red Hat Enterprise Linux 3 that would be classed as "critical" by either the Microsoft or Red Hat severity scales. Of those, three quarters were fixed within a day, and the average was 8 days. A critical vulnerability is one that could be exploited to allow remote compromise of a machine without interaction, for example by a worm.

But let's put these metrics into context - with the current threat landscape it is no longer sufficient for operating system vendors to just respond to security issues. We've had a firewall enabled by default in our products since 1999. We've digitally signed all software updates from Red Hat since 1996. As part of our overall security strategy Red Hat is continually innovating to create new technologies that proactively help reduce the risk of unpatched or as yet undiscovered vulnerabilities. That's why you see things like Exec-Shield ,which proved it's ability in Fedora Core to reduce the risk of some exploits, accelerated into the Enterprise product, and why you see us work on integrating technologies such as SELinux configured and enabled by default.

130 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!