Intel updates its open source Linux drivers

Intel’s developers have released version 12.07 of the open source Intel graphics package for Linux systems. The package includes the new X Server drivers for Intel cards as well as several other components that have been tested with these drivers.

The most important new feature of the release is version 2.20.0 of the xf86-video-intel driver for the X Server. This includes a new 2D acceleration method, called SNA, that can be selected at runtime by specifying Option "AccelMethod" "sna" in the xorg.conf file. The SNA architecture is designed to make better use of new features in modern Intel graphics cards and aims to be faster and consume less CPU than the older UXA method. Alternatively, users can activate the Glamor method, which accelerates 2D graphics by using OpenGL. Both of these methods are currently considered experimental. The established UXA architecture and other portions of the driver have also received several bug fixes. Alongside version 2.20.0, the developers have also separately released version 2.10.1 of the X Server driver to fix problems they found while preparing the rest of the driver package.

Intel’s graphics driver package is aimed at developers looking for a pre-tested bundle of components rather than Linux end users. Aside from the actual drivers, the collection also includes other software components that have been tested in conjunction with them. This encompasses the stable 3.4.x version of the Linux kernel which was released in May and which uses the RC6 power saving mode by default. It also supports the GT2 server chipset based on the Ivy Bridge architecture. The included 3D driver is version 8.0.4 of Mesa 3D which fixes several problems of older 8.0.x releases but includes almost no new features.

The source code for Intel’s driver package is licensed under a combination of the MIT and GPLv2 licences and can be downloaded from the company’s Linux driver web site.

Safari 6 addresses numerous security vulnerabilities


Alongside the release of OS X 10.8 Mountain Lion earlier today, Apple has published version 6.0 of its Safari web browser for OS X 10.7 Lion, adding a number of new features and closing numerous security holes. According to the company, the major update addresses more than 120 vulnerabilities found in the previous 5.x branch. Among the holes closed are problems in the handling of feed:// URLs that could have led to cross-site scripting (XSS) attacks or users’ files being sent to a remote server. A bug in the autocomplete system used by Safari, which may have resulted in passwords being automatically inserted even when a site specifies that it shouldn’t be, has been fixed, as has an XSS issue caused by opening maliciously crafted files on certain pages.

As usual, the majority of the problems fixed in the update were found in the WebKit browser engine used by Safari. These include cross-site information disclosure bugs, site URL spoofing problems, cross-origin issues, problems related to iFrames and over 100 memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution. For an attack to be successful, a victim must first visit a specially crafted web site. Other WebKit-related bugs include the disclosure of memory contents, escapes from the browser’s sandbox, history session handling problems, and an HTTP header injection issue.

Non-security related changes include the addition of a single “Smart Search Field” used for both searching and inputting site addresses, a new Password pane for managing saved site logins, and an Offline Reading List, which allows users to save web pages to a Reading List for when an internet connection isn’t available. Support for the “Do Not Track” (DNT) header has also been added; DNT is a developing standard for telling web sites that the browser user wishes to opt-out of online behavioural tracking.

A full list of security fixes can be found in Apple’s security advisory. Users running Mac OS X 10.7.4 can upgrade to Safari 6 using the built-in Software Update function. All users are advised to upgrade as soon as possible.

Safari 6 is included by default with Apple’s OS X 10.8 Mountain Lion operating system, which arrived earlier today as a paid update from the Mac App Store. At the time of writing, the Apple security updates and Support Downloads pages do not yet list Safari 6. Additionally, it’s worth noting that a Windows version of Safari 6 is not available and that all references to Safari for Windows have been removed from Apple’s main Safari page. As it uses the same engine, the current 5.1.7 release of Safari for Windows is vulnerable to many of the same security problems.

Xamarin raises $12M for cross-platform mobile apps

Xamarin has raised $12 million in its first outside investment into its C# based mobile apps platform for iOS and Android. The company was founded by Miguel de Icaza and Nat Friedman in the wake of the acquisition of Novell by Attachmate and the subsequent reorganisation. Xamarin then took over support for SUSE Mono customers and the MonoTouch and Mono for Android products. Xamarin now focuses on the latter products, providing C# runtimes for iOS and Android, and offers tools such as Xamarin Designer for Android to produce mobile applications faster.

The funding has been provided by Charles River Ventures, Ignition Partners and Floodgate, and the company plans to use this to fund the expansion of its range of developer tools and to build a sales and marketing team. “This funding will enable us to scale our success and better deliver on our mission, bringing millions more developers to mobile”, said Friedman as CEO of Xamarin.

The company builds its products around the open source implementation of C# and the .NET runtime, Mono, which it also supports and helps maintain. Xamarin now claims around 150,000 developers and 7,500 paying customers for its products, including rdio and National Instruments. Although both the iOS and Android versions use C# as their underlying language and generate native executable code for each platform, the runtimes expose the native platform’s APIs rather than a generic API to allow developers to exploit the full capabilities of the devices it runs on. Pricing for the company’s products runs from $400 for a “professional user” to $2,500 for an “enterprise developer” with priority support.

Fedora 18 to support UEFI Secure Boot

With two votes against, Fedora’s nine-person Engineering Steering Committee has approved a proposal outlining how Fedora 18 (scheduled for release in November) will support UEFI Secure Boot.

The plan, put forward by Red Hat employees Matthew Garrett and Peter Jones, provides for implementation in accordance with a suggestion from Garrett that was aired for discussion several weeks ago. The minimal shim bootloader will be signed using Microsoft’s signing service; this will allow Fedora to be booted on systems without having to deactivate Secure Boot. The shim loader will then load the system’s actual boot loader. Because they are designed to work with Windows 8, most UEFI PCs will include the appropriate public key for verifying this signature. Alternatively, users can sign the shim loader with their own keys and save the public key to the UEFI firmware as a trusted key, making UEFI trust the signed main boot loader.

If the shim software is loaded on a system on which Secure Boot is activated, it will use a key generated by Fedora to check that the GRUB 2 boot loader is unmodified and correctly signed before executing it. GRUB in turn checks the Linux kernel signature, which in turn checks the signatures of all kernel modules before loading them. By default, Fedora uses its own key pair to sign and check signatures. Users who save their own keys to the UEFI firmware will be able to use these to validate GRUB, the Linux kernel and kernel modules.

Where a system is booted in this way, some restrictions will be imposed on GRUB, similar to the case where a supervisor password is used in current BIOSes. The kernel will not allow some arguments to be passed during booting and will not allow DMA access to userland software. X Server graphics drivers will therefore only be able to use hardware acceleration if they utilise kernel drivers which support kernel-based mode setting (KMS). Proprietary graphics drivers from AMD and NVIDIA will therefore no longer work when booting with Secure Boot. But since Fedora does not include either of these drivers and they do not carry the Fedora signature, the kernel would not load the relevant kernel modules anyway.

At its IRC meeting held yesterday, Fedora’s Engineering Steering Committee approved 15 further proposals for implementing new features in Fedora 18. The distribution is to move to the second generation of Liberation fonts and to activate automatic hinting in the Freetype font library, which is used by many different applications. Zeroconf implementation Avahi, which uses mDNS/DNS-SD to detect network printers automatically, will be activated by default on desktop installations. The development team also wants to use the improved seccomp infrastructure in Linux kernel 3.5 (released on Sunday) to improve isolation of virtual machines.

The Fedora development team has so far approved more than fifty major new features for Fedora 18. The deadline for submitting new features expires today. Feature freeze is scheduled for 7 August, with the first alpha release due at the end of that month.

11 million passwords leaked from online gaming platform

A file with 11 million password hashes belonging to users of the online games platform Gamigo has been circulated on the internet. According to an analysis by ZDNet, 8.2 million different email addresses are also part of the 478MB file. Around 3 million of these belong to users from the US, 2.4 million are German addresses and 1.3 million are supposed to originate in France. The list also includes corporate email addresses from companies such as IBM, Siemens, Deutsche Bank and the German insurance company Allianz.

The file appeared in the same forum which had previously circulated millions of password hashes from LinkedIn, Last.fm, eHarmony and other web sites. One user of the forum has claimed to have cracked 94 per cent of the MD5 hashes in a trivial amount of time. The fact that it was possible to crack the hashes this quickly would suggest that they were not salted. A hacker who goes by the pseudonym 8in4ry_Munch3r is believed to be behind the attack.

Gamigo, which is a subsidiary of the German Axel Springer publishing group, has confirmed to The H’s associates at heise Security that the data contained in the file is authentic. The company has stated that it noticed a “security-related incident” in March 2012 in which an older version of a database was copied off its servers. Gamigo says it immediately contacted the affected members and reset the passwords to their accounts. The company also says it took the affected database offline and initiated “a comprehensive security audit”. Now that the data has been leaked, the company wants to look at the incident again.

Users who are registered with Gamigo and have used the same password at other web sites should immediately change their logins. Generally, using the same password with several online services is a bad idea as a break-in at one web site means that many of the user’s accounts are suddenly at risk.
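The salting point in the Gamigo report, as an added example that is not part of the original article: it stores the same constructed accounts once as unsalted MD5 and once as salted PBKDF2 records, then runs an audit check that counts stored values shared by more than one account. All names, the sample accounts and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from any real dump); two users share a password.
SAMPLE_USERS = [
    ("alice@example.com", "dragon2012"),
    ("bob@example.com", "dragon2012"),
    ("carol@example.com", "S7!vq-long-unique-phrase"),
]
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_md5(password: str) -> str:
    """Weak scheme: one fast hash, no salt, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: algorithm$iterations$salt$derived_key."""
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_hash_groups(stored: list[str]) -> int:
    """Audit check: number of stored values that occur for more than one account."""
    return sum(1 for n in Counter(stored).values() if n > 1)


def audit() -> tuple[int, int]:
    """Return (shared groups under unsalted MD5, shared groups under salted PBKDF2)."""
    weak = [unsalted_md5(pw) for _, pw in SAMPLE_USERS]
    strong = [hash_password(pw) for _, pw in SAMPLE_USERS]
    return shared_hash_groups(weak), shared_hash_groups(strong)


if __name__ == "__main__":
    print(audit())
```

A non-zero first value is the signal to look for when reviewing a credential store: identical stored values across accounts mean a single guess resolves every account in that group.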

