Linux targeted by fake security e-mail

Linux suppliers have been hit by two fresh security bugs, affecting a widely used graphics decoder and the Gaim instant-messaging...

Linux suppliers have been hit by two fresh security bugs, affecting a widely used graphics decoder and the Gaim instant-messaging client.

Red Hat, the biggest Linux developer, said attackers have begun targeting Red Hat users with an e-mail-based scam similar to methods commonly used to target Windows.

The flaws in Gaim and libtiff, used by many Linux graphics programs to decode tiff images, follow a series of serious bugs patched last week. The earlier flaws affected Linux's libpng, Xpdf and Cups components.

Researcher Chris Evans uncovered a series of boundary errors affecting the RLE-decoding components of libtiff, which could be exploited to cause heap-based buffer overflows.

A malicious user could exploit these flaws by tricking a user into viewing a maliciously crafted tiff image with an application that uses libtiff, researchers said; such an image could crash the application and execute malicious code on the user's computer.

Evans said the specific flaws he publicised are likely to be only the tip of the iceberg.

"Unfortunately, due to the size of libtiff, only a limited scan for flaws was possible. These flaws are likely to typify others present," he said.

A second flaw in libtiff, a division-by-zero bug discovered by Matthias Claasen, could crash libtiff-linked applications.

Finally, auditing by Dmitry Levin uncovered integer overflows which could also be used to execute arbitrary code on a user's PC, according to an advisory from Danish security firm Secunia.

Novell's SuSE Linux and Red Hat issued advisories on the libtiff flaw late last week, along with patches for the component.

The bug in Gaim, also publicised last week, can be exploited by sending a specially crafted message using the MSN SLP protocol. A boundary error within the handling of such messages can be exploited to cause a buffer overflow, crash the application and execute arbitrary code, Secunia said.

MandrakeSoft said bugs affecting version 0.75 of Gaim, which ships with Mandrake Linux 10.0, included the way the application handles smiley themes and very long URLs. Both bugs could allow malicious code execution.

MandrakeSoft, Gentoo, Red Hat, Slackware and others are issuing patches for Gaim.

The Gaim client is widely used on Linux systems to simulate third-party instant messaging clients such as those from Yahoo, America Online and Microsoft.

Red Hat said that users have been targeted by an authentic-looking security notification message which attempts to trick users into downloading and executing malicious code.

"These e-mails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code," Red Hat said.

The company urged users to ensure that any security updates appearing to come from Red Hat are safe by validating the messages' digital signature.

The message was made more authentic-looking by the use of a seemingly official website, - which was unavailable. Before the site disappeared, it contained a message urging users to apply a "critical-critical" update.

"Red Hat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges," the site said.

"The Red Hat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update."

Windows users are frequently bombarded by authentic-seeming malicious messages appearing to come from Microsoft, but the technique is a novelty for Linux. Until recently, Linux was rarely used as a desktop platform, but has now gained some ground and, by some counts, is more widely used on the desktop than the Mac OS.

Matthew Broersma writes for

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.