The H Week – Nokia and MeeGo, Debian 6 and USB worms

In the past week, The H reported on the release of Debian 6.0, on the now uncertain future of MeeGo and on the development of IcedRobot which aims to free Android apps from the Dalvik virtual machine. Security expert Jon Larimer showed that Linux too can be attacked by USB worms, Google opened the Android Market on the internet, opening another possible attack vector for remote installation of malware. Fraunhofer researchers showed it was still possible to read passwords from an iPhone that had been locked with a passcode.

Featured

As a de-facto reference or base distribution, a new Debian release is always worth a look and this week Mirko Dölle did just that in his article on the newly released Debian 6.0 Squeeze. In the latest issue of the Kernel Log, Thorsten Leemhuis reported on developments in RAID support, graphics and audio drivers in the Linux kernel. Daniel Bachfeld examined online tools for checking for virus infection in files on the internet which avoid downloading the suspect file to your system.

• First look: Debian 6.0 Squeeze
• Kernel Log: updated Radeon drivers, mdadm and ALSA
• Useful tools for online virus checkers

Open Source

The battle for a share of the mobile market intensifies and we are starting to see casualties. This week, although the MeeGo roadmap was updated, it seems the longer-term survival of MeeGo is unsure, with some MeeGo related projects apparently being put on hold. Even Nokia has now announced it will move its phones to Windows Phone 7 and MeeGo is now earmarked for "longer-term exploration" on next generation devices.

• MeeGo roadmap updated
• MeeGo: stalling or stopping?
• "Longer-term market exploration" for MeeGo at Nokia

Coinciding with the release of Debian 6.0, Debian also announced it was time to change its signing key, which it does every three years. Canonical announced the release of a database of certified components for Ubuntu and Linux, and the Ubuntu developers said there would be no release candidate before the release of 11.04, aka Natty Narwhal, on April 28th.

• Debian 6 "Squeeze" is finished
• New signing key at Debian
• Canonical announces component catalogue for Ubuntu & Linux
• No release candidate for Ubuntu 11.04 Natty Narwhal

INSIDE Secure said it would shortly release its Open NFC stack for Android, claiming that its hardware abstraction layer makes it easier to re-configure for different NFC hardware compared to the native Android NFC stack. The IcedRobot project announced a replacement for Dalvik and Apache Harmony which will allow Android apps to run on OpenJDK and on desktops. Swiss software vendor Myriad announced the launch of Alien Dalvik, a version of the Android virtual machine for other platforms.

• INSIDE Secure to release Open NFC stack for Android
• IcedRobot to run Android apps on OpenJDK
• Alien Dalvik – Android apps playing away from home

Rackspace, co-founders of the OpenStack project with NASA, which is building an open operating system for cloud computing, has announced it will acquire Anso labs, the developers of NASA's own cloud platform. NoSQL specialists CouchOne and Membase are to merge and become Couchbase.

• Rackspace to acquire Anso Labs
• CouchOne and Membase merge as Couchbase

The Firefox developers have updated their browser roadmap and plan to release versions 4 through 7 of the browser this year. Nuxeo, the French provider of ECM (Enterprise Content Management) systems, announced that it is handing its Nuxeo Core content repository technology over to the Eclipse Foundation, and the TIOBE Index showed that although Java and C remain the most popular programming languages both Python and C# are gaining in popularity.

• Four more major Firefox releases in 2011
• Eclipse gets a CMIS-enabled content repository
• TIOBE Index: Python more popular than PHP

Open Source Releases

• OpenSSH 5.8 addresses legacy certificate signing vulnerability
• Transmission 2.20 BitTorrent client brings improved IPv6-only tracker support
• Google releases Chrome 9 security update
• WordPress 3.0.5 addresses security vulnerabilities
• VMware releases Zimbra 7
• Google open sources Contracts for Java
• jBPM 5 supports BPMN 2.0
• Songbird 1.9 improves performance for large libraries
• Ruby on Rails updates fix security holes
• Second stable branch of Node.js arrives
• Feature release Android 2.3.3 adds NFC
• Version 3 of the GTK+ used by GNOME and GIMP has been released
• Third PC-BSD 8.2 release candidate issued
• Wine 1.3.13 adds tools for creating MSI installers
• Ninja, a replacement for make, in Chrome's build system
• Firefox 4 Beta 11 adds "Do Not Track" capabilities

Security

At the ShmooCon hacker conference this week, security expert Jon Larimer showed that Linux too can be attacked by USB worms. Google's opening of the Android Market on the internet was shown to introduce a possibility of remote installation of malware. Facebook dealt with incompatibilities between its recently introduced encryption and certain third party applications by offering the user a choice to switch to unprotected http, but without telling the user it was permanently turning https off. Fraunhofer researchers Jens Heider and Matthias Boll showed it was still possible to read passwords from an iPhone that had been locked with a passcode. Mac security experts Dino Dai Zovi and Charlie Miller demonstrated a further zero day exploit for the 64-bit version of Safari 5.

• Linux vulnerable to USB worms
• Android Market poses remote installation risk
• Facebook's crude https workaround
• Lost iPhone = lost passwords
• Security vulnerability demonstrated in Safari

Microsoft announced the RTM of SP1 for Windows 7 and Server 2008. General distribution of SP1 starts on 22 February. Microsoft also released a patch via Windows Update that modifies the AutoPlay dialogue, for USB flash drives and other mobile storage media, to help reduce the spread of malware that propagates through AutoRun. IE9 RC, released this week, now includes Tracking Protection controls.

• Service Pack 1 for Windows 7 and Server 2008 is ready
• This is the (partial) end of Windows AutoRun
• Microsoft releases IE9 RC with Tracking Protection

Less than two weeks after OpenSSH 5.7 arrived, version 5.8 / 5.8p1 of the open source SSH (Secure Shell) implementation was released to address a legacy certificate signing vulnerability. WordPress released version 3.0.5 to address several security vulnerabilities in the open source blogging and publishing platform that could lead to, for example, privilege escalation. Adobe patched various vulnerabilities with the release of Flash Player 10.2 and updates for Reader X and 9.4.1, Acrobat X, ColdFusion and the Shockwave player, to patch a multitude of holes. Google released an update to Chrome 9 to patch several high risk vulnerabilities and the phpMyAdmin developers released version 3.3.9.1 and 2.11.11.2 of their database administration tool to fix a path disclosure vulnerability.

• OpenSSH 5.8 addresses legacy certificate signing vulnerability
• WordPress 3.0.5 addresses security vulnerabilities
• Adobe releases Flash Player 10.2, patches vulnerabilities
• Google releases Chrome 9 security update
• phpMyAdmin updates close security vulnerability

Security Alerts

• ZDI names and shames security vulnerabilities from Microsoft, IBM, HP and Novell
• Over two years and no fix for Java
• Microsoft closes critical holes in Windows, IE and IIS
• Oracle warns of Java vulnerability
• Plone CMS patch close security vulnerability
• Ruby on Rails updates fix security holes

For all of last week's news see The H's last seven days of news and to keep up with The H, subscribe to the RSS feed, or follow honlinenews on Twitter. You can follow The H's own tweeting on Twitter as honline.

(crve)