The H Week - TPM and Chip and PIN cracked
Some significant 'cracks' this week: an American researcher has extracted TPM keys by opening chips and tapping into the internal buses, and a University of Cambridge team has been able to fool a Chip and PIN system into accepting any 4 numbers as a valid PIN. OpenOffice promises more stable and swift operation with version 3.2 but, while well established in Germany, it has yet to win a similar following elsewhere. Mozilla was mildly embarrassed by its warnings of poisoned add-ons, and a basic security bug was found in GNOME.
Features
The H published two features this week and another issue in the Kernel Log series covering what's coming in Linux 2.6.33. The feature 'Android versus Linux' examined the issues which can occur if a developer starts maintaining their own development tree for the Linux kernel, while in our second feature we took a look at the latest KDE desktop.
Open Source
On a nation-by-nation basis, adoption of the free office suite OpenOffice is particularly uneven, with the biggest uptake being in Germany, according to Webmasterpro. The release of the new, faster, more stable version 3.2 may help balance this out. Oracle backtracked over closing Kenai, blaming poor communication, and said Kenai will live on in java.net. SourceForge backed down on blanket blocking access from countries affected by US export regulations. Matt Asay moved from Alfresco to become Canonical's new COO, and Facebook added support for the open XMPP standard to Facebook Chat.
- OpenOffice adoption: Germany leads while UK and US lag
- OpenOffice 3.2: more stability, more speed
- Confusion over Sun's Kenai hosting platform
- SourceForge turns off "blanket blocking"
- Matt Asay becomes Canonical COO
- Facebook Chat moves to XMPP/Jabber standard
Open Source Releases
- Pre-release version of Red Hat Enterprise Linux 5.5
- GNOME 2.30 Beta released
- Pinta: Paint.NET clone for Linux and Mac OS X
- eXo releases open source CMIS implementation
- Apache Ant updated to 1.8
Security
The H week closed with the news that security researchers had discovered a means of completing a 'Chip and PIN' transaction using any four digits as a valid PIN. Earlier in the week came news of an American researcher who had broken the security of TPM chips by slicing them open and connecting to their internal data buses. Oracle released an unscheduled patch for a critical vulnerability in the WebLogic Server Node Manager. Mozilla warned its users of two add-ons it thought contained malware and then had to admit it was wrong about one of them. A bug has been found in the GNOME desktop which, on many systems, means that desktop locking can be easily bypassed.
- Hacker extracts crypto key from TPM chip
- Unscheduled patch from Oracle
- Infected add-ons found on Mozilla download site
- Mozilla admits to add-on malware false alarm
- GNOME screen lock ineffective in openSUSE Linux
- PIN check in EMV protocol for EC and credit cards bypassed
Security Alerts
- Vulnerability in Samba provides access to files
- Critical vulnerability in Novell's NetStorage
- Further holes despite Microsoft's huge patch series
- Adobe apologises for unpatched Flash vulnerability
- Adobe fixes critical vulnerability in Flash
- Cisco closes critical holes in IronPort Appliances
(trk)