Security Briefs

Patent Issue for Liberty Alliance; New Windows Vulnerability Found; PDFs Threaten Unix, Linux; CipherShare Product Secures Windows Assets

AOLTW Could Enforce Patents For Liberty Alliance Specification
According to a report last week from IDG News Service, AOL Time Warner has claimed rights to certain technology in the Liberty Alliance 1.0 specification for building single sign-on identity systems. Although AOL has pledged to provide users free access to its contributions to the Liberty spec’s first release, the company has not yet decided how it will handle licensing for future versions.

While AOLTW is just one of a number of companies to contribute to the development of the Liberty spec, it is the only representative of the 120-member consortium controlling the project to claim rights to its technology under a RAND (reasonable and nondiscriminatory) license. RAND licenses require that any intellectual property owner that charges royalties for technology included in a standard must charge a fee that is reasonable, published, and not subject to individual negotiation. Should AOLTW ultimately decide to charge a fee protected under this RAND license, it would be doing so in the face of promises by the Liberty Alliance to provide users an open and royalty-free specification for single sign-on identity.

Microsoft Warns of Vulnerability in Help Function of Windows OS
Microsoft Corp. has issued a new security patch to protect against flaws in the help facility of most versions of Windows. The vulnerability, says Microsoft, could allow an attacker to take control of a user's PC. The flaw was given a "critical" severity rating by the company, which recommends users of Windows 98, Windows Me, Windows NT 4.0, Windows 2000 and Windows XP download the patch and install it immediately.

The patch is available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-055.asp.

PDFs Pose Threat to Unix and Linux
iDefense Inc., an IT security company, has released an advisory stating that PDF and PostScript viewing tools commonly distributed with Unix and Linux operating systems contain a security flaw that may enable attackers to use PDF and PostScript files to run malicious code. Specifically, the open-source viewing programs, named gv, kghostview and ggv, are packaged with popular versions of the Linux operating system, including those by Red Hat Inc. and the Debian Project, as well as common flavors of Unix such as those by Sun Microsystems Inc. The flaw in these programs allows an attacker to initiate a buffer overflow through a corrupt PDF or PostScript file, which could in turn be used to run malicious code.

The complete advisory is available at www.idefense.com/advisory/09.26.02.txt.

CipherShare Releases PKI Tool for Windows Apps
CipherShare Systems Inc. has released a PKI security device called WorkSafe, which proposes to lock down digital assets from any Microsoft Windows application so that organizations can provide common access to documents without compromising security. The solution is designed to work in conjunction with existing corporate security measures, such as firewalls and virtual private networks, to provide authentication and encryption for Windows-based assets.

More product information is available at www.kastenchase.com
[Kasten Chase is a data security company that acquired CipherShare in March 2003].

About the Author

Matt Migliore is a regular contributor to ENTmag.com. He focuses particularly on Microsoft .NET and other Web services technologies. Matt was the editor of several technology-related Web publications and electronic newsletters, including Web Services Report, ASP insights and MIDRANGE Systems.