The K Desktop Environment (KDE) Project has released a new version of its widely used Unix and Linux desktop software, fixing several security flaws, and adding new accessibility and information-management features.
Also this week, IBM announced a support deal with Novell intended to speed up development of applications for Novell's Suse Linux platform.
KDE 3.4 fixes several security bugs, including a phishing flaw with the Konqueror browser, the KDE Project said. Konqueror, KDE's built-in Web browser, has supported a technology called International Domain Names (IDN) since version 3.2, but this technology leaves Konqueror open to a phishing technique known as a homograph attack, KDE said.
A homograph attack uses certain international characters that have a strong resemblance to other characters - called homographs - to create malicious web addresses that appear identical to trusted addresses.
"This makes it possible for a website to use a domain name that is technically different from another well known domain name, but has no or very little visual differences," KDE said in an advisory. "This lack of visual difference can be abused by attackers to trick users into visiting malicious websites that resemble a well known and trusted website in order to obtain personal information such as credit card details."
To fix the problem, the version of Konqueror included in KDE 3.4 uses a whitelist of domains for which IDN is safe to use because the registrar for the domains has implemented anti-homographic character or other anti-spoofing policies, KDE said.
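As an added illustration (not code from KDE or Konqueror), the following Python sketch reproduces the display policy just described with a constructed allowlist of TLDs: a hostname is shown in Unicode only when it is pure ASCII or its TLD is allowlisted, and otherwise in its Punycode form so look-alike characters become visible. It goes one step beyond the page's whitelist by also flagging a single label that mixes scripts, the pattern a Cyrillic letter inside a Latin name produces.

```python
from typing import Tuple
import unicodedata

# Constructed allowlist for this example; Konqueror's actual list is not
# reproduced here. These are TLDs whose registries are assumed to enforce
# anti-homograph character policies.
IDN_SAFE_TLDS = {"de", "jp", "kr"}


def scripts_in_label(label: str) -> set:
    """Return the set of scripts used by the letters of one DNS label.

    The script is taken from the first word of the Unicode character name
    (e.g. 'LATIN', 'CYRILLIC', 'GREEK'); digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN")
            scripts.add(name.split(" ", 1)[0])
    return scripts


def display_hostname(hostname: str) -> Tuple[str, str]:
    """Decide how a hostname should be shown in the address bar.

    Returns (text to display, reason) where reason is one of
    'ascii', 'allowlisted', 'mixed-script' or 'tld-not-allowlisted'.
    """
    host = unicodedata.normalize("NFC", hostname).rstrip(".").lower()
    if host.isascii():
        return host, "ascii"
    # ASCII-compatible (Punycode) form via the standard library's idna codec.
    punycode = host.encode("idna").decode("ascii")
    labels = host.split(".")
    # Extra check beyond the page's whitelist: a label mixing scripts is the
    # classic homograph shape, so it is always shown as Punycode.
    if any(len(scripts_in_label(label)) > 1 for label in labels):
        return punycode, "mixed-script"
    if labels[-1] in IDN_SAFE_TLDS:
        return host, "allowlisted"
    return punycode, "tld-not-allowlisted"


if __name__ == "__main__":
    # Constructed inputs: a plain ASCII name, a German IDN, and a Latin name
    # with a Cyrillic 'a' (U+0430) substituted for the Latin one.
    for name in ("example.com", "bücher.de", "bücher.com", "ex\u0430mple.com"):
        print(name, "->", display_hostname(name))
```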
Another flaw is found in the dcopidlng script, and can allow malicious users to escalate their system privileges. A third, less serious bug, found in the authentication process in the DCOP (Desktop Communication Protocol) daemon dcopserver, could be exploited locally to lock some system processes for other local users.
In addition to these problems, Danish security firm Secunia has identified a spoofing flaw in Konqueror that hasn't yet been patched. Because long sub-domains and paths aren't displayed correctly, a malicious user could spoof the source displayed in the Download dialogue box, Secunia said. The only workaround is not to follow untrusted links, Secunia said.
Besides bug-fixes, KDE includes enhancements to its Text-to-speech framework, allowing partially-sighted and speech-impaired people to interact with many applications via voice. New high-contrast themes are also designed to aid the partially-sighted. KDE's personal information management suite, Kontact, and the Kopete instant-messenger client have usability improvements, KDE said. A complete list of new features is available from KDE.
Linux application support
The deal between Novell and IBM, announced this week, gives independent software vendors (ISVs) access to technical resources and expertise from nine of IBM's Innovation Centres in North America, Europe and Asia. The plan is designed to make it easier for ISVs to certify their applications for Suse Linux on IBM hardware and software, stimulating the Linux ISV market, the companies said. IBM created a similar programme for Red Hat last year.
Novell will provide ISVs with Suse's enterprise Linux and documentation, and has created an online registration process. The IBM centres taking part are in the USA, the UK, France, Germany, India, China and Australia.