Dyreza Malware is Back

The Proofpoint security firm reports that attackers have shifted the focus of the powerful Dyreza malware tool to operate outside of the banking sector. Dyreza gained fame as a man-in-the-middle banking trojan used to steal passwords for online banking accounts. Proofpoint reports that Dyreza is increasing attacking fulfillment services for online shopping sites.

According to a report in the Register, Dyreza uses "Word macros to compromise phished users in what is an old attack vector that has gained latent popularity."

Kernel Developer Matthew Garrett Forks the Linux Kernel

Prominent Linux kernel developer Matthew Garrett announced he is forking the Linux kernel. Garrett, who was instrumental in exposing the problems with Linux compatibility in UEFI secure boot a few years ago, says he is frustrated with the disrespect and argumentative tone of the Linux development community.

In his personal blog, Garrett writes, "I remember having to deal with interminable arguments over the naming of an interface because Linus has an undying hatred of BSD securelevel, or having my name forever associated with the deepthroating of Microsoft because Linus couldn't be bothered asking questions about the reasoning behind a design before trashing it."

Kernel leader Linus Torvalds has come under fire in the past for using harsh language and negative criticism. Another noted kernel developer, Sarah Sharp, who was the Linux kernel coordinator for the FOSS Outreach Program for Women and maintainer of the USB 3.0 host controller driver, also dropped out of the kernel community recently for similar reasons. In her own blog post, Sharp does not single out Linus specifically but takes on the whole kernel culture. "I could not work with people who helpfully encouraged newcomers to send patches, and then argued that maintainers should be allowed to spew whatever vile words they needed to in order to maintain radical emotional honesty. I did not want to work professionally with people who were allowed to get away with subtle sexist or homophobic jokes … ."

Time will tell if these recent defections will cause a change in kernel community attitudes. Both Sharp and Garrett seem to doubt that reform will come anytime soon. The presence of an alternative kernel development tree maintained by a programmer of Garrett's stature and experience certainly adds a new dimension to the drama. Forks happen from time to time in the open source community, which is both the curse and the magic of Free Software. The question is, does Garrett really want to start an alternative development effort, or does he just want to implement his own changes without the tension and theater of the Linux kernel development war zone.

Bugzilla Bug

The Bugzilla bug database system has a flaw that could allow an attacker to access the database and read about potential exploits before the patch is released to the public. The problem affects Bugzilla implementations that use email-based permissions. Login names longer than 127 characters are "silently truncated in MySQL," which could allow an attacker to assign permissions to an email address that is different from the address originally requested.

The fix for this bug is included in the Bugzilla 4.2.15, 4.4.10, and 5.0.1 releases. All Bugzilla users are encouraged to upgrade.