Mate 1.1 Arrives

The Mate desktop team has announced the arrival of the Mate 1.1 desktop. Mate, which is largely supported by the Mint project, has gained a significant share of the Linux desktop market since it first appeared in 2011. Mate is a fork of the Gnome 2 desktop and was launched when the Gnome team abandoned Gnome 2 development to focus on Gnome 3. The move was controversial at the time, with many users expressing a preference for Gnome 2, but the Gnome team chose not to divide their efforts, which led to an opening for a new project that would provide a continuation of the Gnome 2 code.

The big news for the latest version 1.1 is that Mate now supports both the GTK2 and GTK3 development environments, so users can have the best of both Gnome 2 and Gnome 3. (The developers emphasize that GTK3 support is still experimental.)

Mate originally rocketed to public attention through its association with the popular Mint project, but since then, several other leading Linux distros have included Mate in their package repositories. Mate 1.1 has been in development for 15 months. For more information on the new release, see the announcement at the Mate project website.

RIP SSLv3

The venerable "secure" network protocol Secure Sockets Layer (SSL) v3 has met its end. SSL has co-existed on the Internet alongside its presumed successor TLS for many years, even though experts have long warned of its shortcomings. A recent rash of high-profile incidents, however, including the famous POODLE exploit, have finally caused the Internet Engineering Task Force (IETF) to take action. Request for Comment (RFC) 7568 "Deprecating Secure Sockets Layer Version 3.0" officially states the requirement that SSLv3 should not be supported.

The RFC is unusually blunt, with its all-cap stipulation that "SSLv3 MUST NOT be used." Although most systems today support the safer TLS, many provide fallback support for SSLv3 if an SSL connection is requested. Attackers have perfected the technique of requesting an SSL connection then use one of the many exploits associated with SSL. RFC 7568 states that "Any party receiving a Hello message with the version set to {3,00} MUST respond with a 'protocol_version' alert message and close the connection."

Many OS and application vendors have already turned off support for SSLv3 through patches and security updates.

NoScript Flaw

Security researchers have discovered a major flaw with Mozilla's popular NoScript security add-on. NoScript is supposed to create an environment where JavaScript, Java, and other executable content can only run in scripts that come from a trusted domain.

According to Detectify researcher Linus Särud, NoScript whitelists the entire googleapis.com domain and any subdomain, which means an attacker could create a nefarious script that uses Google services APIs to bypass NoScript. The discovery follows an earlier project by Matthew Bryant, who successfully launched an attack that bypassed whitelist protections.

It isn't clear whether attackers are already using this technique. The discovery challenges the prestige of the Mozilla NoScript plugin, which bills itself as "The best security you can get in a web browser!" According to a report in The Register, the NoScript team immediately responded by adapting the tool to whitelist only Google's hosted libraries at ajax.googleapis.com, which should reduce the threat, although it might require more intervention from the user to get any necessary legitimate sites whitelisted.

Users are encouraged to install updates. Bryant adds, "Please purge your whitelist. Remove everything you don't trust."