Re: Whats with the KDE exploit? Is Fedora patched?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dotan Cohen wrote:

I know that News.com is one of those Microsoft cronies, but I quote:
"A serious vulnerability has been found in the popular KDE open-source
software bundle. The flaw, deemed "critical" by the research outfit
the French Security Incident Response Team, could allow a remote
attacker to gain control over vulnerable systems."


From here:

http://news.com.com/KDE+flaws+put+Linux,+Unix+systems+at+risk/2110-1002_3-6029297.html

I'm not subscribed to fedora security lists, I'll go sign up now, but


That's probably more imortant than this one:-)


I'd like a little info from you guys, as I trust you (certain names
like Dalloz, Rahul and others come to mind). Thanks.



Now the dust has settled a little, I'll make some points:
1. On Linux one normally has a choice of browsers, and a lot of Linux people don't use Konqueror. 2. The attacker has to get you to visit their site. Typically, this would be from a phishing attack or an offer of software that does more than the docs say (think trojan) or similar mass coercion.
I'd guess that "remove me," "buy now" links and links to external images would provide the vectors. Rmail clients I've seen on Linux default to no downloading external images.
3. A successful attack means, at worst, a stranger gets to run malicious code with your privileges. Unless you do stuff as root, their chances of taking over your machine aren't great (provided you're reasomably current with your patches). Potentially, they could get some financial details including passwords, and email address. They are more likely to want to use it for 
3a Port scanning others
3b Sending bulk commercial email
3c Controlling others doing 3a or 3b.

Now, how would you set about getting control of lots of boxes?
Port scanning is easy, and you don't have to find Linux users - your port scanner just enumerates open ports and then you mount attacks based on what you see. Or, you have a bunch of attacks and you just try them all (the victim will be less likely to notice a port scan).
Phishing and similar will get a fairly low response rate: if you agree Linux users comprise about 5% of the universal set (probably generous), KDE about half of those, and maybe half of those don't use Konqueror because they don't like it....
It's not impossible, of course, and it may well be that a website targetting Konqueror exists, but if I had one, it would be detecting the browser and returning content particular to that browser, and that means Internet Exploder users would be much more at risk.
You can argue with my numbers (easily, they're mostly guesses), but I don't think they're too wildly wrong, but the point that matters most is that Linux users aren't a prime or easy target, and the fact these critical problems exist does not mean that anyone actually targets them.
Which isn't to say they shouldn't be fixed ASAP, and Linux vendors are pretty good there. 



--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux