Dotan Cohen wrote:
I know that News.com is one of those Microsoft cronies, but I quote:
"A serious vulnerability has been found in the popular KDE open-source
software bundle. The flaw, deemed "critical" by the research outfit
the French Security Incident Response Team, could allow a remote
attacker to gain control over vulnerable systems."
From here:
http://news.com.com/KDE+flaws+put+Linux,+Unix+systems+at+risk/2110-1002_3-6029297.html
I'm not subscribed to fedora security lists, I'll go sign up now, but
That's probably more imortant than this one:-)
I'd like a little info from you guys, as I trust you (certain names
like Dalloz, Rahul and others come to mind). Thanks.
Now the dust has settled a little, I'll make some points:
1. On Linux one normally has a choice of browsers, and a lot of Linux
people don't use Konqueror.
2. The attacker has to get you to visit their site. Typically, this
would be from a phishing attack or an offer of software that does more
than the docs say (think trojan) or similar mass coercion.
I'd guess that "remove me," "buy now" links and links to external images
would provide the vectors. Rmail clients I've seen on Linux default to
no downloading external images.
3. A successful attack means, at worst, a stranger gets to run malicious
code with your privileges. Unless you do stuff as root, their chances of
taking over your machine aren't great (provided you're reasomably
current with your patches). Potentially, they could get some financial
details including passwords, and email address. They are more likely to
want to use it for
3a Port scanning others
3b Sending bulk commercial email
3c Controlling others doing 3a or 3b.
Now, how would you set about getting control of lots of boxes?
Port scanning is easy, and you don't have to find Linux users - your
port scanner just enumerates open ports and then you mount attacks based
on what you see. Or, you have a bunch of attacks and you just try them
all (the victim will be less likely to notice a port scan).
Phishing and similar will get a fairly low response rate: if you agree
Linux users comprise about 5% of the universal set (probably generous),
KDE about half of those, and maybe half of those don't use Konqueror
because they don't like it....
It's not impossible, of course, and it may well be that a website
targetting Konqueror exists, but if I had one, it would be detecting the
browser and returning content particular to that browser, and that means
Internet Exploder users would be much more at risk.
You can argue with my numbers (easily, they're mostly guesses), but I
don't think they're too wildly wrong, but the point that matters most is
that Linux users aren't a prime or easy target, and the fact these
critical problems exist does not mean that anyone actually targets them.
Which isn't to say they shouldn't be fixed ASAP, and Linux vendors are
pretty good there.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list
