On 1/24/06, John Summerfield <debian@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Dotan Cohen wrote:
> > I know that News.com is one of those Microsoft cronies, but I quote:
> > "A serious vulnerability has been found in the popular KDE open-source
> > software bundle. The flaw, deemed "critical" by the research outfit
> > the French Security Incident Response Team, could allow a remote
> > attacker to gain control over vulnerable systems."
> >
> > From here:
> > http://news.com.com/KDE+flaws+put+Linux,+Unix+systems+at+risk/2110-1002_3-6029297.html
> >
> > I'm not subscribed to fedora security lists, I'll go sign up now, but
>
> That's probably more important than this one :-)
>
> > I'd like a little info from you guys, as I trust you (certain names
> > like Dalloz, Rahul and others come to mind). Thanks.
>
> Now the dust has settled a little, I'll make some points:
> 1. On Linux one normally has a choice of browsers, and a lot of Linux
> people don't use Konqueror.
> 2. The attacker has to get you to visit their site. Typically, this
> would be from a phishing attack or an offer of software that does more
> than the docs say (think trojan) or similar mass coercion.
>
> I'd guess that "remove me," "buy now" links and links to external images
> would provide the vectors. Email clients I've seen on Linux default to
> not downloading external images.
>
> 3. A successful attack means, at worst, a stranger gets to run malicious
> code with your privileges. Unless you do stuff as root, their chances of
> taking over your machine aren't great (provided you're reasonably
> current with your patches). Potentially, they could get some financial
> details including passwords, and email address. They are more likely to
> want to use it for
> 3a Port scanning others
> 3b Sending bulk commercial email
> 3c Controlling others doing 3a or 3b.
>
> Now, how would you set about getting control of lots of boxes?
> Port scanning is easy, and you don't have to find Linux users - your
> port scanner just enumerates open ports and then you mount attacks based
> on what you see. Or, you have a bunch of attacks and you just try them
> all (the victim will be less likely to notice a port scan).
>
> Phishing and similar will get a fairly low response rate: if you agree
> Linux users comprise about 5% of the universal set (probably generous),
> KDE about half of those, and maybe half of those don't use Konqueror
> because they don't like it....
>
> It's not impossible, of course, and it may well be that a website
> targeting Konqueror exists, but if I had one, it would be detecting the
> browser and returning content particular to that browser, and that means
> Internet Exploder users would be much more at risk.
>
> You can argue with my numbers (easily, they're mostly guesses), but I
> don't think they're too wildly wrong, but the point that matters most is
> that Linux users aren't a prime or easy target, and the fact these
> critical problems exist does not mean that anyone actually targets them.
>
> Which isn't to say they shouldn't be fixed ASAP, and Linux vendors are
> pretty good there.
>
> Cheers
> John
>

Are you kidding? This was fixed two days before I heard about it. WMF was
fixed a week after I heard about it.

http://technology-sleuth.com/technical_answer/why_are_internet_greeting_cards_dangerous.html