Fedora 18 security questions.

Fri Mar 22 02:52:22 UTC 2013

Roger writes:

> « HTML content follows »
>
> On 03/22/2013 11:36 AM, Reindl Harald wrote:
>> Am 22.03.2013 00:56, schrieb Sam Varshavchik:
>>>  
>>> Even let's hypothetically say there's an exploit in Firefox that can be us 
>>> ed to inject executable code, through a
>>>  
>>> malicious web page, once running the code will have no way to overwrite Fi 
>>> refox's binary executable, and implant
>>>  
>>> itself in Firefox, or any other operating system executable. As soon as yo 
>>> u log out or reboot, it's gone. The scope
>>>  
>>> of the damage is limited to wiping files in your home directory, and that' 
>>> s about it
>>
>> this as a very naive point of view
>> you do not need to change system-binaries
>>
>> it is enough to place you executeable in the userhome, start
>> it with the desktop and let connect it to a remote-server to
>> have a shell and break any privacy of the user
>>
>> how many users would recognize such intrusion?
>>
>>
> OK! so how does one recognise such an intrusion? What should one look for?

Well, for starters, if you see some mysterious executable file on your  
desktop, the last thing you will want to do is execute it. That's it.

Now, I suppose that this attack might work if the malware fscks around with  
your $HOME/.profile, and uses it to launch itself when you log in. But  
before anyone starts hiding under their bed, and cowering in fear: if this  
mode of attack even begins to gain any traction, the first time someone sees  
some malware doing crap like that, two things will probably happen:

1) Within 2-3 days the hole in Firefox will get patched, and pushed out.

2) The next release of every Linux distro will simply make the necessary  
arrangements to run Firefox under a separate UID that has no write  
privileges to your login account's home directory (and provide some  
meaningful way to have downloaded files go into the dedicated UID's own home  
directory, with read privileges that let you copy over any legitimately- 
downloaded files to your own desktop, securely.

It's simply not worth anyone's hassle to jump through their arseholes, in  
order to set up a walled-off Firefox that runs like this right now, because,  
frankly, this is not a problem as of now. But as soon as – if ever –  
Firefox on Linux gains enough mind share to present itself a target for  
malware, and acquires a hole-ridden security rap sheet, with malware  
beginning to take advantage of that, and target Linux, then this is simply  
what's going to happen, and everyone will go back to sleep, again.

I started giving my wife, who knows zilch about computers, a series of Linux- 
runnning laptops almost ten years ago. She does whatever the hell she wants  
with it. Flash, browse whatever sites she wants (that reminds me, what I  
said re Firefox, above, applies equally well to Flash running inside  
Firefox), and her progression of laptops is yet to catch any malware.

So, calm down, and keep your shorts on.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20130321/f5d9d648/attachment.sig>