LinuxQuestions.org
Old 11-02-2008, 11:25 AM   #1
Odyssey1942
Member
 
Registered: Jul 2006
Posts: 287

Rep: Reputation: 30
Risk of allowing Flash in Linux?


I'm 90% moved from Windoze to Ubuntu Linux, and still have basic questions. I understand that changes of a fundamental nature require elevation to root equivalent for approval.

I also understand that the ease of use of Windoze is in part dependent on similar fundamental changes being allowed without specific approval. To mitigate against unwelcome scripts running in XP, I use NoScript in my Firefox browser and find it highly effective.

My question has to do with allowing Flash to run in Firefox in Ubuntu. By allowing Flash to run without authorization in each instance, does one also allow the possibility of something untoward occurring as a part of that event?

Part of my problem is a basic lack of understanding of exactly what scripts, java, javascript, ajax and flash are and do, and what the degree of relative risk of each is. If anyone knows of a net resource/tutorial on this subject or can dash off a brief synopsis, this would be greatly appreciated.

TIA
 
Old 11-02-2008, 12:04 PM   #2
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Rep: Reputation: 40
Well, this can take a longer post. But to make it short let's say this.

There's not much threat as far as an end user is concerned from Flash unless there's a serious security flaw in the Flash software (e.g. Adobe Flash Player, Gnash, etc.). I don't think you should worry much about it unless you need an extremely locked down environment.

Don't fret that much. I've been using 100% Linux for years and haven't had much security concerns related to Flash.
 
Old 11-02-2008, 12:06 PM   #3
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1285
You should use the Flashblock extension; that way you can selectively allow Flash to run.
 
Old 11-02-2008, 12:31 PM   #4
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115
Noscript can be set to block flash by default - giving you the choice to click on the flash object if you want to run it. This is how I do it.

Flash does collect uniquely identifiable information about you and your browsing habits, and can be induced to reveal that information to anyone who asks nicely.

You will find its cache of information in ~/.macromedia. If you visit the flash homesite and look around for awhile, you will find a tool (in flash, naturally) which is supposed to properly set your preferences regarding information cached about what/where you have visited. I have found that tool to be less than satisfactory (and you have to hunt for it anyway) and have dealt with my problem by deleting the entire contents of .macromedia, then by setting the permissions on .macromedia to 000 so that no program can access it.
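As an added illustration of the cleanup jiml8 describes, not code from the thread: a POSIX shell script that counts the Flash Local Shared Objects (the .sol files Flash uses as per-site storage) under a directory, empties it and sets mode 000. The ~/.macromedia location comes from the post; the function names and the --apply flag are my own, and the directory parameter exists so the functions can be tried on a scratch directory before touching the real one.

```shell
#!/bin/sh
# Added example, not from the thread: purge Flash's per-user Local Shared
# Object store and lock the directory, as jiml8 describes.
# Assumptions: Adobe Flash Player on Linux keeps LSOs under ~/.macromedia
# (stated in the thread); the directory argument is a parameter only so the
# functions can be exercised on a scratch directory first.

# Count .sol files (LSOs, Flash's cookie-like per-site storage) under DIR.
count_lso() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f -name '*.sol' | wc -l | tr -d ' '
}

# Empty DIR and make it inaccessible (mode 000) to the user's own processes.
# Caveat: root (or anything with CAP_DAC_OVERRIDE) is not stopped by 000;
# this only stops the unprivileged plugin running as you from reading or
# recreating its cache.
lock_flash_cache() {
    dir=$1
    mkdir -p "$dir"
    chmod u+rwx "$dir"               # in case it was locked by an earlier run
    find "$dir" -mindepth 1 -delete  # remove all cached LSOs and settings
    chmod 000 "$dir"
}

# Undo: make the directory usable again.
unlock_flash_cache() {
    chmod 700 "$1"
}

# Print the directory's octal mode (GNU stat).
cache_mode() {
    stat -c '%a' "$1"
}

# Only act on the real ~/.macromedia when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    target="$HOME/.macromedia"
    echo "LSOs before: $(count_lso "$target")"
    lock_flash_cache "$target"
    echo "locked $target (mode $(cache_mode "$target"))"
fi
```

Run it as `sh lock_flash.sh --apply` to lock your own ~/.macromedia; without the flag it only defines the functions. Leaving an empty, mode-000 directory in place (rather than deleting it) is what stops the player from silently recreating the store on the next page that uses Flash.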
 
Old 11-02-2008, 01:28 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote (originally posted by SkyEye):
There's not much threat as far as an end user is concerned from Flash unless there's a serious security flaw in the Flash software (e.g. Adobe Flash Player, Gnash, etc.).
"Unless..." Nice hedge. Unfortunately it doesn't work since there have been some.
A CVE search for "Adobe Flash" should tell.
Also note that with Flash the risk isn't solely in the SW but also stuff like scripting.


Quote (originally posted by SkyEye):
I don't think you should worry much about it unless you need an extremely locked down environment.
Shouldn't this part instead talk about *NIX architecture vs World (privilege separation)?..
 
Old 11-02-2008, 02:04 PM   #6
SkyEye
Member
 
Registered: Sep 2005
Location: Sri Lanka
Distribution: Fedora (workstations), CentOS (servers), Arch, Mint, Ubuntu, and a few more.
Posts: 441

Rep: Reputation: 40

Quote (originally posted by unSpawn):
"Unless..." Nice hedge. Unfortunately it doesn't work since there have been some.
A CVE search for "Adobe Flash" should tell.
Also note that with Flash the risk isn't solely in the SW but also stuff like scripting.
Ah, well. Not only Flash Player, but even Adobe Reader (probably more than Flash) had and will continue to have serious security issues. But does that mean we have to stop using software that happened to have versions which were exploitable? If that's the case no major software would be fit for use, not even OpenBSD, and the Internet would be void of Sendmail servers. We all know that's not the case, or at least not realistic.

I'm not particularly a fan of Flash and might be able to live without it for a while. But regardless of how much you and I dislike it (and it's *not* Open Source either), Flash is mostly inevitable on the Web these days. So either we have to use it or replace it. I agree with you, I did have that 'hedge' and it was deliberate.

Seeing a threadful of members being this concerned about security is refreshingly good. I just didn't want Odyssey1942 to be scared away. That's why I said using Flash shouldn't be something to worry about unless a locked down environment is needed.

Quote (originally posted by unSpawn):
Shouldn't this part instead talk about *NIX architecture vs World (privilege separation)?..
I'm not entirely sure what you meant by this. Perhaps you are mentioning things like sandboxing (Eg: JVM, etc.) and MAC (Eg: SELinux, grsecurity, etc.)?

Didn't want to be rude or hostile, just wanted to do a little clarification. BTW, it's a great thing you criticised my post. My post must have been ambiguous and clearly based on some assumptions regarding what he expected. Thanks.

Last edited by SkyEye; 11-02-2008 at 02:08 PM.
 
Old 11-02-2008, 02:09 PM   #7
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1285
You can try gnash instead of adobe flash player, it works reasonably well, almost all youtube videos play, and most buttons show up (some without text tho). It's not that bad. I use it once in a while to test it.
 
Old 11-03-2008, 07:58 AM   #8
Odyssey1942
Member
 
Registered: Jul 2006
Posts: 287

Original Poster
Rep: Reputation: 30
Thanks all. Very helpful. Have now installed NoScript (didn't realize there was a linux version), am reasonably familiar with it, and this lowers my anxiety.

I still have a question about how these scripts can be effective in a Linux system if the user is not operating as root. Anytime I attempt anything that is possibly questionable, I have to sign in as administrator. Can scripts side-step this requirement and install some sort of malware (regardless of where the vulnerability is)?

Thank you both. khafa, that wiki reference was very informative and loaded with great references. Will keep me busy for awhile.
 
Old 11-03-2008, 06:05 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote (originally posted by SkyEye):
Ah, well. Not only Flash player, but even Adobe Reader (probably more than Flash) had and will continue to have serious security issues. But does that mean we have to stop using software who happened to have versions which were exploitable.
No, it should just serve as a reminder. The impact of a daemon like Sendmail having vulnerabilities has different implications as opposed to a piece of software people don't even perceive as software. After all with Flash you're only seeing the (effect of the) rendered result. Everything beneath it like scripting remains hidden.


Quote (originally posted by SkyEye):
Didn't want to be rude or hostile, just wanted to do a little clarification.
You've not been rude or hostile at all and it's a good thing you tried to give it to him the non-scary way (I might learn from that as well). What I've posted isn't critique, just to counter the effects of you choosing to take the short road ;-p The *NIX architecture part is about privilege separation, like how the actions of an unprivileged user affect the machine (or don't) as opposed to using privileged accounts. Of course if you use the 'net as an unprivileged user then if your valuable data gets hijacked no privilege separation will save you...



Quote (originally posted by Odyssey1942):
Part of my problem is a basic lack of understanding of exactly what scripts, java, javascript, ajax and flash are and do, and what the degree of relative risk of each is. If anyone knows of a net resource/tutorial on this subject or can dash off a brief synopsis, this would be greatly appreciated.
There's a few things you should be off searching for like Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF). Here's two links to get you started: The Cross Site Scripting FAQ: www.cgisecurity.com/articles/xss-faq.shtml and The Cross-Site Request Forgery FAQ: http://www.cgisecurity.com/articles/csrf-faq.shtml.

If you *really* want to get into things you should understand that the definition of "malware" differs depending on using mcrsft or GNU/Linux due to architecture. To get deeper into things you could do with some basic knowledge of browsers and rendering, the Document Object Model, Java/ECMAscript, tenets of secure coding (don't trust users, filter input, escape output), webservers (protocols, dynamic parsing, sessions), PHP (file inclusion, remote file execution), SQL (injection), Flash (actionscript), any other web application or plugin that allows for scripting and "upcoming" usage like AJAX. It looks like a huge task, but if you're hungry for nfo already then you know that just reading one piece a time will gain you knowledge in time. OTOH you might as well start with some "fun" and read http://www.gnucitizen.org/...


Quote (originally posted by Odyssey1942):
khafa, that wiki reference was very informative and loaded with great references.
Huh? I haven't seen any "khafa" reply in this thread?

Last edited by unSpawn; 11-03-2008 at 06:21 PM. Reason: Forgot one.
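To make unSpawn's privilege-separation point concrete, here is an added shell example (not from the thread): it lists the credential-bearing files under a home directory that a process running as that user, for instance a compromised browser plugin, can already read without any root password. The set of paths it looks for (SSH private keys, GnuPG keyrings, .netrc, Firefox's key3.db/signons.sqlite password stores, Flash .sol files) is an assumption chosen for illustration, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: show what a process running with the
# user's own privileges (such as a browser plugin) can already read.
# Assumption: the candidate paths below are common credential and browser
# state locations chosen for illustration; adjust them for your own setup.

# Print one line per secret-bearing file under HOME_DIR that the current
# user can read, as "<octal mode><TAB><path>". Readability is tested with
# -r, i.e. the same access a plugin running as this user would have.
audit_home_secrets() {
    home=$1
    # Candidate files: SSH private keys (not .pub), GnuPG keyrings, netrc
    # passwords, Firefox stored-password databases, and Flash LSOs.
    find "$home" \( -path '*/.ssh/id_*' ! -name '*.pub' \
                 -o -path '*/.gnupg/*.gpg' \
                 -o -name '.netrc' \
                 -o -name 'key3.db' -o -name 'signons.sqlite' \
                 -o -path '*/.macromedia/*.sol' \) -type f 2>/dev/null |
    while IFS= read -r f; do
        if [ -r "$f" ]; then
            printf '%s\t%s\n' "$(stat -c '%a' "$f")" "$f"
        fi
    done
}

# Count the readable secrets: the number a compromised plugin could exfiltrate
# while never leaving the user's own privilege level.
count_readable_secrets() {
    audit_home_secrets "$1" | wc -l | tr -d ' '
}

# Only walk the real home directory when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    audit_home_secrets "$HOME"
    echo "readable secret files: $(count_readable_secrets "$HOME")"
fi
```

Run it as `sh audit_home.sh --apply`. The mode column will almost always say these files are already protected from *other* users (600 or similar); the point of the listing is that none of that matters to code that runs as you, which is exactly what a browser plugin does.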
 
Old 11-03-2008, 07:48 PM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 7,151

Rep: Reputation: 2203
The first, and utterly most-basic, requirement for any software that is allowed to exist "around here" is that nothing may require a root-password to be entered. Period. Not for any reason.

Therefore, the Flash player (or whatever it is...) can only run with the user's own (limited...) privileges. If it cannot do that, it cannot run.

Whether you are dealing with Linux or Windows or OS/X (exactly the same principles apply in all three cases), always remember "the principle of least privilege." There is absolutely no reason to give the valet who parks your car the keys to your house and your safe-deposit-box, let alone the keys to your car's trunk or glove-compartment. If the valet makes any such unreasonable demand, go find a different parking-lot or restaurant.
 
Old 11-04-2008, 08:37 AM   #11
Odyssey1942
Member
 
Registered: Jul 2006
Posts: 287

Original Poster
Rep: Reputation: 30
You guys are the sort that give forums a good name. This has been very informative and helpful. Thanks very much and for any more that follow.

unSpawn, being a beginner, I normally have several issues that I am dealing with and often have more than one post going. I usually compose my posts in a text editor, then copy and paste into the thread. In that case, I inadvertently picked up a post for an earlier thread. Apologies for any confusion.
 
Old 11-04-2008, 02:09 PM   #12
beiller
LQ Newbie
 
Registered: Nov 2008
Posts: 22

Rep: Reputation: 15
Yes I have had nothing but good experiences with flash (even flash 10 beta linux) although the full screen video was slow until I upgraded my CPU.

I think you are confusing Flash with ActiveX in Windows, which was able to do some nasty things.
 
Old 11-04-2008, 02:18 PM   #13
rickh
Senior Member
 
Registered: May 2004
Location: Albuquerque, NM USA
Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97
Posts: 4,250

Rep: Reputation: 61
Quote (originally posted by beiller):
Yes I have had nothing but good experiences with flash (even flash 10 beta linux) although the full screen video was slow until I upgraded my CPU.

I think you are confusing flash with ActiveX in windows which was able to do some nasty things
What turnip truck did you fall off?
 
Old 11-04-2008, 02:29 PM   #14
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,063

Rep: Reputation: 381
Quote (originally posted by beiller):
Yes I have had nothing but good experiences with flash (even flash 10 beta linux) although the full screen video was slow until I upgraded my CPU.
If you ever had to use a dialup modem you wouldn't see Flash as a good thing.

Also, what happens if you use an unsupported platform? Is not the web supposed to be accessible by anyone? That's not the case, since the plugin only works on a very limited number of architectures and OSes.

It might look good for you, but it's definitely an obstacle in the way of accessibility.

Quote:
I think you are confusing flash with ActiveX in windows which was able to do some nasty things
Not really, any vulnerable program is exposed. And those that provide a scripting interface are even more so. The Flash language (ActionScript or something like that) is not an exception. Neither is JavaScript, which is broadly used in a big percentage of sites. That's why it's a good thing to disable JavaScript globally and use it only when necessary and only on trusted sites.

The average Joe never does it that way though. That's why 99% of the computers with Windows require a monthly reinstall.

It all comes down to what degree of functionality or power the offending language has. I know nothing about ActionScript, but ActiveX can do anything, and that's why it's so dangerous.

Last edited by i92guboj; 11-04-2008 at 02:31 PM.
 
Old 11-04-2008, 02:38 PM   #15
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1285
You may also want to read this:
http://www.linuxquestions.org/questi...mputer-681054/
 
  


Tags
flash, linux, security

