Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
That's what I thought, the "execute arbitrary code" ones usually are.
Could you elaborate a bit, please? Is it your gut feeling or do you have statistics to back that up? I'm not attacking your claim, I'm just honestly curious as to how you've reached this conclusion.
From what I've seen so far, all we know is that the written 'exploit' is for Windows. There's nothing to suggest that the underlying 'vulnerability' isn't more widespread.
Could you elaborate a bit, please? Is it your gut feeling or do you have statistics to back that up? I'm not attacking your claim, I'm just honestly curious as to how you've reached this conclusion.
Well, think about it, "execute arbitrary code", how could this harm your system and what kind of code could it be. By far, statistically, the majority of malicious code is written for Window$, I doubt anyone anywhere will debate that. Furthermore, say you were running this arbitrary code on Linux, what is the worst it could do ? Erase your home folder, read your user's files and send them off, and that's about it. Now, what about on Window$, especially since most people run in admin mode ... it can do a lot more damage, it can install viruses, a rootkit, delete everything on the HDD, maybe even damage hardware. There also exist many bugs in the Window$ kernel that M$ fails to patch, these can be easily exploited even in user mode. Furthermore, when I see "execute arbitrary code" in a web browser context this means ActiveX in most cases, and this truly is dangerous, and Window$ only.
Well, you could just say it's a gut feeling, but not completely unsubstantiated.
Well, think about it, "execute arbitrary code", how could this harm your system and what kind of code could it be. By far, statistically, the majority of malicious code is written for Window$, I doubt anyone anywhere will debate that. Furthermore, say you were running this arbitrary code on Linux, what is the worst it could do ? Erase your home folder, read your user's files and send them off, and that's about it. Now, what about on Window$, especially since most people run in admin mode ... it can do a lot more damage, it can install viruses, a rootkit, delete everything on the HDD, maybe even damage hardware. There also exist many bugs in the Window$ kernel that M$ fails to patch, these can be easily exploited even in user mode. Furthermore, when I see "execute arbitrary code" in a web browser context this means ActiveX in most cases, and this truly is dangerous, and Window$ only.
Well, you could just say it's a gut feeling, but not completely unsubstantiated.
Okay, I was actually kind of hoping it was more than a gut feeling. It would be very interesting to know whether arbitrary code execution vulnerabilities in Firefox are more prevalent for certain platforms. The potential effects of exploiting those vulnerabilities (and the circumstances in which they are exploited) is a completely separate issue which isn't what I was asking about. I might look into this matter if I get some free time. Thanks for the reply.
Every article I've seen on this is very vague, and the comments always mention the distinct possibility that it is a hoax. Well, even if it wasn't I bet it has something to do with activex.
Every article I've seen on this is very vague, and the comments always mention the distinct possibility that it is a hoax. Well, even if it wasn't I bet it has something to do with activex.
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61
Rep:
I certainly would never use it. Active X controls are part of what makes IE a piece of crap for a browser, and makes Windows vulnerable to viruses. That's what I like about Mint and Linux in general, you don't have to go through the daily routine of scanning your system and still get infected, regardless of how careful you are.
Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix.
Mozilla To Fix Vulnerability Claimed To Be Fake...
Quote:
A month ago, Secunia issued an advisory, SA38608, for a vulnerability reported in Firefox 3.6 by Evgeny Legerov and with an exploit bundled in VulnDisco Pack.
Some people were very eager to claim that this vulnerability report was fake - both on the Mozilla blog and our own forum - but Mozilla has now fixed this vulnerability in their Beta build and it will also be included in the upcoming version 3.6.2.
It was not surprising to see some people claim that the vulnerability report was fake; the very weak arguments being made and assumptions these were based on did, however, surprise and can probably be listed as:
1) The vulnerability report is fake because the researcher has not provided details to Mozilla.
2) The vulnerability report is fake because no public details are available.
3) The vulnerability report is fake because the reporter did not adhere to what is commonly referred to as "responsible" disclosure, hence he is a "blackhat", and hence he is not to be trusted.
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61
Rep:
Look, for the most part, this is only going to affect Windows users. Mozilla a taking a unfair beating here. It seems perfectly fine that a billionaire corporation (Micro$oft) doesn't release a browser on a regular basis, and IE8 is the same piece of crap that it was a year ago. Mozilla, a corporation largely funded by donations and staffed by volunteers, releases a new browser on a regular basis. They are constantly hard at work fighting a billionaire corporation for market share. I feel far more secure with Firefox than with IE, even on FF's worst day. When there's a problem with FF, they give us a way to report it, they do have to find a workaround for the problem. Remember here, there's not dozens of programmers at Mozilla making six-digit figures, sitting around drinking coffee, then after lunch, going to play golf, like at Micro$oft. The Mozilla staff is hard at work every day, making progress every day, on a shoestring budget. If you don't feel that you're secure with FF, install Wine and use IE6 for a while. I have it on Mint 8 (64 bit), and can't even get the damn thing to update, although there are two critical updates for it. After a couple of days of using that piece of crap, there will be a renewed appreciation for FF.
Look, for the most part, this is only going to affect Windows users. Mozilla a taking a unfair beating here. It seems perfectly fine that a billionaire corporation (Micro$oft) doesn't release a browser on a regular basis, and IE8 is the same piece of crap that it was a year ago. Mozilla, a corporation largely funded by donations and staffed by volunteers, releases a new browser on a regular basis. They are constantly hard at work fighting a billionaire corporation for market share. I feel far more secure with Firefox than with IE, even on FF's worst day. When there's a problem with FF, they give us a way to report it, they do have to find a workaround for the problem. Remember here, there's not dozens of programmers at Mozilla making six-digit figures, sitting around drinking coffee, then after lunch, going to play golf, like at Micro$oft. The Mozilla staff is hard at work every day, making progress every day, on a shoestring budget. If you don't feel that you're secure with FF, install Wine and use IE6 for a while. I have it on Mint 8 (64 bit), and can't even get the damn thing to update, although there are two critical updates for it. After a couple of days of using that piece of crap, there will be a renewed appreciation for FF.
Uh, why are you getting all defensive about this? Besides, AFAIK it wasn't Mozilla that was taking a beating, it was Secunia. Mozilla had even gone ahead and let it be known on their security blog that they had no idea what the problem was.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
