LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-31-2009, 04:54 PM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
Question Adobe product vulnerabilities - implications on Linux?


In a recent article http://news.cnet.com/8301-19518_3-10422760-238.html McAfee was quoted as saying
Quote:
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target.
I don't use Acrobat Reader (nor writer for that matter) on Linux. However, Flash seems to be a critical component necessary to access many web sites both for content such as embedded videos and for security purposes (flash objects used by banks to identify a particular computer). I am not aware of what form the expected attacks would take. I would be interested in other folks' thoughts on the implications for Linux. Would an attack on Flash have the same impact on a browser on Linux as one on Windows?

Ken
 
Old 12-31-2009, 07:29 PM   #2
affinity
Member
 
Registered: Nov 2009
Distribution: Slackware64
Posts: 132

Rep: Reputation: 20
The implications for Linux specifically would probably be the same as any other potential software exploits. By its nature Linux uses sane permission practices to avoid allowing malware to have a field day with your data. However I do think it will be interesting to see what happens with these services in regards to OS independent malware. If the service lives entirely on the web running from within your browser it could lead to some interesting problems, imagine going to some site and playing their embedded video using flash but the flash player is really spying on you. I don't know how feasible that is, but I'm sure people are trying to figure out how to make that possible. At the end of the day having good security practices and using common sense will still be your defense against any possible threats that come from any web services. I use script/flash/java blocking addons in my browser, so only websites I explicitly allow can execute anything.
 
Old 01-01-2010, 11:02 AM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks affinity,

I also use NoScript and AdBlock Plus in Firefox. I think I will ask financial institutions which I deal with what actions they are taking with regards to this as Flash objects seem to be key to their security models. Should result in some amusing if not pathetic responses.

Perhaps the safest thing to do is say the heck with eCommerce, go back to banking and shopping by phone, and just use the Internet for downloading pornography - as it was originally intended
 
Old 01-04-2010, 12:28 PM   #4
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Actually, I'm quite sure that most of the flash exploits are quite portable to all other OSs and even to other programs that implement flash, like gnash. If you want to keep using flash and feel safe then see:
http://www.linuxquestions.org/questi...ashers-779530/

Quote:
Originally Posted by taylorkh
Perhaps the safest thing to do is say the heck with eCommerce, go back to banking and shopping by phone, and just use the Internet for downloading pornography - as it was originally intended
Yes, yes, I totally agree

However, there was a strange thing I heard recently, some banks do this (from what I remember):
The bank gives you something like a pager where you put in your password or pin or whatever, and it gives you a login name and password for the bank website, which is only available for like 30 seconds. Then you log in, do the transaction and log out. To me this seems like a reasonable and interesting way of authenticating a user. I can't imagine how this could be easily hacked.
 
Old 01-04-2010, 12:34 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by H_TeXMeX_H
However, there was a strange thing I heard recently, some banks do this (from what I remember):
The bank gives you something like a pager where you put in your password or pin or whatever, and it gives you a login name and password for the bank website, which is only available for like 30 seconds. Then you log in, do the transaction and log out.
Sounds like you're referring to security tokens with synchronized one-time passwords.
 
Old 01-04-2010, 12:36 PM   #6
GooseYArd
Member
 
Registered: Jul 2009
Location: Reston, VA
Distribution: Slackware, Ubuntu, RHEL
Posts: 183

Rep: Reputation: 46
If you're curious about Flash vulnerabilities, have a look at the CVE database at:

http://web.nvd.nist.gov/view/vuln/search

The CVEs are normally written in plain English, and give a rough overview of the nature of the vulnerability, affected platforms, and so on.

It's very difficult to predict how future vulnerabilities will apply to the various OSs that the player runs on, but it seems certain there will be many more and that they'll be weird bugs.
 
Old 01-04-2010, 01:03 PM   #7
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks H_TeXMeX_H,

I have looked at some info on "Hack A Day Post" - interesting.

The system you describe sounds like a Radius server system I used for VPN some years ago. I was issued a key fob sort of device which produced a seemingly random 6 digit number every 60 seconds or so. To authenticate with the VPN I would enter my credentials and then the current number on the fob. If (when) the fob got out of sync with the Radius server a call to the admin would get it back in sync. Quite a neat system.


Hi win32sux,

Yes win 32 sux but it is doing better for me at the moment than Ubuntu 9.10. Unfortunately I have been unable to install 8.04 LTS on my new machine and am having to get some things done with an XP VM running on VMWare on the 9.10 box

And Thanks to GooseYArd,

I will keep an eye on the National Vulnerability Database. However, I am afraid that our major Vulnerability is our citizens who expect the government to do FOR them thus they elect idiots and worse who do TO us. Sorry, wrong forum

Ken
 
Old 01-04-2010, 01:04 PM   #8
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Quote:
Originally Posted by win32sux
Sounds like you're referring to security tokens with synchronized one-time passwords.
yes, those are them, thanks. I didn't know what they were called.
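
Editor's added example (not part of any post in this thread): a sketch of the synchronized one-time-password tokens discussed above, including the fob falling out of sync and being resynchronized. The thread does not say which algorithm those fobs used, so this uses the open RFC 4226/6238 scheme as a stand-in; `fob_display`, `Server`, the 60-second step, the window sizes and the secrets are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code (assumed, like the fob described in the thread)
DIGITS = 6

def otp(secret: bytes, counter: int) -> str:
    """RFC 4226 one-time password for a single time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def fob_display(secret: bytes, now: int, clock_error: int = 0) -> str:
    """What the fob shows at time `now` if its clock is off by clock_error s."""
    return otp(secret, (now + clock_error) // STEP)

class Server:
    """Verifier: accepts a small window of steps and remembers token drift."""
    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window = secret, window
        self.drift = 0          # learned clock offset of the fob, in steps
        self.last_used = -1     # highest counter accepted so far

    def _match(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(otp(self.secret, counter), code)

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP + self.drift
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            # counters at or below last_used are rejected: no replay of a code
            if counter > self.last_used and self._match(counter, code):
                self.drift += delta             # follow slow clock drift
                self.last_used = counter
                return True
        return False

    def resync(self, code1: str, code2: str, now: int, search: int = 20) -> bool:
        """Admin resync: locate two consecutive codes in a much wider window."""
        base = now // STEP
        for delta in range(-search, search + 1):
            c = base + delta                    # candidate counter for code2
            if self._match(c - 1, code1) and self._match(c, code2):
                self.drift, self.last_used = delta, c
                return True
        return False
```

Requiring two consecutive codes for the resync is what makes the wide search window tolerable: a single guessed code would match somewhere in a 41-step window far more often than a consecutive pair.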
 
  

