LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-03-2014, 03:24 PM   #1
derek.m
LQ Newbie
 
Registered: Jan 2014
Posts: 11

Rep: Reputation: Disabled
Flash/Java/viruses/malware exploits


Hello

I was listening to the knightwise podcast @ http://knightwise.com/kw801-cross-platform-security/

In this episode, they were talking about viruses and malware and how all platforms including linux is not immune to it. They also discuss how our systems get can get infected.

They also discuss how flash and java can have exploits or holes to execute malicious code.

This concerns me because I visit websites with flash and since adobe stopped supporting linux, we are using flash 11.2.x which is dated.

I have a question and it may be dumb as I don't nothing about flash exploits or java programming.

Can a bad website's flash/java execute malicious code on our systems or they only affect browsers? Thanks

cheerios
 
Old 02-03-2014, 03:39 PM   #2
displace
Member
 
Registered: Jan 2013
Location: EU
Distribution: Debian
Posts: 257

Rep: Reputation: 24
Personally I no longer install flash or java on any of my computers for this exact reason. Living without flash has been a pain in the neck at the beginning, but I've learned to endure it. It's still troublesome because certain websites are being dickheads and refuse to play their video content without flash plugin installed i.e. twitch.tv (I learned to bypass it by using livestreamer).

Anyhow, if you absolutely must have these plugins installed you can use a firefox browser addon like NoScript that will block them by default. You will have to click on a placeholder to activate the plugin on a given website - this will prevent some hidden parts from automatically executing and possibly running malicious code, but can also break some websites. It still doesn't protect you 100% because an attacker can simply replace the flash container on a trusted website with his own malicious one (mitm).
 
1 members found this post helpful.
Old 02-03-2014, 04:22 PM   #3
derek.m
LQ Newbie
 
Registered: Jan 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thanks displace

I believe websites should stray away from flash and use html5 video tags and play mp4/mp3/ogg/ogv media as to flash. At least, youtube includes html5 and other media formats.

I once was tempted to try gnash instead, but I read and heard it isn't compatible with some sites and it can be buggy and/or unstable.

As for java we can only hope that something better would replace it.

cheerios

Last edited by derek.m; 02-03-2014 at 04:26 PM.
 
Old 02-16-2014, 05:08 AM   #4
brebs
Member
 
Registered: May 2013
Posts: 80

Rep: Reputation: Disabled
Quote:
Originally Posted by derek.m View Post
Can a bad website's flash/java execute malicious code on our systems
Yes! Because flash & java have tons of security exploits.

I recommend that people use e.g. Privoxy and AppArmor.
 
1 members found this post helpful.
Old 02-16-2014, 11:04 AM   #5
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
I don't use java or flash because they are insecure. However, if I do have to use flash in some rare cases, I make sure to use NoScript to disable flash on all sites but the one that I have to use it on. It is usually not installed or disabled.
 
1 members found this post helpful.
Old 02-16-2014, 12:15 PM   #6
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth( I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that works well on my cheapest; has been KDE or CLI but open... http://goo.gl/NqgqJx &c ;-)
Posts: 3,707
Blog Entries: 2

Rep: Reputation: 1157Reputation: 1157Reputation: 1157Reputation: 1157Reputation: 1157Reputation: 1157Reputation: 1157Reputation: 1157Reputation: 1157
+1 Addons: NoScript and Adblock... plus over all system security is you, I like Firewalld too.

Last edited by jamison20000e; 02-16-2014 at 12:17 PM.
 
Old 02-16-2014, 01:55 PM   #7
Ormu
Member
 
Registered: Jun 2011
Posts: 92

Rep: Reputation: 15
Firefox 26/27 can disable plugins without NoScript or other addons. NoScript is still useful for controlling JavaScript and other potentially dangerous stuff but it may be tedious to configure as far as I remember.
 
1 members found this post helpful.
Old 02-16-2014, 03:24 PM   #8
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
You configure it once and forget about it. Helps a lot with online security from what I've seen. No more browser hijacking by malicious sites using javascript. The sites that break are either malicious or badly coded, from what I've seen.
 
2 members found this post helpful.
Old 02-18-2014, 08:13 AM   #9
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 579

Rep: Reputation: 62
any content that needs interpreter (flash, shockwave, html, script, images, etc etc) is susceptible to potential vector of attack.

basic 101's, if you dont need "it" to do the business function, then disable or remove "it".

for personal use, the more shiat you have running/enabled the more susceptible your platform is to attack.

the more popular something is (like java, windoze, flash) the more it becomes a target.
 
2 members found this post helpful.
Old 02-18-2014, 10:52 AM   #10
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
If you don't want NoScript for some reasons, you can use flashblock instead to just block flash until you click on it.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
viruses/malware etc: Is my Debian GNU/Linux system protected? edbarx Linux - Laptop and Netbook 44 09-07-2012 06:27 AM
LXer: Security: Linux, OS X, Unix and Malware (Viruses) LXer Syndicated Linux News 0 12-01-2011 08:00 AM
Linux viruses/malware? newbiesforever General 23 09-25-2011 04:35 PM
LXer: On Bugs, Viruses, Malware and Linux LXer Syndicated Linux News 0 08-11-2009 06:00 AM
Exploits/malware targeted at Linux? vibinlakshman Linux - Security 9 12-14-2008 11:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration