Roger writes:
« HTML content follows » On 03/22/2013 11:36 AM, Reindl Harald wrote:Am 22.03.2013 00:56, schrieb Sam Varshavchik:Even let's hypothetically say there's an exploit in Firefox that can be us ed to inject executable code, through a malicious web page, once running the code will have no way to overwrite Fi refox's binary executable, and implant itself in Firefox, or any other operating system executable. As soon as yo u log out or reboot, it's gone. The scope of the damage is limited to wiping files in your home directory, and that' s about itthis as a very naive point of view you do not need to change system-binaries it is enough to place you executeable in the userhome, start it with the desktop and let connect it to a remote-server to have a shell and break any privacy of the user how many users would recognize such intrusion?OK! so how does one recognise such an intrusion? What should one look for?
Well, for starters, if you see some mysterious executable file on your desktop, the last thing you will want to do is execute it. That's it.
Now, I suppose that this attack might work if the malware fscks around with your $HOME/.profile, and uses it to launch itself when you log in. But before anyone starts hiding under their bed, and cowering in fear: if this mode of attack even begins to gain any traction, the first time someone sees some malware doing crap like that, two things will probably happen:
1) Within 2-3 days the hole in Firefox will get patched, and pushed out.2) The next release of every Linux distro will simply make the necessary arrangements to run Firefox under a separate UID that has no write privileges to your login account's home directory (and provide some meaningful way to have downloaded files go into the dedicated UID's own home directory, with read privileges that let you copy over any legitimately- downloaded files to your own desktop, securely.
It's simply not worth anyone's hassle to jump through their arseholes, in order to set up a walled-off Firefox that runs like this right now, because, frankly, this is not a problem as of now. But as soon as – if ever – Firefox on Linux gains enough mind share to present itself a target for malware, and acquires a hole-ridden security rap sheet, with malware beginning to take advantage of that, and target Linux, then this is simply what's going to happen, and everyone will go back to sleep, again.
I started giving my wife, who knows zilch about computers, a series of Linux- runnning laptops almost ten years ago. She does whatever the hell she wants with it. Flash, browse whatever sites she wants (that reminds me, what I said re Firefox, above, applies equally well to Flash running inside Firefox), and her progression of laptops is yet to catch any malware.
So, calm down, and keep your shorts on.
Attachment:
pgpTfJoigZQ12.pgp
Description: PGP signature
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
