A serious vulnerability has been found in the popular KDE open-source software bundle. The flaw, deemed "critical" by the French Security Incident Response Team (FrSIRT), a research outfit, could allow a remote attacker to gain control over vulnerable systems. KDE is a desktop software package for Linux and Unix systems and includes the Konqueror Web browser and other applications.
The vulnerability lies in the JavaScript interpreter engine used by Konqueror and other parts of KDE, according to a security advisory posted Thursday. An attacker could craft a special UTF-8 encoded URI sequence to exploit the flaw, according to the advisory. For an attack to be successful, a person would have to visit the attacker's Web page using Konqueror, the FrSIRT said in its alert. Affected are KDE 3.2.0 up to and including KDE 3.5.0. Fixes are available.
But, then, this isn't actually a UNIX flaw, or even a *NIX flaw. It's apparently a "JAVA" flaw which can affect a specific Web-Browser, within a specific GUI. If your computer meets all those criteria, and you visit a malicious Web-site, well then...
On the other hand... our Linux-server has never been compromised just sitting there, unlike the many fully patched "MS-Windows" computers we have worked on.
It's KDE. Linux itself doesn't have these kinds of problems, but KDE, a desktop environment for Linux, does occasionally. It's nothing to worry about; fixes for problems on Linux come along very quickly.
Every OS has bugs which create flaws.. The only advantage of Open Source is that these flaws are publicly available and anyone that is knowledgeable in coding can submit fixes for these flaws and since the fix must be open source those fix codes are also available for review which is not always possible for proprietary programs... Such as WINDOWS!!! But if you had read the article instead of just the headline.. The fix is already available... Unlike M$'s Patch Tuesday.. If you think Windows is superior just try asking M$ for the source code for Windows so you can proof the code yourself.. Now before you rant.. M$ does have a shared source program but unless you're Uncle Sam, good luck.. Plus even Apple has most of their source open for review!! So Mr. Moore, I implore you to fully read the article.. Do some googling... I'm glad that you are asking questions instead of being biased.. ;-)
"Just goes to show that ANY system can be at risk. No OS is really any better than the next."
On a standard Linux/BSD/Unix system a user would be browsing with non-root privileges. This would mean any executed code only runs with the rights of the user. While user owned files (i.e. - My Documents) would be at risk, changing executables or compromising an entire system would be much more difficult.
In contrast, Windows machines either don't even have the concept of privilege (95/98/ME) or still run most code with admin rights (2000/XP). Microsoft is working on making it easier to run with "least privilege", but it will be a long time before most Windows systems even come close to a Unix system in this regard.
Making it painless for users to do their daily work with least privilege rights is an important layer in securing a computing environment. Currently Linux/BSD/Unix is much further ahead than Microsoft in this regard.
-Charles
Like I said in my other reply, it's not a fault in the OS. It's a fault in the web browser of a specific DE. There are tons of other browsers out there (Epiphany, Opera, Mozilla, Firefox, etc...) that don't have this flaw.
As someone said in the comments, no system is 100% secure. A better way is to look at the "attack surface" presented by a system to malicious code. This is directly related to the security of the system.
Unix/Linux systems, by employing user/process privileges, reduce the attack surface considerably when compared to Windows, which has a much larger attack surface due to flawed design, such as an integrated browser among others. Linux provides additional security features to reduce the attack surface with features such as LSM (Linux Security Module) and SELinux.
For example, if the same vulnerability was present in, say, I.E., the attack surface would have been much greater than KDE due to the tight integration of I.E. with Windows. In Linux this is much reduced due to the inherent security advantages of the Unix OS.
The next time you see a security alert about an OS, it helps to think about the attack surface it exposes. It gives a better sense of the actual vulnerability of the system to the flaw than an alarmist headline.
A user's ability to control the system would be limited with this vulnerability. Also true: Konqueror is a single program. It is not Linux, and no one uses Konqueror on the web (typically).
like "attack surface" around and try and sound smart. What design flaws are you talking about? Like the fact that vanilla unix still has a 60s security model of read/write/execute privilege to group and owner? chmod anyone? As opposed to a real ACL model that NT has always had? Oh let me tell you about setuid programs
I've used Konqueror for web-browsing since KDE 3.4, it's faster than any other (except perhaps Opera), it consumes less resources than Firefox, it displays at least as many web-sites correctly and it is integrated well into KDE. Since KDE 3.5, Konqueror's engine KHTML passes the ACID2-test unlike certain other browser-engines.
So far, it's the only browser I've used to date that functions the way I'd expect a browser to. Its handling of mime-types and plug-ins is very sensible as are bookmarks. Its use of KDE kio_slaves is really well done, as is its support for Firefox/Mozilla plugins.
Konqueror is VERY fast, takes very little resources, is very extensible (the keyword functionality is better than Firefox). Its support of CSS2 is excellent (save for the font-size attribute in 'style' tag-attributes for some reason).
Yes, JavaScript on some sites behaves oddly (in part because the kjs interpreter bails when it encounters an error, rather than keeps going), but most sites work quite nicely with it.
Unfortunately, the media is so used to reporting Windows vulnerabilities that they don't realize that a user-space compromise under *nix is very far from critical. Sure, it might inconvenience _a_ user. But it does NOT put the _system_ at risk.
Oh riiight... because account names, passwords, credit card numbers, financial records, email addresses, messenger links, browser history, and the like... they aren't a risk at all. Thank goodness it's only userspace!
The built-in security system of UNIX/Linux systems is such that a user would need to be running Konqueror via the root or superuser account in order for it to compromise the entire system. Strictly speaking, hardly any processes on a properly controlled system should be using the root account at all... Virtually everything should be delegated to well-defined, limited, sub-user accounts. Protecting against these types of exploits is precisely why this security system exists, and if the system is used properly, such exploits are not a major problem.
I think people should realize that as Linux expands the more vulnerable it will become to malicious hacking. Which is pretty weird considering that you can contribute to its evolution without being destructive.