KDE flaws put Linux, Unix systems at risk

A serious vulnerability has been found in the popular KDE open-source software bundle. The flaw, deemed "critical" by the research outfit the French Security Incident Response Team, could allow a remote attacker to gain control over vulnerable systems. KDE is a desktop software package for Linux and Unix systems and includes the Konqueror Web browser and other applications.

The vulnerability lies in the JavaScript interpreter engine used by Konqueror and other parts of KDE, according to a security advisory posted Thursday. An attacker could craft a special UTF-8 encoded URI sequence to exploit the flaw, according to the advisory. For an attack to be successful, a person would have to visit the attacker's Web page using Konqueror, the FrSIRT said in its alert. Affected are KDE 3.2.0 up to and including KDE 3.5.0. Fixes are available.

[mooredynasty]

?nix Has Flaws?

I thought only Windows had these problems...

[Gayle Edwards]

Sure... Windows just has a LOT more...

I beleive the ratio is actually hundreds-to-one.

But, then, this isnt actually a UNIX flaw, or even a *NIX flaw. Its apparently a "JAVA" flaw which can effect a specific Web-Browser, within a specific GUI. If your computer meets all those criteria, and you visit a malicious Web-site, well then...

On the other hand... our Linux-server has never been compromised just sitting there, unlike the many fully patched "MS-Windows" computers, we have worked-on.

[LouisC]

Well, it's not linux

It's KDE. Linux itself doesn't have these kind of problems, but KDE, a desktop environment for linux, does occasionally. It's nothing to worry about, fixes for problems on Linux come along very quickly.

[nzamparello]

Everything has flaws

Every os has bugs which create flaws.. The only advantage of Open Source is that these flaws are publicly available and anyone that is knowledgeable in coding can submit fixes for these flaws and since the fix must be open source those fix codes are also availabe for review which is not always possible for proprietary programs... Such as WINDOWS!!! But if you had read the article instead of just the headline.. The fix is already available... Unlike M$'s patch tuesday.. If you think windows is superior just try asking M$ for the source code for windows so you can proof the code yourself.. Now before you rant.. M$ does have a shared source program but unless your Uncle Sam, good luck.. Plus even apple has their most of their source open for review!! So Mr. Moore, I emplore you to fully read the article.. Do some googling... I'm glad that you are asking questions instead of being biased.. ;-)

[thomaskray]

No system is truly safe

Just goes to show that ANY system can be at risk. No OS is really any better than the next.

[chill633]

Safer than most...

Just goes to show that ANY system can be at risk. No OS is really any better than the next.

On a standard Linux/BSD/Unix system a user would be browsing with non-root privileges. This would mean any executed code only runs with the rights of the user. While user owned files (i.e. - My Documents) would be at risk, changing executables or compromising an entire system would be much more difficult.

In contrast, Windows machines either don't even have the concept of privilege (95/98/ME) or still run most code with admin rights (2000/XP). Microsoft is working on making it easier to run with "least privilege", but it will be a long time before most Windows systems even come close to a Unix system in this regard.

Making it painless for users to do their daily work with least privilege rights is an important layer in securing a computing environment. Currently Linux/BSD/Unix is much further ahead than Microsoft in this regard.

-Charles

[LouisC]

But in this case

like i said in my other reply, it's not a fault in the OS. It's a fault in the webbrowser of a specific DE. There are tons of other browsers out there (Epiphany, Opera, Mozilla, Firefox, etc...) that don't have this flaw.

[pythonhacker]

Attack Surface

As someone said in the comments, no system is 100% secure. A better way is to look at the "attack surface" presented by a system to malicious code. This is directly related to the security of the system.

Unix/Linux systems, which by employing user/process privileges reduce the attack surface considerably when compared to Windows which has a much larger attack surface due to flawed design, such as an integrated browser among others. Linux provides additional security features to reduce the attack surface with features such as LSM (Linux Security Module) and SELinux.

For example, if the same vulnerability was present in say I.E the attack surface would have been much greater than KDE due to the tight integration of I.E with Windows. In Linux this is much reduced due to the inherent security advantages of the Unix OS.

The next time you see a security alert about an OS, it helps to think about the attack surface it exposes. It gives a better sense of the actual vulnerability of the system to the flaw than an alarmist headline.

[matt5hansen]

Good point

A user's ability to control the system would be limited with this vulnerability. Also true-Konqueror is a single program. It is not Linux, and no one uses Konqueror on the web (typically)

Yeah, lets throw words

like "attack surface" around and try and sound smart. What design flaws are you talking about? Like the fact that vanilla unix still has a 60s security model of read/write/excute privilege to group and owner? chmod anyone? As opposed to a real ACL model that NT has always had?
Oh let me tell you about setuid programs

[matt5hansen]

Does ANYONE use Konqueror on the web?

It's a crappy browser for the web. This certainly is not headline news.

[m_abs]

I do, and it's not.

I've used konqueror for web-browsing since KDE
3.4, it's faster then any other (except purhapes
opera), it consumes less resources then firefox,
it displays at least as many web-site correctly
and it is intergated well into KDE.
Since KDE 3.5, konquerors engine KHTML passes
the ACID2-test unlike certain other
browser-engines.

[just_some_guy]

Yes.

I use it, and it works fine.

[Zymurgist]

Yes, it's a great browser...

So far, it's the only browser I've used to date
that functions the way I'd expect a browser to.
It's handling of mime-types and plug-ins is very
sensible as are bookmarks. It's use of KDE
kio_slaves is really well done, as it's support
for Firefox/Mozilla plugins.

Konqueror is VERY fast, takes very little
resources, is very extensible (the keyword
functionality is better than firefox). It's
support of CSS2 is excellent (save for the
font-size attribute in 'style' tag-attributes
for some reason).

Yes, JavaScript on some sites behaves oddly (in
part because the kjs interpreter bails when it
encounters an error, rather than keeps going),
but most sites work quite nicely with it.

[markhahn]

just userspace

unfortunately, the media is so used to reporting windows vulnerabilities that they don't realize that a user-space compromise under *nix is very far from critical. sure, it might inconvenience _a_ user. but it doesn NOT put the _system_ at risk.

[David Arbogast]

JUST?!?

Oh riiight... because accound names, passwords, credit card numbers, financial records, email addresses, messenger links, browser history, and the like... they aren't a risk at all. Thank goodness its only userspace!

[petrus4]

Necessary clarification

The builtin security system of UNIX/Linux systems is such that a user would need to be running Konqueror via the root or superuser account in order for it to compromise the entire system. Strictly speaking, hardly any processes on a properly controlled system should be using the root account at all...Virtually everything should be delegated to well-defined, limited, sub-user accounts. Protecting against these types of exploits is precisely why this security system exists, and if the system is used properly, such exploits are not a major problem.

[aqvanavt]

Linux flaw(s)

I think people should realize that as Linux expands the more vunerable it will become to malicious hacking. Which is pretty weird considering that you can contribute to it's evolution with out being destructive.