Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Thanks for keeping us informed win32sux. Your efforts on this and the kernel vulnerabilities thread are very much appreciated.
From what I read, it looks like the error is in the parsing of downloadable WOFF format fonts, so in theory going into about:config and changing gfx.downloadable_fonts.enabled to false sounds like it would have mitigated the "remote" aspects of this vulnerability. If anyone is waiting for their distro to get the fix out, then you may want to consider doing this. (Actually, I think I'm gonna leave this disabled even though I'm now running 3.6.2).
Pity no one at secunia or mozilla thought to inform people about such a simple mitigation action.
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61
Rep:
Finally, Firefox 3.6.2 has been released, I have it. Hopefully it will address some of the concerns here. I apologize to anyone who may have been offended by my previous posts, but I was only going by what I was told the first time that I installed Linux. No viruses, malware, and no worries. Mabye I need to do some studying on this issue, but at the same time, no one should be saying that with Linux, you have nothing to fear. That is still being repeated to this day.
Thanks for keeping us informed win32sux. Your efforts on this and the kernel vulnerabilities thread are very much appreciated.
You (and anyone else who reads these threads) are most welcome!
Quote:
Originally Posted by catilley1092
Finally, Firefox 3.6.2 has been released, I have it. Hopefully it will address some of the concerns here. I apologize to anyone who may have been offended by my previous posts, but I was only going by what I was told the first time that I installed Linux. No viruses, malware, and no worries. Mabye I need to do some studying on this issue, but
The virus threat to GNU/Linux is indeed extremely lower than with Windows — there's absolutely no doubt about that, but it's beside the point. With arbitrary code execution vulnerabilities, the bad guys with the exploits are able to execute pretty much anything they wish on your box if you're attacked. Think about that for a second, pretty much anything they wish. The damage they can cause is limited only by their skills/abilities and your security posture. The implications of that are huge, to include code which can do anything ranging from data destruction to identity theft and worse. This is true on any generic OS, and it's important that LQSEC serve as a place to encourage proactive defense against such threats.
Quote:
at the same time, no one should be saying that with Linux, you have nothing to fear. That is still being repeated to this day.
Unfortunately, you're absolutely correct — some people do believe and proclaim things of that nature. I would like to think that it's mainly newcomers, though — specifically, those who have been encouraged to try GNU/Linux by misguided individuals. From that perspective, it's not really their fault, and perhaps they just need time in order to realize that there's plenty of security threats to go around, regardless of the OS you use. If I could offer you a suggestion, it would be to browse through unSpawn's Security references thread. However, instead of looking to learn how to use the tools listed there, go at it from a different angle: study the specific vulnerabilities which the tools are designed to mitigate.
Distribution: Linux Mint "Mate" x64 (primary OS), Win 7/8 x64, XP Home/Pro x32.
Posts: 61
Rep:
win32sux, thanks for letting me know that I'm not 100% safe on a computer, regardless of the OS. Linux and Mac users swears by this. I did click onto the link "arbitrary code execution", it led to a Wikipedia article that described it in detail. When I made my initial posts regarding this, the thought of it caught me off guard and I became entangled with defending FF, without looking up anything. I do apologize, it's my bad for assuming something didn't exist w/o at least researching it. I use Linux Mint 8 and Windows 7 Pro. Both OS's have their merits. I'm a VIP member of a Windows 7 forum, and this issue never once came up on the forum. Most security related issues do. Like myself, there are a few Linux users on the forum who prefers speed and security over scanning and scanning for viruses and malware. Although I normally use Mint for the sheer speed (virus and malware protection comes at a price, your speed), I have to use Windows to print and for my grandaughter to play games on. But I have learned from this, and the next time I hear of a threat like this, I'll switch browsers until the issue is resolved. I proudly accept the warning that was issued to me as a lesson learned, with no hard feelings toward anyone.
Mabye I need to do some studying on this issue, but at the same time, no one should be saying that with Linux, you have nothing to fear. That is still being repeated to this day.
I'd say that if you configure it right and do upgrade when needed, you have little to fear. I don't think that there can ever be a 100% secure OS, not even with SELinux (which I don't like), so don't expect it.
Wow, I didn't know the source code was pending. I did try to take a look at the relevant bug report in order to determine whether it affected the GNU/Linux version, but it's not publicly accessible.
EDIT: Just checked and it looks like the source was uploaded today.
I pretty much ignored this post when I saw it originally, but in retrospect it does seem like it's pertinent enough to be discussed here in this thread. Personally, I find it quite refreshing whenever Mozilla is proactive like this. I just hope the unintended, negative consequences will be minimal.
Quote:
We’re close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time. We’re really excited about this fix, we hope other browsers will follow suit. It’s a tough problem to fix, though, so I’d like to describe how we ended up with this approach.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.