What's with the KDE exploit? Is Fedora patched?

John Summerfied debian at herakles.homelinux.org
Mon Jan 23 22:40:25 UTC 2006


Dotan Cohen wrote:
> I know that News.com is one of those Microsoft cronies, but I quote:
> "A serious vulnerability has been found in the popular KDE open-source
> software bundle. The flaw, deemed "critical" by the research outfit
> the French Security Incident Response Team, could allow a remote
> attacker to gain control over vulnerable systems."
> 
> From here:
> http://news.com.com/KDE+flaws+put+Linux,+Unix+systems+at+risk/2110-1002_3-6029297.html
> 
> I'm not subscribed to fedora security lists, I'll go sign up now, but

That's probably more important than this one:-)

> I'd like a little info from you guys, as I trust you (certain names
> like Dalloz, Rahul and others come to mind). Thanks.


Now the dust has settled a little, I'll make some points:
1. On Linux one normally has a choice of browsers, and a lot of Linux 
people don't use Konqueror.
2. The attacker has to get you to visit their site. Typically, this 
would be from a phishing attack or an offer of software that does more 
than the docs say (think trojan) or similar mass coercion.

I'd guess that "remove me," "buy now" links and links to external images 
would provide the vectors. Email clients I've seen on Linux default to 
no downloading external images.

3. A successful attack means, at worst, a stranger gets to run malicious 
code with your privileges. Unless you do stuff as root, their chances of 
taking over your machine aren't great (provided you're reasonably 
current with your patches). Potentially, they could get some financial 
details including passwords, and email address. They are more likely to 
want to use it for
3a Port scanning others
3b Sending bulk commercial email
3c Controlling others doing 3a or 3b.

Now, how would you set about getting control of lots of boxes?
Port scanning is easy, and you don't have to find Linux users - your 
port scanner just enumerates open ports and then you mount attacks based 
on what you see. Or, you have a bunch of attacks and you just try them 
all (the victim will be less likely to notice a port scan).

Phishing and similar will get a fairly low response rate: if you agree 
Linux users comprise about 5% of the universal set (probably generous), 
KDE about half of those, and maybe half of those don't use Konqueror 
because they don't like it....

It's not impossible, of course, and it may well be that a website 
targeting Konqueror exists, but if I had one, it would be detecting the 
browser and returning content particular to that browser, and that means 
Internet Exploder users would be much more at risk.

You can argue with my numbers (easily, they're mostly guesses), but I 
don't think they're too wildly wrong, but the point that matters most is 
that Linux users aren't a prime or easy target, and the fact these 
critical problems exist does not mean that anyone actually targets them.

Which isn't to say they shouldn't be fixed ASAP, and Linux vendors are 
pretty good there.



-- 

Cheers
John


do not reply off-list



