Whats with the KDE exploit? Is Fedora patched?

Tue Jan 24 16:02:26 UTC 2006

On 1/24/06, John Summerfied <debian at herakles.homelinux.org> wrote:
> Dotan Cohen wrote:
> > I know that News.com is one of those Microsoft cronies, but I quote:
> > "A serious vulnerability has been found in the popular KDE open-source
> > software bundle. The flaw, deemed "critical" by the research outfit
> > the French Security Incident Response Team, could allow a remote
> > attacker to gain control over vulnerable systems."
> >
> >>From here:
> > http://news.com.com/KDE+flaws+put+Linux,+Unix+systems+at+risk/2110-1002_3-6029297.html
> >
> > I'm not subscribed to fedora security lists, I'll go sign up now, but
>
> That's probably more imortant than this one:-)
>
> > I'd like a little info from you guys, as I trust you (certain names
> > like Dalloz, Rahul and others come to mind). Thanks.
>
>
> Now the dust has settled a little, I'll make some points:
> 1. On Linux one normally has a choice of browsers, and a lot of Linux
> people don't use Konqueror.
> 2. The attacker has to get you to visit their site. Typically, this
> would be from a phishing attack or an offer of software that does more
> than the docs say (think trojan) or similar mass coercion.
>
> I'd guess that "remove me," "buy now" links and links to external images
> would provide the vectors. Rmail clients I've seen on Linux default to
> no downloading external images.
>
> 3. A successful attack means, at worst, a stranger gets to run malicious
> code with your privileges. Unless you do stuff as root, their chances of
> taking over your machine aren't great (provided you're reasomably
> current with your patches). Potentially, they could get some financial
> details including passwords, and email address. They are more likely to
> want to use it for
> 3a Port scanning others
> 3b Sending bulk commercial email
> 3c Controlling others doing 3a or 3b.
>
> Now, how would you set about getting control of lots of boxes?
> Port scanning is easy, and you don't have to find Linux users - your
> port scanner just enumerates open ports and then you mount attacks based
> on what you see. Or, you have a bunch of attacks and you just try them
> all (the victim will be less likely to notice a port scan).
>
> Phishing and similar will get a fairly low response rate: if you agree
> Linux users comprise about 5% of the universal set (probably generous),
> KDE about half of those, and maybe half of those don't use Konqueror
> because they don't like it....
>
> It's not impossible, of course, and it may well be that a website
> targetting Konqueror exists, but if I had one, it would be detecting the
> browser and returning content particular to that browser, and that means
> Internet Exploder users would be much more at risk.
>
> You can argue with my numbers (easily, they're mostly guesses), but I
> don't think they're too wildly wrong, but the point that matters most is
> that Linux users aren't a prime or easy target, and the fact these
> critical problems exist does not mean that anyone actually targets them.
>
> Which isn't to say they shouldn't be fixed ASAP, and Linux vendors are
> pretty good there.
>
> Cheers
> John
>

Are you kidding? this was fixed two days before I heard about it. WMF
was fixed a week after I heard about it.

http://technology-sleuth.com/technical_answer/why_are_internet_greeting_cards_dangerous.html