Linux security

mhearn ulist at gs1.ubuntuforums.org
Sun Apr 30 15:24:08 UTC 2006


> I can only think of one attack vector where Linux is better. In
Windows

> any file with the .exe extension is executable.



However .desktop files do not require this, and can make themselves
appear to be anything they like.



There has been on-again/off-again debate on whether to fix this and
how. I don't think the +X bit achieves anything at all except confusing
users - at no point is the user given more information as why they need
to jump through this hoop, and MIME sniffing already protects somewhat
against .jpg.exe type attacks.



> After thinking hard about this, I can't really see what makes Linux
more

> secure for protecting user data besides having better applications.



Firefox has had several IE-style "instant code execution" exploits in
the past few versions. I don't think it's much safer than IE really:
they're both huge, complex codebases with extremely tight coupling
between JavaScript and the operating system, one via ActiveX and
another via XUL/XPCOM.



Currently I'd say there's nothing protecting Linux against malware and
viruses. It's easy to write a virus that say exploits one of these:



http://www.mozilla.org/projects/security/known-vulnerabilities.html



and which then hooks itself into startup scripts or the session manager
so it can relay spam or do the encrypted-document-ransom thing.



There is research going into how to use SELinux/AppArmor to help
prevent this type of thing but it's early days yet (it's an interest of
mine so I follow it closely and hope to have time to work on it myself
in future).



thanks -mike


-- 
mhearn




More information about the ubuntu-users mailing list