risk

Andy Green andy at warmcat.com
Wed Jul 13 16:34:38 UTC 2005


Mike McCarty wrote:

| I have ADSL connections, with a D-Link wireless router between
| my box and the ADSL modem. I have disabled the wireless part
| of the router, and removed its antenna. Only the one machine
| is actually connected to the router. I use Mozilla (cookies disabled,
| java disabled) and Thunderbird (use server connections).
|
| So, what is my "vulnerability"?
|
| This is a serious question.

Well the recent libz vuln will allow merely browsing to an evil site to
take over your machine with your main user account privs by sending you
a poisonous .png.  Unless you have updated your libz with the security
update.  Even then anything else with libz compiled in statically is
vulnerable.  And how do you create such a canonical list of apps when
the (small, for zlib) sources may be composed into the app itself?  So
there is only a probability of safety eaten away by uncertainty; you can
never prove there are no vulns, so you can never really be certain of
safety.  Particularly, all Fedora installs could be compromised by
tampering with upstream source distributions... you can't disprove it
(and let's hope nobody ever proves it!).

"Mozilla" is a giant teetering edifice of ever-changing code that you
have never seen, piled on top of megabytes of libraries you never heard of
and do not even have the source for on your machine.  You have no idea
what that composite mishmash is going to REALLY do when you run it; if
it comes up with a browser, you assume all is well.  But you (and the
rest of us as users) really know NOTHING about the true list of things
it does that might expose you to danger.  We certainly have no idea of
all the hands that particular source tree (and that of the libs) has
been through before the guy at Redhat compiled and signed it.  We can't
know all the vulns like zlib buffer overflows that are yet to be found.

Really the only way to cope with this is to accept that you could have
been compromised at any time - already.  Not to assume you are safe
because you turned off this or that feature.

-Andy
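The point above about statically compiled zlib copies escaping a library update can at least be checked for. This is an added example, not code from the post or the list: a Python script that scans a directory for the "inflate 1.2.x Copyright ..." / "deflate 1.2.x Copyright ..." banner strings that zlib's own sources embed (and which survive static linking), and lists binaries whose embedded version is older than a patched version you pass on the command line. The banner regex, the function names and the sample bytes used to exercise it are my assumptions; the page names no fixed version, so that stays a parameter.

```python
#!/usr/bin/env python3
"""Added example: list binaries carrying their own (possibly outdated) zlib.
zlib's deflate.c/inflate.c embed banners like ' inflate 1.2.x Copyright ... Mark Adler '
that survive static linking, so a byte scan finds copies a package update misses."""
import os
import re
import sys

# Banner format assumed from zlib's deflate.c / inflate.c sources.
ZLIB_BANNER = re.compile(rb"\b(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")

def version_tuple(version: str) -> tuple:
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def find_bundled_zlib(blob: bytes) -> list:
    """Sorted, de-duplicated (kind, version) pairs of zlib banners in a byte blob."""
    return sorted({(m.group(1).decode(), m.group(2).decode())
                   for m in ZLIB_BANNER.finditer(blob)})

def vulnerable_versions(blob: bytes, fixed: str) -> list:
    """Embedded zlib versions older than the patched release `fixed`."""
    floor = version_tuple(fixed)
    return sorted({v for _, v in find_bundled_zlib(blob) if version_tuple(v) < floor})

def scan_tree(root: str, fixed: str) -> dict:
    """Map path -> outdated embedded zlib versions for readable files under root."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # whole-file read; fine for a /usr/bin-sized tree
                    old = vulnerable_versions(fh.read(), fixed)
            except OSError:
                continue  # unreadable, special or vanished file: skip it
            if old:
                report[path] = old
    return report

if __name__ == "__main__":
    # usage: scan_zlib.py <directory> <patched-zlib-version>
    root, fixed = sys.argv[1], sys.argv[2]
    for path, old in sorted(scan_tree(root, fixed).items()):
        print(f"{path}: bundled zlib {', '.join(old)} older than {fixed}")
```

Binaries that strip or rewrite the banner will be missed, so a clean report means "no banner found", not "no bundled zlib".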