
Re: risk



Andy Green wrote:


Mike McCarty wrote:

| I have ADSL connections, with a D-Link wireless router between
| my box and the ADSL modem. I have disabled the wireless part
| of the router, and removed its antenna. Only the one machine
| is actually connected to the router. I use Mozilla (cookies disabled,
| java disabled) and Thunderbird (use server connections).
|
| So, what is my "vulnerability"?
|
| This is a serious question.

Well the recent libz vuln will allow merely browsing to an evil site to
take over your machine with your main user account privs by sending you
a poisonous .png. Unless you have updated your libz with the security
update. Even then anything else with libz compiled in statically is
vulnerable.

Ok, let's suppose for a moment that, while I'm a fairly intelligent guy, I'm pretty ignorant of Linux internals. Could you give me something a little more intelligible? What is a poisonous .png? I'm using the latest FC2. How can I tell whether I have updated my libz? I used up2date up to the point where FC2 was no longer being updated.

And how do you create such a canonical list of apps when
the (small, for zlib) sources may be composed into the app itself?  So
there is only a probability of safety eaten away by uncertainty, you can
never prove there are no vulns so you can never really be certain of
safety.  Particularly all Fedora installs could be compromised by
tampering with upstream source distributions... you can't disprove it
(and let's hope nobody ever proves it!).

I didn't ask how one can prove one is secure. Proving a universal is universally impossible.


"Mozilla" is a giant teetering edifice of ever-changing code that you

Oh, come now. If you take that attitude, then Linux and the FSF code are pretty much the same. With that attitude, selinux is the same. Have *you* looked at all the code in Linux? Have you read and verified the selinux source? Obviously not. Otherwise there wouldn't be reports against it.

[snip]

Mike

--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
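A defender-side check for the "libz compiled in statically" point raised above, added here and not part of the thread: the script scans files for the copyright string that zlib's inflate code embeds ("inflate X.Y.Z Copyright ... Mark Adler") and reports the version each file carries, so copies the package manager does not know about can be compared with the patched package version. It assumes that string format and, for the installed package version, that rpm is available.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Finds zlib inflate
# code embedded in binaries (static copies or the shared library itself)
# by its copyright string and prints the version each file carries.

# Print "<path>: <version>" for every regular file under the given
# directories that contains a zlib inflate version string. A version
# older than the patched zlib package is a copy the update did not fix.
find_embedded_zlib() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while read -r f; do
            # grep -a treats binaries as text; the regex follows zlib's
            # own inflate_copyright string, e.g. "inflate 1.2.1 Copyright"
            ver=$(grep -a -o -E 'inflate [0-9]+\.[0-9]+(\.[0-9]+)? Copyright' "$f" 2>/dev/null \
                  | head -n 1 | awk '{print $2}')
            if [ -n "$ver" ]; then
                echo "$f: $ver"
            fi
        done
    done
}

# Version of the packaged zlib, for comparison (RPM-based systems such as FC2).
installed_zlib_version() {
    rpm -q --qf '%{VERSION}\n' zlib 2>/dev/null
}

# Usage: sh this_script.sh /usr/bin /usr/lib /usr/local
if [ $# -gt 0 ]; then
    echo "packaged zlib: $(installed_zlib_version)"
    find_embedded_zlib "$@"
fi
```

Files reported with a version below the packaged one (or reported at all when no zlib package is installed) carry their own inflate code and need rebuilding or replacing rather than a libz update.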

