Ubuntu FTW!

M

milkweg

[H]ard|Gawd
Joined
Sep 6, 2007
Messages
1,523
Vista did pretty good too though. Had to add that because I was afraid of getting flamed by the Microsoft employees here.

http://www.theregister.co.uk/2008/03/29/ubuntu_left_standing/

"The better take-away is that exploits like these are a fact of life for everyone no matter what kind of machine they choose (are you listening, Mac Guy?). Another lesson: just as quickly as Microsoft or any other developer adds new measures like page protection to their code base, hackers, ethical and otherwise, are find ways to work around them."
 
milkweg said:
Vista did pretty good too though. Had to add that because I was afraid of getting flamed by the Microsoft employees here.
Click to expand...

And I am not one of them, but I must say the finger pointing here goes to Adobe. If they made flash for Linux, you wouldn't be safe anywhere. ;)
 
I thought this comment to that article was the most interesting one:

IE on Vista by default runs under a low-privilege account. Basically all it can do is to access the web and write to a secluded cache on disk. It cannot read or write files anywhere else, not even from/to the logged on user who launched IE. This is called protected mode.

Now, sometimes users need to download and save files and/or upload files (photos etc). To this end Vista uses a "broker process" (called ieuser.exe in the task manager), This broker process implements a few functions such as file saving and reading. The broker process talks to the plugins, which can request its services, but they cannot control it. Even if a plugin is vulnerable to an exploit and the entire IE process is pwned, it is still limited in what it can do by this design.

Linux (Ubuntu) does not have anything akin to this. On the typical Linux Firefox executes under the logged-in users account. If FF gets pwned your userspace is owned and the process may delete/change/ftp your files away. I believe that the same is the case of OS/X.

The Vista model is clearly more secure than running the browser under your own account.

So how did this pwnage of Vista happen, you ask? Because Adobe in their wisdom decided that the standard broker process did not meet their needs. For some reason (documented in the flash "type library") the broker process can read/write/create/delete files and launch applications! (go figure). Such a broker process effectively circumvents *any* security precautions imposed by the protected mode. So, the *extra* security of IE does not help one iota when plugin developers are this stupid. When you do something like this you'd better A) absolutely limit the functionality implemented by the broker process and B) audit the living daylight out of that inherently risky code. I still cannot fathom why Flash should be able to launch applications.

But fact remains that the same APIs exists in Flash on *all platforms*. On Vista it does sits outside the plugin (to break out of the sandbox).

That is why the winner of the Vista machine was confident that he could have used it on Ubuntu or OS/X as well. It was a Flash vuln. Cross platform. He didn't gain admin rights; he just got to execute a process as the logged-on user. All the platforms are vulnerable to this.

But the same API is available.

BTW, the "broker process" on vista is called "Flash Helper" in the task manager. That's accurate, I suppose. It just leaves out that the ones it is helping are the blackhats.
Click to expand...
 
xxEIEIOxx said:
And I am not one of them, but I must say the finger pointing here goes to Adobe. If they made flash for Linux, you wouldn't be safe anywhere. ;)
Click to expand...
It amazes me how bad Flash has gotten since Macromedia was bought out.
 
Another quote from the same article:
Plenty of commentators have made hay of the MacBook Pro being the first to exit the race, and Linux zealots are sure to conclude the contest results prove the superiority of that platform. Maybe. But that's not how it looks to Macaulay, who says with a few hours of tweaking, his exploit will also work on OS X and Linux.
Click to expand...
:rolleyes:
 
That's why I have flash blocked in FF except for sites I trust. I told people on another web forum once that Flash is a security risk and they flamed me and refused to believe me. Two days later a major exploit in Flash was made public. BTW, there is Flash for Linux. I had it installed in Ubuntu for FF so I could view Youtube.
 
Bottom line: Vista performed EQUALLY to Ubuntu here. It gave up user-level access. (But a ton better than that "revolutionary" Leopard system giving up full control)

The issue with it is that Vista should have done BETTER on security than Ubuntu here, but Adobe compromised that.

I know people complain Microsoft already imposes too many restrictions, but I think some more are needed here... If your plugin can't work in the security model provided- screw you...
 
milkweg said:
That's why I have flash blocked in FF except for sites I trust. I told people on another web forum once that Flash is a security risk and they flamed me and refused to believe me. Two days later a major exploit in Flash was made public. BTW, there is Flash for Linux. I had it installed in Ubuntu for FF so I could view Youtube.
Click to expand...

Yes, it seems that every time you turn around there is an exploit for Flash and/or Quicktime. Firefox + NoScript ftw.
 
I just wish they would have done the same with a FreeBSD machine. I am guessing it would have been the same results as the linux box. But then again OSX basicly derived from BSD from my understanding so it could have had the same results as OSX as well. Guess we will never no.
 
Yes, OSX is a Unix OS and is BSD with some Mac in-house tweaking. I've never used it but my guess is that they had to lower security to make it more user friendly.
 
bigdogchris said:
Have you guys noticed a difference between x64 or x86 IE? My vista x64 system has been down due to CPU being bad so I never really had the chance to see if one was quicker.
Click to expand...

I believe x64 is faster. Just cutting out all the flash junk makes it quicker in itself.

I personally still use x86 though. Got tired of having to fire up x86 on occasion for those websites that need flash. That, and things like spell checkers, and other browser plugins, don't work in the x64 version.
 
TechieSooner said:
I believe x64 is faster. Just cutting out all the flash junk makes it quicker in itself.

I personally still use x86 though. Got tired of having to fire up x86 on occasion for those websites that need flash. That, and things like spell checkers, and other browser plugins, don't work in the x64 version.
Click to expand...

Agreed. x64 is just hard to use when nobody is doing anything for it. I am anxious to see the day when there are some working add-ons.
 
I would use IE7x64 if it had flash but like someone mentioned above, I get tired of launching x86 just for a few sites.
 
You must log in or register to reply here.
Back
Top