Posted on 12/15/2004 7:00:59 AM PST by holymoly
Ping
Ping
What! A security alert for the impenetrable Mac and Linux OSs, say it isn't so.
You would then keep all your important stuff on a separate user account that you never connect to the internet with.
Still a bit of a hassle but maybe it's come to that.
That Ethereal bug is fascinating. To think that it could get nailed by a malformed packet - how odd.
With the low cost of computers these days, maybe you should even set up a separate Internet browsing PC. Collected, sanitized information from the Internet could then be transferred over a secure home network to your actual work PC. If your Internet PC gets blown up by a virus, just rebuild it from a Ghost image on a removable hard drive and keep going. The work PC never gets affected.
Except it's not a flaw in Linux, it's a flaw in a vendor-supplied program. And it will only affect my user - oh no, you executed arbitrary code on my computer as user 'pcg'! Horror! I might lose my ENTIRE mozilla cache! Or maybe those .tar.gz files I could download again from the Internet!
Besides, who uses Acrobat Reader in Unix these days with gpdf and xpdf and similar? *yawn*
That's the thing that always gets me. People always make a big deal about how the malicious code only affects the files in the user account. Those are the only files that matter!
I can reinstall the OS, the application code, all the admin level stuff. It's all on disks supplied to me. But all the unique stuff, everything the user has ever created is by definition accessible to code that has user level permission. I guess in a multiuser environment you can be consoled that only one user gets screwed.
Maybe there are a lot of people that just use their computer as a dumb terminal for connecting to the internet. But I have financial records, web design templates/graphics, reports I've written for graduate school, tons of programming/scripting examples I keep for reference, digital photos, etc. I keep backups of most of this because this is the stuff that matters!
Slightly OT, but does anyone know how to report malware to MS? I had a colleague (so I thought anyway) send me a jpg by email the other day that was a bit more than it appeared. I did all of the standard stuff...checked extensions before opening, virus-scanned it, etc, and it came up clean, but when I opened it my entire system crashed HARD (explorer GPF'd...something I haven't seen Windows do in years). I ended up having to power-cycle a reboot. When my machine came up clean on a subsequent virus/malware scan, I checked it out a bit more (hey, I'm a computer programmer, so I have a bit of appreciation for a well written, non-destructive hack). I saved the file onto my desktop and when I minimized Outlook to start checking it out...without even opening the file...the system GPF'd again and had to be rebooted. I couldn't even log in to delete the file without it crashing my computer within moments. Booted into safe mode...same thing again.
I ended up having to dust off my boot floppy and delete the file from the command line to get rid of it. A little postmortem seemed to indicate that the JPEG was exploiting some kind of flaw in the feature that Win2k and WinXP utilize to draw a thumbnail of an image to use as its icon. I'm fully patched up and am pretty sure that this isn't a known bug, but I don't know where this should be reported to. I knew how to delete it, but others may not be so lucky.
Uh, you do back up your data, don't you? If not, you're waiting to get nailed. It could be something malicious, or a power outage, but you'll buy the farm (computationally speaking) eventually.
Rogue userspace programs are a heck of a lot less dangerous to your system than programs that can set up a spammer daemon, or randomly start attacking other systems on your network.
This is the problem with most Windows installations. Far too much code effectively runs as administrator, so when subverted, it is far more dangerous.
I bet the Ethereal bug applies to the Windows version. I couldn't imagine a Linux version of Ethereal having such a bug. If it is the Windows version, I believe they warn that Ethereal running on Windows isn't entirely stable... it's been a while since I've downloaded it for Windows, so I could be mistaken.
Exactly. Sure, permissions can help protect against esoteric attacks like replacing system libraries, but for simple stuff like wiping all your documents, or worse, emailing them to somebody in Russia, you don't need any elevated privileges.
The only solution I can see is fine-grained access controls for all applications. If something claims to be a password management utility, it has no business even looking in my address book, let alone opening network connections, and the OS should enforce that.
Nobody claims Linux and Macs are impenetrable, except the strawmen in the minds of Windows advocates.
Uh, if you happen to look at the last sentence in my reply you will see:
"I keep backups of most of this because this is the stuff that matters!"
Exactly. Which is why I also keep backups. But who wants to bother with that whole silly tape or backup hard drive thing - I just back up to my server on the Internet and let THOSE tape backups do their thing, just in case.
I've had one desktop go into storage and two laptops go completely kaput (no little annoying buffer overflow/malicious code injection, but completely dead) in the last couple of years. Never lost a thing. Never had more than about 10 minutes (while I reinstalled Linux) without all of my files. It's a beautiful thing.
BTW, you're right here - user-level permission is enough to wreak havoc on a system. You're also right about the multiuser environment, and I've had to be consoled when one dumb user has his password guessed on our multiuser work machine. So I *am* coming at it from a slightly different perspective...
I'm just poking a little fun at the users of these "superior" alternative OSs. Remember, Bill Gates is the devil, and one can only achieve true enlightenment through Linux or OS X. Actually, operating systems and their vulnerabilities would be almost a non-issue if people would learn a simple golden rule: if it's important to you, save it to disk.
I don't keep large amounts of data on my hard drive and never have, but if I did I would get a large external hard drive and just unplug it when not in use. Or if you have an old computer lying around the house, just use it for stuff you don't need internet access for. You could easily transfer data to it via CDR or other removable media and virus/spyware scan it at both ends. You could even hook both up to a switcher and run them side by side with one monitor, keyboard and mouse.
BUMP!