Update Flash to 10.1?

For discussions about security.
Gullible Jones
Posts: 6
Joined: Mon 13 Apr 2009, 22:36

Update Flash to 10.1?

#1 Post by Gullible Jones »

Puppy 501 currently uses Flash 10.0.

This version of Flash is afflicted with a HUGE security hole. An infected Flash applet can immediately compromise a machine with no user interaction at all. Since Puppy has root as the default login, it's possible to install keyloggers and all kinds of other nice things, again with no user interaction.

Now granted, most of the machines I'd consider installing Puppy on are too old to handle Flash, so it's not like they'd ever fall victim. But still, I think it's more than a little shortsighted to not fix such a critical vulnerability.

- For people who use Puppy as a live CD, the integrity of the live system could be compromised through infected Flash applets. People who use Puppy live for financial stuff might not be safe.

- For people who have Puppy installed to their hard drives, the consequences are fairly obvious. It can no longer be considered safe, unless Flash is disabled.

Now I'm not exactly a fan of the single user approach of Puppy... But I will say this - it succeeds wildly where no other Linux distro does in one area, and that area is combining excellent user friendliness with low resource consumption. It is basically the only Linux I would even think of installing on a Pentium II era machine for a novice user. Everything else is either far too slow or far too complicated.

In other words... I really want this project to succeed. But to succeed, I think the developers need to take security very seriously; and since Puppy runs as root by default, which means much fewer barriers against getting hacked than in most distros, that means keeping everything up to date.

Apologies if this post is somewhat incoherent, it's 3:00 AM and I'm tired. I'd just like to see this security hole taken into consideration.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#2 Post by Lobster »

> Since Puppy has root as the default login, it's possible to install keyloggers and all kinds of other nice things, again with no user interaction.

It is?
How? :roll:
Even if patched, Flash includes actionscript
Most browsers also run javascript, just as much potential.

So what is the name of the Linux keylogger
that runs from actionscript or javascript?
Where is it downloaded, how are the permissions changed? :D

Also let us know of anyone or any software specifically
targeting the impoverished hordes of Puppy geeks
running as root and still safe from their own nemesis (themselves). :shock:

I realize you are new here
and may benefit from this FUD link
http://www.murga-linux.com/puppy/viewto ... 158#398158

Welcome to the kennels. :)

Puppy Linux
The root of all fun
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#3 Post by disciple »

Personally I would like Puppy to be truly multiuser... but all the computers I have control over would always run as root :)

If Flash runs as root I guess that does sound bad. But does it? And are there real life examples of Puppy machines being exploited in this way? Or other machines? It would be nice if you could provide some references for all this...

Updating Flash might be a good idea in this case, but you need to be careful - Flash is buggy, unstable rubbish, particularly on Linux, so you need to identify and avoid versions that are even more unstable than usual. Or avoid Flash altogether, for a much more enjoyable life :)
> But to succeed, I think the developers need to take security very seriously

People who don't like Puppy like to rant about running as root, but it really isn't an issue for the vast majority of users. If by your measure Puppy isn't succeeding at reaching the masses, there are some clear contributing factors (lack of a proper repository, marketing budget=0...), but security isn't one of them.
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER

Gullible Jones
Posts: 6
Joined: Mon 13 Apr 2009, 22:36

#4 Post by Gullible Jones »

Hmm, hadn't thought of the Java/Actionscript end of things. How difficult then would it be to write a drive-by malware installer for Linux, using a combination of e.g. a Java applet and a privilege elevation vulnerability? (Or, since we're talking about single user distros, just a Java applet?)

Re the Flash vuln, my understanding is that it was arbitrary code execution. So code could be run that would download a package, chmod +x it, and then run it, for instance, without the user's permission.

Re avoiding Flash, that's often impossible unfortunately. Gnash would be nice if it worked, but it doesn't; and Lightspark, though promising, has SERIOUS hardware compatibility issues right now - as far as I can tell it won't work on anything Intel, and I'm not buying a GeForce just to run Flash content. Youtube clients are nice, but they don't work on e.g. blogs with Flash content. Downloaders are nice, but they don't work on random sites with Flash content either, and you have to download the whole video before watching it. You get the idea.

Gullible Jones
Posts: 6
Joined: Mon 13 Apr 2009, 22:36

#5 Post by Gullible Jones »

[Edit: double post]

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#6 Post by Lobster »

> Hmm, hadn't thought of the Java/Actionscript end of things. How difficult then would it be to write a drive-by malware installer for Linux, using a combination of e.g. a Java applet and a privilege elevation vulnerability? (Or, since we're talking about single user distros, just a Java applet?)

Hi Gullible
As you are probably aware java <> javascript
They are different languages and Puppy does not use java by default
So Puppy is completely invulnerable to a java based 'privilege elevation vulnerability' (whatever that is)

> Re the Flash vuln, my understanding is that it was arbitrary code execution. So code could be run that would download a package, chmod +x it, and then run it, for instance, without the user's permission.

Cool - if it exists . . .
Do you know of any Flash sites that do this? I would love to visit.
Do they download and activate key loggers especially for penguins?
Do they do this invisibly too?

> Re avoiding Flash, that's often impossible unfortunately.

Sad but true, unless using an ipad
where it is a feature. :wink:
'Updating' Adobe Flash, as has been pointed out,
sometimes introduces more problems than it secures.

Roll on HTML 5 :)
