Update Flash to 10.1?
Gullible Jones

Joined: 13 Apr 2009
Posts: 6

Posted: Tue 27 Jul 2010, 03:03    Post subject: Update Flash to 10.1?

Puppy 501 currently uses Flash 10.0.

This version of Flash is afflicted with a HUGE security hole. An infected Flash applet can immediately compromise a machine with no user interaction at all. Since Puppy has root as the default login, it's possible to install keyloggers and all kinds of other nice things, again with no user interaction.

Now granted, most of the machines I'd consider installing Puppy on are too old to handle Flash, so it's not like they'd ever fall victim. But still, I think it's more than a little shortsighted to not fix such a critical vulnerability.

- For people who use Puppy as a live CD, the integrity of the live system could be compromised through infected Flash applets. People who use Puppy live for financial stuff might not be safe.

- For people who have Puppy installed to their hard drives, the consequences are fairly obvious. It can no longer be considered safe, unless Flash is disabled.

Now I'm not exactly a fan of the single user approach of Puppy... But I will say this - it succeeds wildly where no other Linux distro does in one area, and that area is combining excellent user friendliness with low resource consumption. It is basically the only Linux I would even think of installing on a Pentium II era machine for a novice user. Everything else is either far too slow or far too complicated.

In other words... I really want this project to succeed. But to succeed, I think the developers need to take security very seriously; and since Puppy runs as root by default, which means much fewer barriers against getting hacked than in most distros, that means keeping everything up to date.

Apologies if this post is somewhat incoherent, it's 3:00 AM and I'm tired. I'd just like to see this security hole taken into consideration.
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15117
Location: Paradox Realm

Posted: Tue 27 Jul 2010, 05:51

Quote:
Since Puppy has root as the default login, it's possible to install keyloggers and all kinds of other nice things, again with no user interaction.


It is?
How? Rolling Eyes
Even if patched, Flash includes actionscript
Most browsers also run javascript, just as much potential.

So what is the name of the Linux keylogger
that runs from actionscript or javascript?
Where is it downloaded, how are the permissions changed? Very Happy

Also let us know of anyone or any software specifically
targeting the impoverished hordes of Puppy geeks
running as root and still safe from their own nemesis (themselves). Shocked

I realize you are new here
and may benefit from this FUD link
http://www.murga-linux.com/puppy/viewtopic.php?p=398158#398158

Welcome to the kennels. Smile

Puppy Linux
The root of all fun

_________________
Puppy WIKI
disciple

Joined: 20 May 2006
Posts: 6447
Location: Auckland, New Zealand

Posted: Tue 27 Jul 2010, 06:23

Personally I would like Puppy to be truly multiuser... but all the computers I have control over would always run as root Smile

If Flash runs as root I guess that does sound bad. But does it? And are there real life examples of Puppy machines being exploited in this way? Or other machines? It would be nice if you could provide some references for all this...

Updating Flash might be a good idea in this case, but you need to be careful - Flash is buggy, unstable rubbish, particularly on Linux, so you need to identify and avoid versions that are even more unstable than usual. Or avoid Flash altogether, for a much more enjoyable life Smile

Quote:
But to succeed, I think the developers need to take security very seriously

People who don't like Puppy like to rant about running as root, but it really isn't an issue for the vast majority of users. If by your measure Puppy isn't succeeding at reaching the masses, there are some clear contributing factors (lack of a proper repository, marketing budget=0...), but security isn't one of them.

_________________
DEATH TO SPREADSHEETS
- - -
Classic Puppy quotes
- - -
Beware the demented serfers!
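
An added example, not part of the post above or of the thread: one way to answer the "does Flash run as root?" question on a running system is to find the processes that have the plugin library mapped and read their effective UID from /proc. `libflashplayer.so` is the file name of Adobe's Linux plugin; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reports which processes have the Flash plugin mapped and the
# effective UID each one runs under (0 = root).

# flash_euids [proc_root] [library_name] -> lines of "pid euid name"
flash_euids() {
    proc_root=${1:-/proc}
    lib=${2:-libflashplayer.so}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        # maps lists every file-backed mapping, including loaded plugins
        grep -q -F "$lib" "$dir/maps" 2>/dev/null || continue
        # "Uid:" fields are real, effective, saved, filesystem
        euid=$(awk '/^Uid:/ {print $3}' "$dir/status" 2>/dev/null) || continue
        name=$(awk '/^Name:/ {print $2}' "$dir/status" 2>/dev/null) || continue
        printf '%s %s %s\n' "${dir##*/}" "${euid:-?}" "${name:-?}"
    done
}

# root_flash_count [proc_root] [library_name] -> how many of them have euid 0
root_flash_count() {
    flash_euids "$@" | awk '$2 == 0 { n++ } END { print n + 0 }'
}

# Constructed sample tree (not real data): pids 101 and 102 map the plugin
# under euid 0 and 502, pid 103 runs as root without it.
make_sample_proc() {
    root=$(mktemp -d)
    for spec in "101 0 firefox-bin yes" "102 502 seamonkey-bin yes" "103 0 jwm no"; do
        set -- $spec
        mkdir "$root/$1"
        printf 'Name:\t%s\nUid:\t%s\t%s\t%s\t%s\n' "$3" "$2" "$2" "$2" "$2" \
            > "$root/$1/status"
        if [ "$4" = yes ]; then
            echo "b6e00000-b7a00000 r-xp 00000000 08:01 1234 /usr/lib/mozilla/plugins/libflashplayer.so"
        else
            echo "08048000-08060000 r-xp 00000000 08:01 99 /usr/bin/jwm"
        fi > "$root/$1/maps"
    done
    echo "$root"
}
```

Calling `flash_euids` with no arguments scans the live /proc; run it as root so the maps files of every process are readable.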
Gullible Jones

Joined: 13 Apr 2009
Posts: 6

Posted: Tue 27 Jul 2010, 11:20

Hmm, hadn't thought of the Java/Actionscript end of things. How difficult then would it be to write a drive-by malware installer for Linux, using a combination of e.g. a Java applet and a privilege elevation vulnerability? (Or, since we're talking about single user distros, just a Java applet?)

Re the Flash vuln, my understanding is that it was arbitrary code execution. So code could be run that would download a package, chmod +x it, and then run it, for instance, without the user's permission.

Re avoiding Flash, that's often impossible unfortunately. Gnash would be nice if it worked, but it doesn't; and Lightspark, though promising, has SERIOUS hardware compatibility issues right now - as far as I can tell it won't work on anything Intel, and I'm not buying a GeForce just to run Flash content. Youtube clients are nice, but they don't work on e.g. blogs with Flash content. Downloaders are nice, but they don't work on random sites with Flash content either, and you have to download the whole video before watching it. You get the idea.
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15117
Location: Paradox Realm

Posted: Tue 27 Jul 2010, 16:51

Quote:
Hmm, hadn't thought of the Java/Actionscript end of things. How difficult then would it be to write a drive-by malware installer for Linux, using a combination of e.g. a Java applet and a privilege elevation vulnerability? (Or, since we're talking about single user distros, just a Java applet?)


Hi Gullible
As you are probably aware java <> javascript
They are different languages and Puppy does not use java by default
So Puppy is completely invulnerable to a java based 'privilege elevation vulnerability' (whatever that is)

Quote:
Re the Flash vuln, my understanding is that it was arbitrary code execution. So code could be run that would download a package, chmod +x it, and then run it, for instance, without the user's permission.


Cool - if it exists . . .
Do you know of any Flash sites that do this? I would love to visit.
Do they download and activate key loggers especially for penguins?
Do they do this invisibly too?

Quote:
Re avoiding Flash, that's often impossible unfortunately.


Sad but true, unless using an ipad
where it is a feature. Wink
'Updating' Adobe Flash, as has been pointed out,
sometimes introduces more problems than it secures.

Roll on HTML 5 Smile

_________________
Puppy WIKI