Re: flashplugin-nonfree get-upstream-version.pl security concern
On Thu, 13 Dec 2012, Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Plus, installing Flash opens the Pandora's box anyway

When a user runs a web browser that calls the Flash plugin then that user
session is exposed to the risk of a compromised Adobe web site etc.  When the
user visits a potentially hostile web site they are exposed to the risk of
compromise via a potential bug in the Flash plugin.

But in all cases installing the package should not give a risk of root
compromise.  If there is a path from installing the Flash plugin (or any other
package that downloads files) to a root compromise that doesn't involve a
kernel bug then it's a bug that needs to be fixed.

Admittedly most Linux workstations are single-user systems nowadays which
means that a user compromise gives almost all the benefits to the attacker of a
root compromise.  But even so vulnerability to user compromise is no reason to
be less vigilant about a potential root compromise.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/