Re: flashplugin-nonfree get-upstream-version.pl security concern
On Thu, 13 Dec 2012, Moritz Mühlenhoff <jmm@inutil.org> wrote:
> Plus, installing Flash opens the Pandora's box anyway

When a user runs a web browser that calls the Flash plugin then that user
session is exposed to the risk of a compromised Adobe web site etc. When the
user visits a potentially hostile web site they are exposed to the risk of
compromise via a potential bug in the Flash plugin.

But in all cases installing the package should not give a risk of root
compromise. If there is a path from installing the Flash plugin (or any other
package that downloads files) to a root compromise that doesn't involve a
kernel bug then it's a bug that needs to be fixed.

Admittedly most Linux workstations are single-user systems nowadays which
means that a user compromise gives almost all the benefits to the attacker of a
root compromise. But even so vulnerability to user compromise is no reason to
be less vigilant about a potential root compromise.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/