Re: Email based attack on University

To: debian-user@lists.debian.org
Subject: Re: Email based attack on University
From: Andy Smith <andy@strugglers.net>
Date: Mon, 7 Oct 2019 03:21:24 +0000
Message-id: <[🔎] 20191007032124.GJ1278@bitfolk.com>
In-reply-to: <[🔎] 201910030805.27997.rhkramer@gmail.com>
References: <[🔎] dc2186e3-138a-ba0e-3243-fd7766b24db2@gmail.com> <[🔎] abe6bd35-d6ea-d760-80f6-257ba6983e99@gmail.com> <[🔎] 9cfae1b9-ddab-06d3-3212-c973644450b6@affinityvision.com.au> <[🔎] 201910030805.27997.rhkramer@gmail.com>

Hello,

On Thu, Oct 03, 2019 at 08:05:27AM -0400, rhkramer@gmail.com wrote:
> On Thursday, October 03, 2019 06:23:20 AM Andrew McGlashan wrote:
> > There have been numerous bugs with LookOut (otherwise known as
> > Outlook), running scripts and having other vulnerabilities due to
> > preview pane being open.

[…]

> I suppose then, that the same vulnerabilities that you allude to
> are present in (at least older versions of) kmail?

I think it's important to realise that large organisations tend to
enforce a monoculture of office productivity and email applications.
These tend to be large and complex software packages which harbour
many bugs and opportunities for security compromise.

There have been many incidents of the large office suites having
flaws that execute content, even sometimes without any user action
beyond some sort of email preview. This will continue to happen.
Web-based email may even have a better security story, as the
browser security model has at least had a lot of thought applied to
it over time as opposed to standalone large executables.

Realistically therefore, if there was an enterprise mandating a
Linux desktop and mail package to all its users, we probably would
still continue to find security bugs in that email application that
did not rely on the user following a link or maybe not even
explicitly opening a media attachment. You would have to assume such
bugs are present, though possibly as yet undiscovered. Every large
monoculture installation is waiting for their own specific 0-day
exploit.

As previously noted in this thread, blocking execution from the
/home filesystem tree would not help here as in this case it would
either be the email application or a media handler it launches doing
the executing.

There are other security features available in Linux, such as
SELinux and AppArmor, which seek to limit the privileges of
binaries. Conceivably a rigorous use of these could really lock down
a desktop and productivity suite to be much harder to break into.
For example, a media viewer/player could be restricted from writing
to the filesystem or making network calls.

My experience is that very few organisations are willing to spend
the time to define such policies, and in truth I rarely do either,
much beyond what comes as default with the OS. Some even disable
them entirely. But at least the feature is there, and that's the
sort of thing that would be worth exploring if someone is seriously
wanting to lock down this sort of big desktop deployment.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

Reply to:

References:
- Email based attack on University
  - From: Keith Bainbridge <keithrbau@gmail.com>
- Re: Email based attack on University
  - From: Keith Bainbridge <keithrbau@gmail.com>
- Re: Email based attack on University
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: Email based attack on University
  - From: rhkramer@gmail.com

Prev by Date: Re: Default Debian install harassed me
Next by Date: Debian 10 Installation &Multi-Boot
Previous by thread: Re: Email based attack on University
Next by thread: Re: Email based attack on University
Index(es):
- Date
- Thread