arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing/ >If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.
>The zero-day exploits, which Evans published on Tuesday, are the latest to challenge the popular conceit that Linux, at least in its desktop form, is more immune to the types of attacks that have felled Windows computers for more than a decade and have increasingly snared Macs in recent years.
>While Evans' attacks won't work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.
Mbox is "more secure" using ptrace but it's slower because of it. There's also nothing stopping you from running a vanilla kernel.org kernel that matches the GrSec test patch version and at least using MPROTECT and other basic mitigations.
If you want an incredible secure OS outside of Hardened Gentoo or SubgraphOS then you want Windows with sandboxie and EMET. Last couple of years they put significant OpenBSD protections into their kernel stack (which is why they donate money to them) and they're all on by default, no custom kernel or knob twiddling needed. They (MicroSerf) also paid a shit load of money for manual auditing according to the guy who used to run matasano, and they formally verified all their drivers with proofs of correctness to avoid crashes and exploits.
tl;dr if you're a pleb, Windows (w/Sandboxie + EMET) is the safest OS you can use.
Xavier Sanchez
>ctrl+f gstreamer >1 match >ctrl+f linux >14 matches
it's like Sup Forums cares more about os wars than tech, huh weird
Elijah Cooper
>NIGGERS
Wyatt Howard
>Chrome lmao
Austin Hernandez
A dictionary written by a committee of non-experts appointed by fucking no one has no business in writing definitions for expert topics.
Jacob Cox
The asstechnica still can hire them.
Jackson Gutierrez
>Chris Evans Didn't know that ginger twat could even use computers
David Hernandez
which is a dependency for basically ffmpeg and hardware video acceleraton libraries. So mpv, vlc, totem, blender, vdpau , intel/mesa-va drivers, the list goes on. libgme0 Reverse Depends: libgme-dev libgme-dev libavformat-ffmpeg56 gstreamer1.0-plugins-bad xmms2-plugin-gme qmmp mpd libavformat-ffmpeg56 gstreamer1.0-plugins-bad
Shit-tonnes of software depends on libavformat-ffmpeg56.
Jose Evans
Already patched on Debian and probably the rest as well.
Julian Hall
Linux is often considered more secure? Why?
Tyler Richardson
>I don't know know how dictionaries work And yet you give your opinion. We'll done. This just in, all software ever made is vulnerable to some extent.
William Morales
You just need to not use a DE that would touch those files
I.e.use dwm and gtk2 only
Gnkme-tracker and gnome totem is shite
Xavier Jackson
DESKTOP FAGS BTFO
Juan Myers
> Proofs? JUST FUCKIN' DOWNLOAD THE FILE AND EXECUTE. THE PROBLEM ISN'T THE BROWSER, dumbass
James Long
~ pacman -Ss libgme extra/libgme 0.6.0-5 Video game music file emulation/playback library
~ pacman -Qi ffmpeg Name : ffmpeg Version : 1:3.2.2-1 Description : Complete solution to record, convert and stream audio and video Architecture : x86_64 URL : ffmpeg.org/ Licenses : GPL3 Groups : None Provides : libavcodec.so=57-64 libavdevice.so=57-64 libavfilter.so=6-64 libavformat.so=57-64 libavresample.so=3-64 libavutil.so=55-64 libpostproc.so=54-64 libswresample.so=2-64 libswscale.so=4-64 Depends On : alsa-lib bzip2 fontconfig fribidi glibc gmp gnutls gsm jack lame libavc1394 libiec61883 libmodplug libpulse libraw1394 libsoxr libssh libtheora libva libvdpau libwebp libx11 libxcb opencore-amr openjpeg2 opus schroedinger sdl2 speex v4l-utils xz zlib libass.so=5-64 libbluray.so=1-64 libfreetype.so=6-64 libnetcdf.so=11-64 libvidstab.so=1.1-64 libvorbisenc.so=2-64 libvorbis.so=0-64 libvpx.so=4-64 libx264.so=148-64 libx265.so=95-64 libxvidcore.so=4-64 Optional Deps : ladspa: LADSPA filters [installed] Required By : aubio audacity blender chromium ffmpegthumbnailer ffms2 mpv-light obs-studio Optional For : alsa-plugins audacious-plugins gegl02 youtube-dl Conflicts With : None Replaces : None Installed Size : 28.08 MiB Packager : Maxime Gauduin Build Date : Wed 07 Dec 2016 12:47:48 AM EET Install Date : Wed 07 Dec 2016 11:53:26 AM EET Install Reason : Installed as a dependency for another package Install Script : No Validated By : Signature
not on my machine :^)
Lincoln Gonzalez
it's a gstreamer exploit
so yes, there's actually a pretty good chance as far as desktop linux is concerned
does more or less matter when we're talking about hundreds of millions of users in both cases
Jace Moore
>libavformat-ffmpeg56 is that library vulnerable or something???
Leo Hughes
>Chromium has a sandbox, default Firefox has nothing.
Easton Perez
>about:support What's the Chrome version of this?
Jack Davis
the Ubuntu exploit isn't working on my machine.
anyone got this working? how?
Brody Cook
try chrome://about
Jaxon Robinson
you need an outdated Ubuntu it was fixed yesterday
Noah Morgan
FREETARDS BTFO
Easton Moore
Pwn2Own 2016 didn't even add Firefox to the list this year because breaking out of their "sandbox" was considered too easy, only IE and Chrome(mium).
The FF pdf viewer is also a massive attack surface even with 50.9+ version.
Michael King
>breaking out of their "sandbox" was considered too easy no, nobody can hack firefox. this is why they don't even try to attack firefox
Lucas Anderson
>there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file And how would I open or browse this specially crafted music file? I have NoScript and don't listen to random soundfiles on random websites...
>While Evans' attacks won't work on most Linux servers I run Debian stable, which is considered a 'server' so...
Ryan Carter
>We'll done
Nathan Wright
Not here: [CODE]# emerge -s game-music-emu
[ Results for search key : game-music-emu ] Searching...
* media-libs/game-music-emu Latest version available: 0.6.0-r1 Latest version installed: [ Not Installed ] Size of files: 167 KiB Homepage: bitbucket.org/mpyne/game-music-emu/wiki/Home Description: Video game music file emulators License: LGPL-2.1
