
Fedora and Ubuntu 0-days show that hacking desktop Linux is now a thing - Liuser
http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing/
======
234dd57d2c8db
Neat. Some steps that I take on my desktop Linux on machines like my work
machine that mitigate this attack:

\- always run your browser in a restricted firejail. This prevents browser
exploits from reading your ssh keys. It also makes it much harder to pivot to
a root shell or maintain a persistent backdoor because the filesystem is
deleted upon jail exit.

\- don't install multimedia applications on sensitive machines. My default
install is Ubuntu Server with i3-wm, vim, git and other dev tools. No mplayer,
no vlc, no multimedia. I listen to music on my phone if I want to jam out. The
work computer is for work.

\- use snapshotted VMs for interacting with sketchy files such as word docs,
xlsx, mp3s, etc.

\- default deny rules in iptables to block inbound connections

\- static ARP entry for the default route to prevent MITM on the LAN if possible.
I do this on my work machine where the network is well known.
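
The firewall and ARP steps above, as an added example that is not part of the original comment: a POSIX shell script that emits the iptables default-deny inbound rules and the static gateway ARP pin described, and applies them only when asked. The interface, gateway IP and gateway MAC are assumed placeholder values that the operator supplies from a trusted network.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (and optionally applies)
# a default-deny inbound iptables policy plus a permanent ARP entry for the
# default gateway. Values below are constructed placeholders; override them
# from the environment with the real interface, gateway IP and gateway MAC.
IFACE="${IFACE:-eth0}"
GW_IP="${GW_IP:-192.0.2.1}"
GW_MAC="${GW_MAC:-00:00:5e:00:53:01}"

# Print iptables commands for a default-deny inbound policy: unsolicited
# inbound traffic is dropped, loopback and replies to connections the host
# itself opened are still allowed, and outbound traffic is unrestricted.
build_firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the iproute2 command that pins the gateway's MAC address so a forged
# ARP reply on the LAN cannot redirect traffic for the default route.
# Arguments: interface, gateway IP, gateway MAC. Refuses malformed MACs so a
# typo does not silently blackhole the default route.
build_arp_pin() {
    H='[0-9a-fA-F][0-9a-fA-F]'
    case "$3" in
        $H:$H:$H:$H:$H:$H) ;;
        *) echo "invalid MAC address: $3" >&2; return 1 ;;
    esac
    echo "ip neigh replace $2 lladdr $3 nud permanent dev $1"
}

# Default action is a dry run that prints the commands for review; pass
# "apply" (as root) to execute them.
if [ "${1:-}" = "apply" ]; then
    { build_firewall_rules && build_arp_pin "$IFACE" "$GW_IP" "$GW_MAC"; } | sh
else
    build_firewall_rules
    build_arp_pin "$IFACE" "$GW_IP" "$GW_MAC"
fi
```

The permanent ARP entry has to be refreshed if the gateway hardware changes, which is why the commenter limits this step to a network that is well known.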

~~~
paulddraper
> always run your browser in a restricted firejail

No persistent cookies, no extensions, no cache.

Having a LastPass browser extension is the biggest step up in my personal
security in a long time.

------
anonbanker
So, this is exploitable if you're running an SNES SPC backend in gstreamer, on
a linux workstation.

That's a big stretch, and a lot of hype for this "0-day". How many people are
going to be realistically affected by this? Why is arstechnica making such
hype about it?

Yes, it's novel that someone's been able to break out of gstreamer's sandbox
using unimplemented (or poorly-implemented) 65816 opcodes, but that's about as
far as it goes.

Thankfully, my Calculate (Gentoo) Linux KDE desktop with a VLC backend is
completely unaffected by this "0-day", and everything on my network is safe.

~~~
m45t3r
This SNES SPC backend is installed in Ubuntu and Fedora (afaik, almost
every distro that ships Gnome, since Gstreamer is a Gnome dependency).

So yeah, kind of a hype, however the target is pretty big.

~~~
digi_owl
The base problem is that browsers are trying to be friendly by auto-downloading
or auto-playing media files.

If neither of those happened, these exploits could not be automated (though
social engineering would always be an option).

Heck, the download itself is not a problem. The problem is that the DEs, in an
attempt at being "helpful" detect and parse every new file for inclusion into
their search functionality. And the parsing in this instance gets done by
passing the file through gstreamer, and away we go again.

This is idiocy on par with autorun!

------
aiur3la
> While Evans' attacks won't work on most Linux servers, they will reliably
> compromise most desktop versions of Linux...

Nope, patched already in debian and ubuntu.

------
ryanlol
So it wasn't a thing before? But the couple of exploits developed by this guy
made it a thing.

How come it wasn't made a thing by similar exploits developed by others in the
past decades?

Ars writes the strangest things sometimes.

------
finchisko
Can a properly set up AppArmor/SELinux profile help mitigate this
vulnerability?

------
nameless912
This is good for Linux!

Right?

~~~
aiur3la
Been pretty jealous of my Windows and Mac friends getting all the nice viruses
lately.

