digg

Facebook Connect Join Digg About

KDE flaws put Linux, Unix systems at risk

news.com.com A serious vulnerability has been found in the popular KDE open-source software bundle. The flaw, deemed "critical" by the research outfit the French Security Incident Response Team, could allow a remote attacker to gain control over vulnerable systems.

Who dugg this? Made popular Jan 21, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

75 Comments

show profanity settings
expand all
  • rbochan, on 10/12/2007, -0/+11And all the major distros already had it patched...

    http://lwn.net/Articles/168628/

  • inactive, on 10/12/2007, -0/+9Looks like Linux distributions are much faster at patching their products than Microsoft is.
  • Tsuroerusu, on 10/12/2007, -0/+3I received a patch from the security team at SUSE abouu 20 mins. after I first got notified about this hole.

    So SUSE can patch a critical hole in 25 mins. and Microsoft in 1 month....... Tells you something about responsiveness!
  • Ramble, on 10/12/2007, -0/+3"And Konqueror as a web browser?"
    Yes, it's called Safari.
  • takeda, on 10/12/2007, -0/+2@nagone:
    Unlike Firefox, Konqueror passes the ACID 2 test, so it's more w3c standards complaint than FF.
    I think that's an advantage
  • teece, on 10/12/2007, -0/+2If you use KDE as a desktop, Konqueror is a much better browser than Firefox. It's much more responsive, much less memory intensive, much more integrated with KDE, and much more feature-rich.

    It's a great browser. When I used to use a Linux box as my primary desktop, Konqueror is the browser I'd use.
  • MrGeneric, on 10/12/2007, -0/+2Who looks at www while logged on as root anyway?
  • blixel, on 10/12/2007, -0/+2"why would any one use Konqueror when they could just use firefox."

    Don't be an apologist. It doesn't matter if people ARE using Firefox instead of Konqueror. The hole was there, and it needed to be fixed. (Which it was. Way to hustle.)

    Personally, I prefer OpenBox over KDE/Gnome. But just because I'm unaffected by a flaw in Konqueror doesn't mean I shouldn't care if it ever gets fixed. KDE, hence Konqueror, is an Open Source application. And I'm an Open Source advocate.
  • stoops, on 10/12/2007, -0/+2lol, I can't believe the hype one flaw found in a *nix based system causes. Imagine if it was the same for every Windows flaw, everyone would be going crazy constantly. I just have to say I have stopped using Windows for the past 5-6 years and will probably not use it in the future either. I'v had no problems since ;)
  • DiGiTaLFX, on 10/12/2007, -0/+2Wow its amazing to see how quickly thats been fixed!
  • smiley2billion, on 10/12/2007, -0/+1"I'm sure there's powerful open-source tools for open-source o/s's, but guess what? Linux has commercial software too ... look at the giants like Redhat and Novell; is that free?" -pcgeek101

    I didn't see anyone respond to this so I'll bite.

    The "giants" like Redhat and Novell DO throw their products out for free. Take a look at opensuse.org or the fedora project. Not only are they free but you also get the added bonus of a great support community. I'm not trying to flame or be a fanboy but honestly Microsoft does NOT give out their core OS for free. Not only do people like Ubuntu let you download their OS for free, they'll send you as many pressed cd copies as you like... for free, no shipping cost, no nothing.

    As a side note, just used the SuSE updater to get the java fix in KDE.
  • mancat, on 10/12/2007, -0/+1"Unix has something called a security model. Windows kind of has one, but always sacrifices security whenever it might cause an end-user a little bit of trouble."

    Windows does not "kind of" have a security model, NT has an excellent security model. Compared to standard Unix file permissions, NT file and object ACLs are miles ahead. Yes, ACLs exist in most modern commercial and open-source Unix systems. You will rarely see them used in most environments.

    The problem with Windows' security model is that up until now, Microsoft has chosen not to allow home users to reap the benefits of it. Vista provides an excellent compromise between security, usability, and compatibility with file and registry virtualisation that will allow many badly-written software packages to run with least possible priveleges.

    Still, people continue to throw these advantages out of the window - look at any Vista forum, and you'll see many questions about how to disable LUAs or UAPs because they "get in the way." Apparently, an administrative password dialog box is far too much for these folks to handle. Users continue to show that they are the largest security issue with any operating system.

    Despite the overwhelmingly secure underpinnings of Unix, many users manage to ignore security on that platform as well. The Unix security model does not help when clueless users choose to log into KDE as root. Again, you can look at many Linux/Unix help forums, and quite often will be a request on how to log in to Gnome, KDE, etc. as root, mostly because the user does not understand the difference between a normal user account and root, or simply does not care.

    Administrators do not care sometimes, either. I recall using a Solaris system at SUNY Stony Brook in '99 or so. This was a large machine that usually had around fifty users logged in at any given time, doing anything ranging from reading mail with pine, compiling source code for course assignments, or chatting with irc. Located all over the system were were a number of applications installed with setuid priveleges that were not required. Hotfixes were not being applied. Disk quotas consisted only of soft limits. The system was easily crackable, despite the Unix security model you so praise. Not that this can't happen with Windows; Windows administrators are often the most clueless of the bunch. It just shows that even an advanced security model does not always save you.
  • FaNtAsMa, on 10/12/2007, -1/+2I'll be sure to watch out for the whole 10 people in the world that are trying to exploit this flaw.
  • teece, on 10/12/2007, -0/+1Jeebus, just stuff it, jackspack.

    Unix has something called a security model. Windows kind of has one, but always sacrifices security whenever it might cause an end-user a little bit of trouble.

    That makes all the difference, and if you don't understand that, you really should just quit spouting off (and hint: you don't understand it).
  • pholower, on 10/12/2007, -2/+3Most people use FireFox, and on top of that, how many remote attackers do you know of that aim at Linux boxes in the first place?
  • ConceptJunkie, on 10/12/2007, -0/+1Looks like Linux distributions are much faster at patching their products than Microsoft is.

    Yes, but MS is much faster at making flaws.

  • spamdies, on 10/12/2007, -0/+0i thought the french made open source software illegal in their county......
  • dharm, on 10/12/2007, -0/+0"go look at CERT and see that WEEKLY there are more holes discovered in *nix than anything else"

    yes, go look at CERT.. and notice how most vulnerabilities are posted only for nix, while the vulnerability is cross platform, CERT is a joke... but atleast they are smart at what servers they are running themselves... they run linux, and even better some of their mirrors run freebsd, only 1 mirror runs windows 2000

    according to http://www.sans.org/top20/ look at top 5 windows vulnerabilities... they are all part of the core system

    while linux vulnerabilities are mostly 3rd party applications that exist both in windows and nix enviroments...

    "Just take a look at the WMF patch ... they had that released in a matter of days, and it was even released ahead of schedule."

    riight... 7 days after? they are fast...

    -

    yes there may be more vulnerabilities found, but atleast they are patched quickly... dont get me wrong though, i love using windows on my laptop, and never had virii, and never been exploited, if you know how to run your system,, it will run great no matter what OS

  • BT-Wang, on 10/12/2007, -0/+0and still, nobody runs kde as root (RIGHT?!) so in this case, critical isn't really critical now, is it?

    konqueror is great, apart from this javascript crap it has been very secure, renders pages very quickly and has a much smaller codebase than firefox.

    I haven't used firefox since 1.5 was released, I have several gripes with the release and will consider going back once my issues are resolved. if this hole weren't patched I'd go to the mozilla suite or a gecko hack like galeon.
  • stoops, on 10/12/2007, -0/+0Next Headline: Windows is going OpenSource in Order to Respond to Holes Faster (Yea Right, gotchya!)
  • inactive, on 10/12/2007, -1/+1why open source rocks my socks
  • Tsuroerusu, on 10/12/2007, -0/+0"why would any one use Konqueror when they could just use firefox."

    I use Konqueror when I'm reading RSS feeds with Akregator, because it comes up like instantly, it just snaps on the screen. Firefox takes about 4 secs to bring up, which frustrates me sometimes.
  • chicken101, on 10/12/2007, -0/+0Nice to see the flaw gets fixed in a matter of hours...
  • davidleeroth, on 10/12/2007, -0/+0Konqueror is a file system browser also.. that's why people use it. I like it over Nautilus anyday, but I myself use Gnome,
  • Twoism, on 10/12/2007, -0/+0GNOME's where it's at.
  • recover82, on 10/12/2007, -0/+0*nix stories always create quite the comments/arguments
  • nukey, on 10/12/2007, -0/+0"you people are ***** stupid if you think nix is any better or more secure just because you THINK there are less holes....as i always say, go look at CERT and see that WEEKLY there are more holes discovered in *nix than anything else."

    I wonder what would happen if Windows would become open-source......
  • karamba_kid, on 10/12/2007, -0/+0patched this yesturday, as I do use Konqueror for my webbrowser for most things (feels less clunky than firefox on my machine) But yeah patched before there were any known exploits, unlike Microsoft which usually only patches after there are exploits in the wild, since they seem to beleive in security through obscurity.
  • dharm, on 10/12/2007, -0/+0>IE isnt really part of the core system either

    yes it is... alot of windows components use it for internet, i am not meaning actually access the internet, i am talking about just the ability to be able to connect to the net, remove IE, and you are hooped
  • ACalcutt, on 10/12/2007, -0/+0-and the linux/micorsoft flame war continues-

    LOL
  • Mwd500, on 10/12/2007, -0/+0wow they patch their stuff fast, very impressive
  • dharm, on 10/12/2007, -0/+0whoops... my bad, that one i said above was iis5...

    >please show me the last time an exploit was found in IIS 6

    Release Date : 2005-08-23

    A vulnerability was identified in Microsoft Microsoft Internet Information Services (IIS), which could be exploited by malicious users to conduct spoofing attacks. This flaw is due to an error when handling the "SERVER_NAME" variable, which could be exploited by remote attackers to spoof this variable and disclose sensitive information (ASP source code).

    no patch?
  • dharm, on 10/12/2007, -0/+0>SQL is a much mors secure database than oracle

    might be straight out of the box, but not after tuning... i am an OCP DBA... thats what i get payed for, not plug'n'play dba with sql server...

    and why mention oracle at all? its cross platform, and has nothing todo with the discussion...

    same thing can be said for apache. after tuning, it will be securer than iis, and will be more efficient... (and i am saying this while i hate apache, there are a few i see better)
  • dharm, on 10/12/2007, -0/+0>please show me the last time an exploit was found in IIS 6

    Dec. 17th, 2005: Microsoft IIS Remote DoS .DLL Url exploit
  • jackspack, on 10/12/2007, -1/+0dharm

    office is not part of the core system
    IE isnt really part of the core system either - it is offered as the default browser in the package. Try to remember that Windows is offered as a complete package and of course your going to see more "core" vulnerabilities if you use the term core to describe what is sold off the shelf. Think about - if you take IE out of the picture, Windows is just if if not more secure than *nix. SQL is a much mors secure database than oracle, exchange is a much more secure email server than sendmail or netscape/sun messenger, IIS 6.0 (out of the box even) is a much more secure web server than apace (and please show me the last time an exploit was found in IIS 6).
    So save your spin doctor nunber massaging for the RNC because I don't buy it. I work with both OS's and know the deal.
  • syuusuke, on 10/12/2007, -1/+0BSD mang
  • jackspack, on 10/12/2007, -1/+0teece - so explain this "security model" you speak of.

  • inactive, on 10/12/2007, -1/+0KDE is a risk in its self and has been for some time!
  • jackspack, on 10/12/2007, -1/+0well, just keep the faith pcgeek - all you need to do is keep on top of the OS's you work with. an os is only as secure as the persistance of those who support it.

    part of me hopes this ***** get their wish and every bonehead user starts installing *nix based os. So when the time comes that a major flaw is found and exploited, these idiots wont know how to properly patch it, then everyone gets hit and the Net goes dead.
  • Googled, on 10/12/2007, -1/+0wow this is pretty *cool* never heard of a main stream flaw like this in *nix
  • inactive, on 10/12/2007, -2/+1"The vulnerability lies in the JavaScript interpreter engine"

    Good old javascript. I turn it off for viewing most sites anyway, as I hate java, javascript, flash, and other such annoying toys some sites love to thrust into the viewers eyes.
  • carguy84, on 10/12/2007, -1/+0Where's the KDE Update button on the start menu, I can't find it.
  • jackspack, on 10/12/2007, -1/+0drewjoh - and when your ass gets hacked, and all your data is gone - you're right, you wont have anything to worry about
  • link_36p, on 10/12/2007, -1/+0it says u have to visit a web page with konqueror, i dont even use it for web browsing :p (firefox baby :)
  • drewjoh, on 10/12/2007, -1/+0Most people use Windows, so I guess we don't have too much to worry about.
  • pcgeek101, on 10/12/2007, -1/+0Well, like I said, I've got nothing *against* open-source software, it just bugs me that people are such zealots about it. There's this whole cult that is against Microsoft just because they charge a few bucks for their software (mostly targeted at businesses anyway). I think a large reason that most people are completely blind to how powerful/robust the Windows o/s is, is because they simply don't work with it at a very low level. As a systems administrator responsible for over 200 desktop computers, I wouldn't desire to manage any other operating system, because Windows makes it so easy for me to make changes to large numbers of computers, and manage updates using different tools. I'm sure there's powerful open-source tools for open-source o/s's, but guess what? Linux has commercial software too ... look at the giants like Redhat and Novell; is that free?
  • pcgeek101, on 10/12/2007, -1/+0I use open-source software on my Windows system. I have nothing against open-source. I'm just saying that it's really lame to think you're "kool" because you "hate" Microsoft. They make fine products that cost money ... it's called business.
  • nagone, on 10/12/2007, -2/+1why would any one use Konqueror when they could just use firefox. It seems to me that Konqueror is the same as IE. Konqueror is the gui that is used to browse file systems and a web browser, that's just asking for trouble.
  • antiwmac, on 10/12/2007, -1/+0gahh accidentally pressed submit :(
    what I was trying to say is in this case,
    KDE serious flaw found, and patched.
    and it's not KDE serious flaw found, people are begging to KDE developers to make a patch.
  • antiwmac, on 10/12/2007, -1/+0serious flaw found, unix systems NOT at risk, because most of smart unix users keeps track at security, and updates or patch them through package-management-system. or some even have package-management's update run everyday with cron, (for eg, emerge -u world in cron.

    the
    remember, kde flaw found, and patched.
  • Fetching more discussions...
    Show 51 - 75 of 75 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.