[ale] Linux GUI security question

Jonathan Rickman jonathan at xcorps.net
Tue Aug 6 23:03:47 EDT 2002


On 6 Aug 2002, James P. Kinney III wrote:

> I have been reading the slashdot posted page (
> http://security.tombom.co.uk/shatter.html ) that discusses a serious
> design flaw in  all Microsoft OS products. I wish I understood enough
> code in Linux gui's, KDE and Gnome in particular, to evaluate if they
> were potentially susceptible to problems similar to those discussed in
> the paper. They both use message passing protocols. Gnome uses Bonobo
> which is based on Corba protocols and standards. KDE ditched Corba and
> wrote their own. Both protocols don't appear to run with root level
> privileges. But they do allow easy access to devices such as CDs and
> modems.
>
> I strongly advocate the replacement of M$ systems for Linux systems for
> nearly use. Is our GUI interface process at risk in this manner?

I doubt it. Is it possible for this type of vulnerability to be introduced
through the use of poor programming practices on the part of the Xfree86
crew? I suppose so. Is it possible for a third party such as the KDE team
to do the same? I don't think so. The thing to remember is that no matter
which direction things take, the GUI is totally separate from the system
on a *nix box and can be run without elevated privs if you desire. With
Windows, it's a whole different story. An awful lot of folks don't seem to
grasp the concept that the author is trying to get across.

Sure, the article has some shortsighted comments, but overall...the
concept is not only valid, it is proven. I've seen it happen firsthand.
Sure, it's not a new concept. It has been known for some time, but I don't
feel like it got enough attention back then. That's why I posted his paper
at my site, and encouraged others to do the same. The word needs to get
out about it so that developers can start thinking about the way they're
doing things. I highly encourage everyone to have a look at it and
consider the implications, regardless of whether you use Windows.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.