[arch-general] current flash vulnerabilities - what to do?

Daniel Micay danielmicay at gmail.com
Thu Jul 16 20:06:05 UTC 2015


On 16/07/15 03:48 PM, Natu wrote:
> On 07/16/2015 05:10 AM, Ben Oliver wrote:
>> I have to agree with Ralf, you will be fine.
>>
>> I have been flash-free for 18 months now and it's going absolutely fine.
>> Unless you have a penchant for flash games, there's very little reason to
>> have it installed any more.
> 
> I totally support phasing out flash, however, I run firefox inside a
> docker container and then I don't have to worry about these security
> issues since I discard the running container and reload from the saved
> image daily.
> 
> Natu

You do have to worry unless you don't care about someone grabbing all
of your active login sessions (cookies), all of the entered form data,
etc. There's a reason for browser sandboxes being per-site-instance
instead of trying to wrap the browser as a whole. Most of the
information the attackers want is in the web browser, or can be obtained
there by grabbing passwords and other information like credit card
numbers as they're entered.

Anyway, local privilege exploits in the Linux kernel are as common as
remote Flash exploits. Docker exposes nearly the entire Linux kernel
attack surface to code in the container. It's not much of a sandbox.
