[arch-general] current flash vulnerabilities - what to do?

Natu incoming-archlinux at rjl.com
Thu Jul 16 20:43:25 UTC 2015


On 07/16/2015 01:06 PM, Daniel Micay wrote:
> On 16/07/15 03:48 PM, Natu wrote:
>> On 07/16/2015 05:10 AM, Ben Oliver wrote:
>>> I have to agree with Ralf, you will be fine.
>>>
>>> I have been flash-free for 18 months now and it's going absolutely fine.
>>> Unless you have a penchant for flash games, there's very little reason to
>>> have it installed any more.
>>
>> I totally support phasing out flash, however, I run firefox inside a
>> docker container and then I don't have to worry about these security
>> issues since I discard the running container and reload from the saved
>> image daily.
>>
>> Natu
>
> You do have to worry unless you don't care about someone grabbing all
> of your active login sessions (cookies), all of the entered form data,
> etc. There's a reason for browser sandboxes being per-site-instance
> instead of trying to wrap the browser as a whole. Most of the
> information the attackers want is in the web browser, or can be obtained
> there by grabbing passwords and other information like credit card
> numbers as they're entered.
>
> Anyway, local privilege exploits in the Linux kernel are as common as
> remote Flash exploits. Docker exposes nearly the entire Linux kernel
> attack surface to code in the container. It's not much of a sandbox.
>

Thanks for pointing this out.  What you say is true.  I actually run
two different firefox browsers, one for secure uses and the other for
random browsing.  One inside of a VM on my desktop (and I revert back to
the base image daily).  The other web browser I run in a docker
container running on a tiny arm box.  The one running on the arm box
obviously doesn't support flash.  I generally use the one running on the
arm box for online banking/credit cards etc.

I don't know that I even trust openssl anymore.  I used to run chromium,
but got tired of it passing so much information back to google, so I
went back to firefox.  What I run is not an ideal solution.  I'm open to
other suggestions.  I used to love chrome, but got tired of google
spying.  And yes, you have to turn off features in firefox to avoid
similar spying behavior, but it can be done without maintaining your own
version of the source code.



Natu



