WebKit security holes haunt Ubuntu

WebKit security holes haunt Ubuntu

Summary: According to an Ubuntu security alert, the WebKit flaws are dangerous enough to cause arbitrary code execution attacks.

SHARE:
52

The Ubuntu Linux operating system has been refreshed to fix multiple WebKit flaws that expose users to malicious hacker attacks.

According to an Ubuntu security alert, the flaws are dangerous enough to cause arbitrary code execution attacks.

From the alert:

A large number of security issues were discovered in the WebKit browser and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

follow Ryan Naraine on twitter

Ubuntu documents 22 different vulnerabilities affecting Ubuntu 10.10 and Ubuntu 10.04 LTS.

A separate vulnerability in the open-source operating system was also fixed to block an issue that lets attackers use eCryptfs to unmount arbitrary locations and cause a denial-of-service condition.

It was discovered that eCryptfs incorrectly handled permissions whenmodifying the mtab file. A local attacker could use this flaw to manipulate the mtab file, and possibly unmount arbitrary locations, leading to a denial of service.

The ecryptfs-utils vulnerability affects Ubuntu 11.04, Ubuntu 10.10 and Ubuntu 10.04 LTS.

Topics: Security, Open Source

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

52 comments
Log in or register to join the discussion
  • Good work Ryan

    I can't find you on Google Plus--are you there?
    Dietrich T. Schmitz *Your
    • RE: WebKit security holes haunt Ubuntu

      >>>I can't find you on Google Plus--are you there?

      Nay. No social networks for me. Only http://twitter.com/ryanaraine
      Ryan Naraine
      • "No social networks for me.

        @Ryan Naraine This statement is very interesting coming from one of ZDNet's security writers. Is there a security reason behind this? If so, it would make for interesting reading.

        P.S. Apologies for off-topic post.
        Rabid Howler Monkey
      • @Ryan: instead of trying to just spread FUD

        @Ryan Naraine .. why didn't you include any mitigation strategies for those folk that use Ubuntu 10.xx (or later)?!? Oh, i almost forgot .. ZDNet is an online tabloid.<br><br>Because let's face it, if you were genuinely concerned with the implications of the vulnerabilities, you would have .. but since you're obviously working with an agenda, hey .. that gets you page hits via click bait - and zero credibility.<br><br>So without further ado, for those that got absolutely nothing from Ryan's crappy write-up in the way of mitigation strategies, try some basic, self-help steps:<br><br>(1) Ensure you install the auto updates (these will typically be alerted to you shortly after Ubuntu starts up - via a pop up alert).<br><br>(2) Open an instance of the terminal / console and check the status of all apparmor profiles, by typing at the prompt:<br><br> [b]sudo apparmor_status[/b]<br><br>then press 'return' (Enter) <br><br>(3) If you haven't already, for Konqueror and Chrome (if you have Chrome installed), you can (actually I highly recommend you do) put both profiles in enforce mode:<br><br>example:<br><br> [b]sudo aa-enforce /path/to/bin[/b] <br><br>(where you replace '/path/to' with the path to the application profile - and any related profiles: for example, Chrome can have 1 primary and anywhere between 3-4 related, sub-profiles)<br><br>Once this is complete, exit the console. Having carried out these steps, you will have gone a long way towards ensuring attack vectors like this are dead to rights.<br><br>Regards
        thx-1138_
    • RE: WebKit security holes haunt Ubuntu

      @Dietrich T. Schmitz * Your Linux Advocate
      G+ is dead.
      biobiobio
      • RE: WebKit security holes haunt Ubuntu

        @biobiobio he needs a tissue for the nose.
        ItsTheBottomLine
    • RE: WebKit security holes haunt Ubuntu

      @Dietrich T. Schmitz * Your Linux Advocate

      Crickets, huh? LOL
      TechNickle
    • RE: WebKit security holes haunt Ubuntu

      @Dietrich T. Schmitz * Your Linux Advocate
      Dietrich, let me ask you - if one is using Firefox as their browser in Ubuntu, is Webkit still in the picture?
      ejhonda
  • that's FUD

    since they are already patched.
    The Linux Geek
    • Yes, but when did Ryan last write anything about Ubuntu?

      @The Linux Geek

      He reports with the word 'refresh' at the top of his post.
      Dietrich T. Schmitz *Your
      • The article title says "haunts" it then references two old versions

        The is article is FUD. The title is misleading. It is not haunting Ubuntu if it was patched, especially considering that 12.04 is the current LTS and 12.10 is the latest version. 10.04 and 11.04 are old.
        T1Oracle
    • RE: WebKit security holes haunt Ubuntu

      @The Linux Geek Tell me again about conficker and other Microsoft ghost stories that you tell around the campfire.
      Your Non Advocate
      • RE: WebKit security holes haunt Ubuntu

        @facebook@... The Linux Geek doesn't need a campfire to generate hot air.<br><br>@The Linux Geek Canonical may have generated the patches for Ubuntu, but the users still need to apply them to their systems. Consider this warning a heads up, just like with Windows and Mac OS X patches.
        Rabid Howler Monkey
    • RE: WebKit security holes haunt Ubuntu

      @The Linux Geek <br><br>I don't think Ryan was trying to spread FUD so much as he was trying to inform, however, upon reading this article I just knew (maybe I'm a touch psychic?) that the Linux hater's would jump all over this citing that Linux isn't more secure after all.<br><br>Trolls and MS fanbois, more secure does not suggest completely secure. If any Linux fanboi tries to tell you Linux is completely secure just ignore them. They either don't know what they are talking about or are deliberately baiting you to see if you can make some equally ridiculous statements. You seldom disappoint.<br><br>I'll clarify a few points though on the scope and severity of these security holes. Webkit is not Linux. It is a browser component that runs on Windows and Mac as well. JavaScript too, is cross platform code that has been known for its occasional security holes on all platforms including Microsoft and Apple.<br><br>The eCryptfs issue would only affect servers using eCryptfs encrypted file systems and, read carefully: "A local attacker could use this flaw to manipulate the mtab file, and possibly unmount arbitrary locations, leading to a denial of service." Local meaning someone with local access to the server which would require some other breach of security to gain.
      techadmin.cc@...
    • RE: WebKit security holes haunt Ubuntu

      @The Linux Geek I do get a kick out of reading the posts from the various Linux Dorks here. It's especially funny how you guys love to rant and rave about Windows flaws that were patched years ago, as if they still matter, but then it is "spreading FUD" to talk about a Linux flaw that was only patched very recently.

      Every time there is a "Patch Tuesday" article here, you guys jump all over it, criticizing Windows for having the flaws that are being patched. And when someone like Loverock Davidson points out that those flaws are "non-issues" now because they have been patched, you call him an idiot. Yet, here we have an article talking about Linux flaws that have been patched, and you immediately declare that this is "spreading FUD" to talk about flaws that have been patched.

      And of course, even though I am neither a "Linux hater," nor a "Windows Fanboi" by any stretch of the imagination, I will be accused of such simply for pointing out how foolish you Linux Dorks make yourselves look with your endless claims that Linux can't possibly attacked under any circumstances, and your constant denial of the fact that Linux can, and does have security flaws that simply haven't been discovered yet. Clearly, the flaws that were reported in Ryan's article existed for sometime before they were patched. Just because they weren't discovered until recently doesn't mean they didn't exist. Just because no one bother to use these flaws to launch an attack on an OS that no one uses doesn't mean it was not possible to do. But of course, I know that I am going way over your head with big words and complicated concepts, so I know what I am saying will not make sense to you.

      Oh well, your endless stupidity does make for some very entertaining reading, so keep up the good work!

      Rick
      rick@...
      • RE: WebKit security holes haunt Ubuntu

        @rick@...
        Guessing you're a windows fanboy then. Just for future reference, you might not want to claim Loverock as a source of anything other than amusement.

        Also, when claiming you're not a linux hater, it helps if you don't call others "linux dorks". I'm a Linux user. I gladly call myself a nerd but I will not allow you to continue your ignorance and call me a dork.

        I've never seen a valid post (i.e. a post not pointed out by other linux users) claiming that Linux is 100% impervious to attack. I have, however, seen plenty of posts claiming Apple is impervious and quite a few extremely ignorant posts claiming Windows to now be very much impervious, until the next patch tuesday when several arbitrary code execution vulnerabilities are exposed.
        tmsbrdrs
      • RE: WebKit security holes haunt Ubuntu

        @tmsbrdrs Interesting that you read a post directed towards Linux Geek and assumed it was directed towards all Linux users, including yourself. I'm sorry that you cannot tell the difference between a normal person who happens to use Linux, compared to someone like Linux Geek, who constantly spews nonsense about the holy wonders of Linux and the horrible evils of Windows.

        Ok, Windows happens to work for me. I also happen to drive a Ford truck. And I like Pepsi better than Coke. So what. Those are my preference. Your preferences may be different. The great thing about the world we live in is that we all have many options to choose from. You can use the OS you prefer, and I can use the OS I prefer. You can drive the vehicle you prefer, and I can drive the one that I prefer.

        The "Linux Dork" is someone like Linux Geek, Or DTS Your Linux Advocate. The "Linux Dork" is one who has nothing better to do with his life but spend all day posting stupid crap about how wonderful Linux is, while at the same time making up all kinds of absurd claims about how horrible Windows is.

        The only reason I mentioned Loverock Davidson was to point out how Linux Geek is doing the exact same thing here (claiming that this Linux flaw is a "non-issue" because it has been patched) as LD does all the time when he claims that Windows flaws are "non-issues" once they have been patched. I did not claim him as a source of anything. But perhaps in your haste to attack me for being critical of a certain Linux Dork, you overlooked that fact.

        Obviously, what it comes down to is that there is a huge double standard here, where every Windows flaw that has ever existed still "counts" against Windows, regardless if it has been patched or not. On the other hand, it is "spreading FUD" to talk about a Linux flaw after it has been patched. It is exactly these double standards that all Linux Dorks depend on to convince themselves of the fantasy they want to believe in. And yes, Mac Fanbois depend on similar double standards in order to support the fantasy world they live in.

        Anyone who claims any of the major OSes in the world are impervious to attack is a fool. A modern OS is way too complex to ever be 100% foolproof. As I pointed out in my first post, the reality of it is that the Linux flaws addressed in this article existed in Linux before they were discovered. Just because they hadn't been discovered doesn't mean they did not exist. In the same way, I can guarantee that Linux has still more flaws that have yet to be discovered, but none the less, they do exist. The same is true for Windows, Mac OS, AIX, Solaris, z/OS, and any other OS you can think of.

        Whether you want to admit it or not, the reality of the world is that Windows is the most popular OS on the planet. More people use Windows than any other OS. More people know how to write code for Windows. More people understand the inner workings of Windows. More people are interested in hacking into Windows. More people are writing malware for Windows. And, at the end of the day, the bottom line is that more people are going to discover more flaws in Windows than any other OS. You can pretend all you want that the reason Windows gets attacked more is because it is less secure, but that is like me pretending my house is more secure than a bank, because, after all, the bank in my neighborhood has been robbed at least 3 or 4 times in the 20 years I've lived here, while my house has never been robbed once.

        So, pretend all you want. Enjoy the fantasy land you live in. Meanwhile, the rest of us will face reality and deal with facts.

        Rick
        rick@...
        • RE: WebKit security holes haunt Ubuntu

          +10 to you Rick.
          DarienHawk67
        • Three Points

          The first is that, unless this was code that Canonical added to WebKit, it was WebKit's problem, not Ubuntu, or, put another way, WebKit problems would be the problems of users of Safari, Chrome, and KHTML.

          Second, but not very important, do most developers know how to develop for Windows? I've tended to avoid Windows because the best tools are too expensive and I'm a one-person bespoke developer. I have done some Windows apps, but I used java and .net. The former because I could reasonably do cross-platform code (and my coding platform is OS X) and the latter because java is not a trivial assumption, has security issues, and .net is on every modern Windows box and is similar enough to java that OOP MVC architecture is easily achieved. So, I "know" Windows development because I know java development, but, I know that real Windows development involves jumping into C++, C environments and, possibly, assembly and requires a deep understanding of os apis. (Note, the same is true of OS X or *nix development, i.e., deep understanding of the system apis and libraries.) Now, what do we use to figure out the languages being used out there? Job listings, but that is an indicator of what languages are to be used in the near future. A lot of programming is maintenance of legacy code. How does one fit html, php, SQL, javascript, and css into the picture? But, if one can make a functioning webpage which displays in IE, then does one know how to program for Windows? But, whether most people know how to program for Windows or not, this is not a serious challenge to your basic points. It is not a support buttress to your argument.

          Third, security differentials for operating systems is the most ephemeral of advantages. Plus, most of us get infected not through clever hacks, but by temptation with the devil's candy. There can be systems to help save us from ourselves, such as warnings saying "Malicious Website" before it loads, but ultimately these rely on some small time period of risk. Besides the most secure operating system will be the least easy to use. And, if we've spent a thousand dollars over the last decade acquiring and updating the applications we like on the machine that runs them well, we are not likely to throw everything out, source and deploy replacements, and enjoy our inefficiency as we ride a learning curve because some folks got burned by something that infested our platform of choice and some partisan on the internet tells us we are in perdition and they are in paradise. Besides, tomorrow, the cracking community may find a new, more cost-effective approach to doing damage, and now this platform is inadvertently "more secure" and this other platform is now "wide open."

          As I said, I use OS X and I don't consider myself more secure for doing so, plus, the weakest link in my security chain is me.
          DannyO_0x98
      • RE: WebKit security holes haunt Ubuntu

        @rick@...
        Maybe you should reread my reply.

        I was actually responding to your own comments. For example, the very phrase "linux dorks" is just wrong. We're geeks, we're nerds, we're not dorks.
        Your use of Loverock as a source, as another example, shows your ignorance of these forums in general. Loverock tends to make the most asinine comments about Linux and claims that Windows is so much more secure. Truth is, I've had to fix, troubleshoot and simply live with the inherent insecurities of the current batch of Windows systems for as long as I can remember. That's the main reason I switched over to Linux in the first place.

        When you respond specifically to another user, that's one thing. When you make comments which take linux users in general into account, that's another and yes, I'll respond to them to point out your general lack of respect for us "ordinary linux users". Just a hint, the majority of us are what you attempted to call "linux dorks".
        tmsbrdrs