Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) 164
An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of linux zero day exploits, the most recent of which employs specially crafted audio files to compromise linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them."
That's why they're called BAD (Score:5, Insightful)
Re: (Score:3)
Re: (Score:3)
And how many people have this either installed or can be made to install this?
~5 years ago, when I cared about making sure I installed all the media codecs, I installed the GStreamer Bad plugins. Only reason I don't install it now is because things work fine without it?
What would happen if someone downloaded and tried to play one of these files now (thinking they were downloading a Taylor Swift .mp3 off of Pirate Bay)? Would the OS offer to download GStreamer Bad plugin? If it did, how many users would e
WRONG! (Score:4, Informative)
https://scarybeastsecurity.blogspot.pt/2016/11/0day-exploit-advancing-exploitation.html
"A powerful heap corruption vulnerability exists in the gstreamer decoder for the FLIC file format. Presented here is an 0day exploit for this vulnerability.
This decoder is generally present in the default install of modern Linux desktops, including Ubuntu 16.04 and Fedora 24. Gstreamer classifies its decoders as “good”, “bad” or “ugly”. Despite being quite buggy, and not being a format at all necessary on a modern desktop, the FLIC decoder is classified as “good”, almost guaranteeing its presence in default Linux installs."
confirmation here:
https://bugzilla.redhat.com/show_bug.cgi?id=1397441
gstreamer-plugins-good: Heap buffer overflow in FLIC decoder
Sheesh, I thought you guys (the parent post and the ones who upvoted) were geeks and into factual information! Oh right, this is slashdot...
Re:That's why they're called BAD (Score:5, Informative)
Re:That's why they're called BAD (Score:5, Informative)
Re:That's why they're called BAD (Score:5, Informative)
Can't speak for Mint, but in Ubuntu, during the install the install process you are given an option to install "3rd party software for graphics, wi-fi, flash, MP3 and other media". What this does, essentially, is mark ubuntu-restricted-addons for installation, which, among other things, brings the "bad" and "ugly" gstreamer plugins.
Many people are going to select this option, since it brings much needed functionality with it. In particular, a less knowledgeable user will probably look at that option and think that maybe it is a good idea to install that.
Now consider that Ubuntu is the most popular distro, and the one that tends to be suggested to new users. This means that it is VERY likely that many users have this package installed. Which makes it a much bigger problem than what "some people" are suggesting on this thread.
Re: (Score:1)
It's like downloading suspect code from Github that probably works fine, but could leave you open to vulnerabilities, i.e. not an operating system level issue. It's unfair to say it's a vulnerability in "linux". It's more appropriate to say it's an issue in software for linux.
Re: (Score:2)
Re: (Score:2)
What's that have to do with anything? If you're sending a file with a codec that doesn't match the extension, there should be a warning/error. If it's named .spc, fine - use the SPC codec to play it. If it's named .mp3, use the MP3 playback codec or nothing - don't search for magic bytes or try it out with every codec on the system.
This is great work. (Score:5, Insightful)
Still... that shows why security has to be half education and half technology. The last one, which was especially bad because a drive-by, combined Chrome ("I download by default to ~/Downloads"), stupid Desktop behavior ("I index everything I see -- oh, shiny! a media file: I'll throw that over to gstreamer") and gstreamer... see TFA.
The users expecting the system to "do everything automatically" is no different than Windows of yore running AUTORUN.INF whenever you inserted a removable medium. If there is no pushback on that front there won't be a secure system, ever [1]
[1] secure for the user, that is. If your definition of "secure" is "secure for some collusion of hardware vendor, software vendor, media companies, advertising cartels, search engines and state agencies, then perhaps.
Re: (Score:1)
We're talking about a buffer overflow attack that could have been easily prevented by using a sane implementation language or some static security checking tool. That's a technical issue, not based on user behavior.
Executable code as music data (Score:2)
Remember Windows Metafile? That was a picture format that consisted of executable code (poor man's pdf or ps for Windows 3.0) and ended up being abused.
Here, a whole frigging computer is emulated and the SPC file is just raw machine code for its CPU, so that you can e.g. listen to Street Fighter II music in your winamp clone. Depending on your player perhaps, you even get a track of infinite/unknown length and the music loops indefinitely.
I find it funny and it reminds me more about the entirely banal stori
Re: (Score:2)
And yes, that depth *always* should include the user. Because our aim should be to make ourselves smarter, not dumber.
By all means, aim high. Just know that where users (in general) are involved, that arrow is going to fall much lower then expected.
Re: (Score:3)
stupid Desktop behavior ("I index everything I see -- oh, shiny! a media file: I'll throw that over to gstreamer")
The real issue here is that the indexer plugins don't run in an unprivileged sandbox. An indexer should have the rights to read the file that it's indexing, to write the metadata back via IPC to the parent process, and nothing else. It's insane that anyone would create a system that runs on untrusted data without any kind of privilege separation.
Re: (Score:2)
Re: (Score:2, Interesting)
> It's called "usability"; having computers do useful things for us automatically is what makes them so useful
All generalizations suck.
You are falling into the trap "doing things automatically is a good thing" == "doing everything automatically is a good thing".
As always, it's a matter of judgement; there isn't a clear bright line and the (muddy) line shifts and moves as exploits evolve.
Extreme examples (the autorun one) help having a clearer vision. My point is that taking away decision points from the
Re: (Score:3)
It's called "usability"; having computers do useful things for us automatically is what makes them so useful.
True! You won't mind if we reconfigure your email client to automatically launch attachments, right? It'll be really useful!
Re: This is great work. (Score:1)
It can if you are both smart enough to do it and dumb enough to try it.
Web browser virtualization (Score:2)
Re:Web browser virtualization (Score:4, Interesting)
actually it's the only way to be fully protected against local root (kernel/system daemons) vulnerabilities, keyloggers, data theft, etc.
I'm not entirely sure about the scope of what you're claiming here, but know that virtual machine escapes aren't uncommon. I'm not saying that virtualizing the browser is a bad idea (defense in depth and all that), but it won't get you perfect security. Also, in some cases, it's possible to attack the host OS without leaving the VM. Then there's the sensitive information within the VM (user credentials, session cookies, etc.), which doesn't require an escape.
Re: (Score:2)
For my entire life I've heard of maybe 10 cases of exploits which actually allowed to escape VM while at the same time each popular web browser (IE, Firefox, Chrome, Opera, Safari) has already had at least 300 remotely exploitable vulnerabilities (close to 1500 vulnerabilities overall).
Which means that when you're running your web browser in a VM you decrease your chances of being p0wned by at least two orders of magnitude. Also, since most attacks nowa
Re: (Score:2)
For my entire life I've heard of maybe 10 cases of exploits which actually allowed to escape VM while at the same time each popular web browser (IE, Firefox, Chrome, Opera, Safari) has already had at least 300 remotely exploitable vulnerabilities (close to 1500 vulnerabilities overall).
Which means that when you're running your web browser in a VM you decrease your chances of being p0wned by at least two orders of magnitude. Also, since most attacks nowadays are carried out automatically, those attacks will stop at your VM because the exploit kit will not try to break out of VM since 99.999% of users out there don't bother virtualizing their browser and also there are ways to conceal your VM.
Heres an idea.
What if you could craft the audio signal so that it exploits the audio output software/drivers in the host when played from a guest VM?
Ie you have the guest VM hooked up to output its audio through the host, not uncommon in desktop virtualisation. And its the specially crafted audio signal which carries the exploit not the specially crafted file.
Re: (Score:2)
And its the specially crafted audio signal which carries the exploit
Kind of hard to have a buffer overflow in the audio signal when the entire bit space is available for audio. So then what's left? A pulsed signal, that when it hits the DAC creates RF interference that then induces current somewhere else on a chip?
I know, you can read keystrokes from 2 rooms away by pointing an antenna at a keyboard, but I can't even imagine how you do an exploit with an audio waveform.
Re: (Score:2)
Why would a keylogger need to break out of the VM to be useful? It can just log the keys on that side and be perfectly happy with what it gets.
Virtualization is not security (Score:1)
All you are going to get out of that messing about is a feeling a smugness and immunity from script kiddies who are not even trying hard.
You could try doing something actually designed for security, such as simply running the web browser as a user other than the one that owns all the files you want to keep - so a unique user for the web browser. Jails and containers/zones help too because they are des
Re: (Score:1)
Check out 'firejail' on Linux.
I use it to route specific programs through different network interfaces, and often use it for youtube in firefox with no issues.
From the manual;
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared
Re: Web browser virtualization (Score:1)
It sound like you really want qubes os, where everything is sandboxed off into security zones you define.
Not really anything new (Score:4, Informative)
The idea that Linux might or does have security vulnerabilities is not anything remotely new. I sometimes file five bug reports a day on patches for things like this dealing with Debian, Rosa, Mageia, Fedora, and Suse. I just file the bugs, its up to the Distro Maintainers to read what I post and act on them. Sometimes they mark it as invalid, a Duplicate, already fixed, or Works for me.
Other times I get a patched, or upgraded package in 24-48 hours.
If you see a CVE of something, post it to your relevant bugzilla, and not just one, always provide the CVE and a URL to where you got the CVE From if at all possible. Don't stick your head in the sand and say its not your problem. Keep in mind the world we live in today.
Re: (Score:3)
Re: (Score:2)
zero day? (Score:3)
Re: (Score:2)
Right, it was a 0-day when it was released... a month ago:
https://scarybeastsecurity.blo... [blogspot.com]
My Debian stable machine is safe, I'm missing that file, don't use chrome, don't use gnome file managers that attempt to preview music files. Yes 0-days are bad and can happen in Linux environments as well as any other, but there's still the lack of monoculture in Linux. Show me a windows machine that doesn't have IE installed.
Sensationalist fearmongering and attention whoring (Score:2)
'Zero day'. 'world of hurt'.
Look everyone I found a bug! Look at me! All your machines can be mine if you just install this normally not installed software, then visit this here website!
Just file the bug and let them fix it, till then just stfu.
Re: (Score:2)
As has already been addressed multiple times above, the package involved is installed by default in the listed distros and more.
Just file the bug and let them fix it, till then just stfu.
How about you RTFM and understand what you're talking about, till then hush little child. Consider that the sensational title is intended to get attention on an actual threat, and past the willful ignorance of persons such as yourself.
Re: (Score:2)
Sorry, but I totally agree with the original post. The title is "Ubuntu 0day world of hurt". The reality is "Ubuntu12.04, no privilege escalation". That is not a serious issue, and even the author acknowledges it, so please hush big boy.
The main users of ubuntu 12.04 are mostly servers (so not likely to be affected) and the EOL is near anyway.
Re: (Score:2)
Sorry, but I totally agree with the original post. The title is "Ubuntu 0day world of hurt". The reality is "Ubuntu12.04, no privilege escalation". That is not a serious issue, and even the author acknowledges it, so please hush big boy.
The Author said: "I like to prove that vulnerabilities are not just theoretical—that they are actually exploitable to cause real problems,"
Care to share what you're basing your perspective off of? Mr Evan's actual detail *is* a long read and I fully admit I grazed it and may have missed something.
The main users of ubuntu 12.04 are mostly servers (so not likely to be affected) and the EOL is near anyway.
I'm going to presume you meant Ubuntu 16.04, and note that you're nitpicking on one of the two distributions highlighted. Regardless of the user spread between server and desktop (that was also noted in the
Re: (Score:2)
Why would you draw public attention to an exploit? You report it to the software authors and give them time. Anything else is completely irresponsible.
Sure, maybe go all sensational when the software authors refuse to listen to you for several months, and machines are falling left and right, however this doesn't look to be the case. They are never given a chance before public announcement. And at least on my Fedora 23, game-music-emu is NOT installed by default.
Script Kiddie exploits game library - news at 11 (Score:1)
Re: (Score:2)
Every anti-Linux clickbait article is the same (Score:2)
Why do I say this? Because every time some very minor Linux vulnerability crops up -- usually ones that have not actually affected anybody (the exceptions being Heartbleed and Shellshock) -- there's some ultra-clickbaity article about how the entire Linux world is getting pwned simultaneously. Thankfully some comments showing why this is total nonsense are upvoted, b
Re: (Score:2)
Re: (Score:2)
Hoarders (Score:3)
How did these distributions get to the state where they include 80s CPU emulator by default? For users with decent Internet connection, base install should be something like ChromeOS, with only video/audio codecs widely used at present. Then have an easy way to install extra stuff as needed. It's not only for security, stability, memory/storage use and performance is also affected by having a boatload of crap installed by default. And don't forget the amount/frequency of high priority updates.
Impact? (Score:2)
I glossed very quickly over the article so maybe I missed it. What is the actual *impact* of this? Privilege escalation? Crash the OS?
Just because an exploit is found doesn't necessarily mean it's a significant concern unless you can do something nasty with it.
Bad, but no zero days (Score:2)
Zero day means, that they are used to exploit people in the wild, not that there exists an proof of concept.
Re: (Score:3)
Re: (Score:2)
What if they are used as a music server?
I think both server admins using Linux that way know about this flaw...
Re: (Score:3)
What if it's not just some server? It could easily be kodi and emulation station...
Re: Play Audio on Linux? (Score:1)
No sound drivers on your systems? Are you sure?
I distinctly remeber many times installing software that had nothing to do with sound having a bunch of audio dependencies.
That's one of my criticisms of FOSS developers, they can be a bit crazy with their dependencies.
Re: (Score:3)
A big reason for that is that most distros are designed around a minimalist base install. Anything beyond that is pulled in through comprehensive dependencies in packages. Sometimes packages do list dependencies that aren't actually necessary on the principle that an unnecessary dependency results in a working system but a missing one leaves things broken. You'll see that most frequently in GUI/desktop oriented packages.
It's a harder problem still if the software dynamically loads libraries as needed. Stric
Re: (Score:1)
If you used Gentoo, this wouldn't be a problem. Crazy deps are an issue distros like Ubuntu, Windows, and Ubuntu on Windows have. Windows on Ubuntu may also have the same issues. Also systemd. And NetworkManager. And PulseAudio. And Windows 10 that apparently is attempting feature compatibility with NetworkManager's ability to completely hose networking.
In fact, just avoid anything that has deps on Poettering-ware.
Re: (Score:1)
You forgot Avahi.
Re: (Score:2)
> If you used Gentoo, this wouldn't be a problem.
Wrong. I do use Gentoo. Yes, you can create a stripped-down text-console-only install that allows you to
echo "Hello World"
from the bash prompt. And if you're only running a scientific number-cruncher program that reads a text data file and spits out calculations as text, it's great.
But try an app like Gnumeric, which is/was a great spreadsheet. I use Gentoo, and I carefully watch what gets pulled in. Over the years, Gnumeric has picked up *HARD-CODED* dir
Re: (Score:1)
I can appreciate this concern, but yes, this is something that is easy to be sure of if you're vaguely experienced with Linux.
Re: Play Audio on Linux? (Score:5, Insightful)
> That's one of my criticisms of FOSS developers, they can be a bit crazy with their dependencies.
You know that because you can see them.
My day job involves creating itemized lists of dependencies for a very large project. I can assure you that both open- and closed-source software is horrible, though I do have to admit that open-source tends to be a bit worse on the unexpected-dependency front, for a few reasons.
In closed software, there is a lot of effort spent recreating common elements. I cringed when I found a file named "sort.dll", but it's probably exactly what it looks like: A developer didn't want to depend on outside code, so they wrote a sorting function as a library. Without an audit like mine, nobody would ever notice the silly practice of rewriting what's probably built into their language, and readily available in other third-party libraries.
Open-source software, then, is more transparent. If a FOSS project reimplements a sort, it will eventually be discovered and mocked until it uses the third-party library. This is fine, as it also reduces the complexity and size of the FOSS project. However, it does then lead to a bit of shock to see that the "widget" package depends on 53 other packages including "libfoo", "libbar-dev", "libbaz-ng-perl-1.03-sparc", and so on. Compounding that, it's also trivial for the FOSS project to actually use that library, because the library itself is likely FOSS, with a compatible license. Even if all your project needs is a single function, there's no cost to depend on an entire library... and a different one for a different small part, and so on.
The tendency to include a long list of dependencies makes my job worse for FOSS, because I can't just shrug my shoulders and give up after listing the one software package without any named dependencies. On the whole, however, it does ultimately lead to a smaller (and more traceable, and higher-quality) codebase for a final system, which is why the hardware requirements for a FOSS system tend to be much lower than an equivalent system based on closed-source packages.
Re: (Score:3)
Without an audit like mine, nobody would ever notice the silly practice of rewriting what's probably built into their language, and readily available in other third-party libraries.
Have you not considered the possibility that the developer wanted different runtime guarantees than the standard library sort provided?
There are very good reasons to use something other than the bog standard quicksort with a heap sort fallback (aka introsort) in a lot of scenarios, be they server services or even games.
No, I didnt think so, nor did you find out why the programmer did include his or her own sort, as evidenced by you stating assumptions about it.
For either games or server services, tha
Re: Play Audio on Linux? (Score:4, Informative)
Have you not considered the possibility that the developer wanted different runtime guarantees than the standard library sort provided?
Yes, I have, and find it extremely unlikely that the programmer had any idea what he was doing. Mostly that analysis comes from the knowledge that the particular software package was an interface for a low-speed IO device, and could have probably have performed just fine if it relied on a bubble sort. Then again, I've also worked with the programmer responsible for that particular package, and it wouldn't surprise me to find that he had actually written his own bubble sort...
There are very good reasons to use something other than the bog standard quicksort with a heap sort fallback (aka introsort) in a lot of scenarios, be they server services or even games.
That's not really disputed, but there are third-party libraries that provide many sorting options, without having to write (and debug, and maintain) it yourself. If you have a very good reason to use a particular algorithm, find a library that provides it.
For either games or server services, that standard library introsort would never be used if I was head of the development team. No chance in hell does it perform better than radix sort (for game scenarios) or has the best possible worst case runtime (for server services.) Its a complete no-no to use it.
It sounds like you don't really know much about data processing scenarios. I once had a mentor who said something to the effect of "If you're thinking about your sorting, you're doing something wrong". The reality is that except for the most demanding applications (like rendering on the GPU), the programmer shouldn't need to think about what sorting algorithm is being used. Rather, the programmer's primary concern should be writing clean and maintainable software, and leave the exact implementation to someone else, who only needs to write according to an API specification. If that spec includes performance targets, then it will require particular algorithms. Otherwise, anything reasonably efficient will do the job, and it becomes a point of testing to compare different libraries for required functionality.
For example, let's consider the high-speed sorting used to render a 3D game world. The game programmer just needs to build the world in the game engine, and the engine will handle the sorting. The engine programmer only needs to worry about getting the data from the game library to the renderer, and the renderer will handle the sorting. The render engine programmer finally has to think about sorting algorithms... but his choices are driven primarily by the data structures present and the hardware optimization available, which may drastically change the run times of algorithms. With the appropriate hardware available, the render engine may pass off sorting to the GPU, using some of the SIMD processing capability to (for example) run a Batcher sort, rather than a radix sort on the CPU. I am told that's actually what nVidia's "game-ready" drivers do: They forcibly replace a game's poorly-optimized code with equivalents that use nVidia's hardware more effectively.
On the server side, I will refer to another aphorism: "Premature optimization is the root of all evil". If using a custom sorting method means moving data around outside of your database, you're not going to get a performance improvement. If you're concerned about worst-case performance because you might see it in real use, you should be thinking about security, not performance. If you're optimizing the application to improve user load performance, it's usually cheaper to just buy more hardware and run more back-end servers. In short, sorting is rarely the most effective target for optimization, so it's generally not worth the cost to improve, when efforts could be focused elsewhere.
Re: (Score:2)
OR........
It could have been a wrapper around the default sort algorithm that made it easier to call.....something that was more aware of the applications data structures and how to interpret them so that the default sort algorithm would work properly. Many built in sort algorithms work on primitives and built in aggregates (array, list, etc.) but if the application has some other construct, you'd want to make that call as generic as possible so that you don't have to repeat that code everywhere.
Just becau
Re: (Score:2)
If only there were a way to define a generic way to tell if two "things".... let's call them "objects".. relate to each other when doing sorting. Then, for each "object", you could compare it to another "object" and see if it is less than, greater than, or equal to the other.
I know, we can make a generic "function" of an "object", and call it.... "less". If you're in a sane language (sorry, Java), you could even use the "<" symbol to compare two "objects". Then, any sort algorithm can use this functio
Re: (Score:3)
If sorting is occurring in a performance-critical part of your code, that's probably a good idea.
But it's also hard to deny that a lot of developers will write their own sorts, etc. based on an imagined need that isn't actually there, and likely introduce needless bugs and quite possibly performance losses into their program as a result. Because let's face it - it's seriously nontrivial to write a bug-free sorting library that can outperform the optimized quicksort (or whatever) that's probably included in
Re: Play Audio on Linux? (Score:4, Informative)
In some cases, a complete sort isn't needed either, just a pigeonholing routine with adjustable bucket sizes. Using a full sort routine can then be very much slower than needed.
But what the GP post alluded at is that the interdependencies of 3rd party libraries can be humongous. It may be easy to "just" link with a library that provides a small routine, but when that in turn pulls in 10 other libraries, which in turn pull in 20 more, it becomes both a dependency nightmare and bad bloat. .a, even if it means you have to recompile your code to fix security holes instead of automatically get it with a library. .so, at least you won't have to rebuild all, but just that ,so
So in some cases, it pays off to write your own equivalent or link with an
If you single it out in your own
Re: (Score:2)
I agree with you on the dependency-minimization issues. But as I read it, that has nothing to do with the post I actually replied to, nor to the particular aspect of the GPs post they were addressing.
Re: (Score:2, Insightful)
still smug I fear, he didn't install the bad plugins...
Re: (Score:1)
he was in russia
and the bad plugins didn't installed him for some reason
Re: (Score:2)
still smug I fear, he didn't install the bad plugins...
Or use Chrome..
Or GNOME
All three are required for the exploit
Re:So where's that smug Linux dude? (Score:4, Informative)
I wonder what he'd have to say to Chris Evans.
That this is a bit disingenuous: the statement "GStreamer, a media framework that by default ships with many mainstream Linux distributions" is true, but the mentioned exploit does not requires just GStreamer, but a plugin from the "Bad" set, which is usually not installed by default in Linux distros.
Re:So where's that smug Linux dude? (Score:4, Informative)
"usually not installed by default in Linux distros" Really?
The Vanilla Ubuntu 16.04.1 desktop image I have at hand shows that it they are installed by default:
ubuntu@ubuntu16:~$ dpkg --get-selections | grep gstreamer | grep bad
gstreamer1.0-plugins-bad:amd64 install
gstreamer1.0-plugins-bad-faad:amd64 install
gstreamer1.0-plugins-bad-videoparsers:amd64 install
libgstreamer-plugins-bad1.0-0:amd64 install
Re:So where's that smug Linux dude? (Score:5, Informative)
Re: (Score:3)
Good catch! I did indeed install the restricted addons but unless I'm mistaken, thats because the installer prompts that they are needed to have the MP3 decoder.
Re: (Score:2)
Good catch! I did indeed install the restricted addons but unless I'm mistaken, thats because the installer prompts that they are needed to have the MP3 decoder.
That seems to be the case [wikipedia.org]:
"Ubuntu Restricted Extras is a software package for the computer operating system Ubuntu that allows the user to install essential software which is not already included due to legal or copyright reasons. It is a meta-package that installs: Support for MP3 and unencrypted DVD playback. Microsoft TrueType core fonts."
And ubuntu-restricted-extras [ubuntu.com] depends on ubuntu-restricted-addons as well as recommending gstreamer0.10-plugins-bad-multiverse.
Re: (Score:3)
"usually not installed by default in Linux distros" Really?
The Vanilla Ubuntu 16.04.1 desktop image I have at hand shows that it they are installed by default:
Did you check that box during install to install additional codecs that is unchecked by default?
Re: (Score:2)
Re: (Score:2)
Because how long do you think this will take to get patched on Linux vs Windows. An obscure library that may not be installed by default. I haven't checked, but I'd guess the package has already been updated.
MS on the other hand, first needs to decide that this obscure vulnerability is something to be worried about. If it's an optional feature, then they probably won't worry. And even if they do, will they release an immediate update, or will it go through a lengthy testing process and be left pending u
Re:So where's that smug Linux dude? (Score:4, Informative)
Re: (Score:2)
The impression I got from his comment was that he was more about the update problems. and sneering at Windows users in general.
I agree totally about Win10 being Big Brother's wet dream made real. I have no plans to use it, and as much as anything else, it's the philosophy behind it. Whatever privacy leaks you fix, you can be confident MSoft will be working hard to find ways around your fixes. Their philosophy is that what you want as a user is less important than what they want to get out of monetizing y
Re: (Score:2)
Yeah, I finally upgraded my gaming machine from win7 for the newer direct3d libraries, but only after having resigned myself to the fact that most of the worst Orwellian aspects had been backported to 7 anyway.
I have to say though that, despite all the grief it gets, I actually like the new start menu better. *F* the live tiles, but you can use the same space to create a "desktop" of neatly organized shortcuts, leaving your actual desktop as a workspace for the data files that inevitably accumulate anyway.
Re: (Score:2)
All good points.
I think I've got 7 locked down pretty well, and I think it will stay that way as long as I'm reasonably vigilant. I don't know if I could be so sure about 10.
Re: (Score:2)
Oh, look...some bumhurt Linux creep modded me down for simply reporting on the actions of another Linux creep.
Linux could have been the OS of choice if it hadn't been bogged down by so many a-holes.
Re: Super safe Linux (Score:3)
Re: (Score:2)
A reboot on linux IS necessary for most updates to be effective. Linux uses a reference counting system for the files and this allows it to update the files while other programs are using them. However, any program still running is also using the original (insecure) version of the file. If you have a flaw in gtk for instance you would have to restart the GUI to actually fix it.
I have had to deal with servers before that where broken into that had a patch applied but program was still running and so the orig
Re: Super safe Linux (Score:2)
Re: (Score:2)
Re: (Score:2)
On a server, you can get away with it for a much longer time. On a desktop, you're running so many varied programs that memory leaks are inevitable and a reboot is really nice. Once a month or once every 2 months is probably enough, but twice a year is the absolute minimum.
Re: (Score:2)
On a server you can get away with it for longer but if you had a libc update then that means restarting pretty much everything anyways. I ran into a system with an openssl update and something had not been restarted that was a long running process and they where exploited through it.
If a library is updated you CAN restart everything that uses that library one by one. However, if you miss even one program that can become a security problem you are not aware of. That is why it is generally better to just have
Re: (Score:2)
Is that really so? I've always heard that many or most of Linux users never reboot their systems and I felt like a noob for doing so.
Outside of a basically a kernel or glibc update, you don't need to reboot your system to make anything "take effect" unless you're using Linux on the Desktop, and why in God's name would you do something like that? You should, however, pay attention to security updates and make friends with 'lsof' for the most critical libraries. There's a yum plugin that can help identify things that might need to be bounced following an update, but it's not automatic by default because that's really something that an admi
Re: (Score:2)
Even something like an openssl update can impact more than you would remember and missing just one long running program can leave you screwed. You could try to keep track of each library and dependency and you better not make a single mistake.
It is just much easier and safer to reboot and check. Sure you can't do that in all situations but for most machines rebooting is quite fast before all services are up and running again. Why take a risk you don't need to take?
Re: (Score:2)
(...) unless you're using Linux on the Desktop, and why in God's name would you do something like that?
Better answer now: I don't use any especial application and own a game console.
Re: (Score:2)
(...) unless you're using Linux on the Desktop, and why in God's name would you do something like that?
MacOS sucks in security and Windows 10 is a resources hog.
Re: Super safe Linux (Score:2)
Re: (Score:2)
the only thing that really needs a reboot is the kernel
Or any libraries linked into very-long-running services, such as the copy of libc used by your desktop environment or inter-process communication daemon (such as D-Bus or IBus). Restarting those would bring so much down that it'd be as much of an interruption to desktop use as a reboot.
Re: (Score:2)
Restarting them yourself is likely to be more disruptive than a reboot. When you do a reboot the system is running pre-written scripts however fast it can execute them. If you run commands yourself to do all of this then it will happen at the speed you can type stuff in. The reboot process is likely to be FAR faster and won't miss anything.
Re: Super safe Linux (Score:4, Funny)
You're retarded.
Dude!
Differently abled!
Re: (Score:2)
Re: (Score:2)
Well, if you were in WIN10 you'd already be home! Or, just wait for Linux to patch his fuckup, that somehow is your fault!
I am using WIN10. I'm still waiting for the patch to fix my DHCP that the last patch broke. It's too bad that I have no networking now so my wait for that patch might be a long one.
Re: Doesn't give root access (Score:2)
Re: (Score:2)
#1 wasn't even true in XP. You could create a standard user, but it was just a huge pain to use one. Above XP, UAC stops most exploits from taking over the system.
Re: (Score:2)
It's a SNES vulnerability?
Easily fixed: up up down down left right left right b a select
Re: (Score:2)
It seems (one of) the underlying libraries got patched 2 days ago.
https://bitbucket.org/mpyne/game-music-emu/wiki/Home
I won't agree on the "free vs proprietary", but it is awesome that the people behind that project responded that quickly.
Re: (Score:2)