Re: Browser security under Linux



On 2007-07-16, Geico Caveman <spammers-go-here@xxxxxxxxxxxx> wrote:
> Mark Shroyer wrote:
>
>> In fact, as much as I loathe IE, I have to admit that Internet
>> Explorer 7 on Windows Vista has a distinct advantage in protecting
>> the user against an attacker gaining _write_ access to his
>> filesystem: IE 7 on Vista runs as a low-integrity process, prevented
>> by the operating system from gaining write access to anything
>> outside of the Temporary Internet Files directory and the user's IE
>> profile. Firefox on Linux currently offers no such added layer of
>> protection.
>
> And no browser on Linux can write to any file / directory for which the user
> running that browser does not have write permissions.

Which includes the user's home directory. Most end users would
consider that the most valuable part of the filesystem.

> What you write above matters for Windows because you end up running, from a
> usability standpoint, everything in Windows effectively as root. Something
> that is neither necessary nor even encouraged in Linux.

That used to be true. In Vista (and even, to an extent, in XP) it
is absolutely not necessary to perform day-to-day activities with
administrator privileges. Furthermore, even if you are logged into
Vista with an administrator class account, you and your applications
cannot actually utilize administrative privileges without going
through UAC first.


>> The point is that Linux, great operating system that it is, is no
>> magic bullet.
>
> I agree with that totally. I just take an exception to the example you
> presented. I mean what is next? Linux is less secure because it does not
> have a lot of anti-virus tools?

My point was that Linux users should not be complacent about web
browser security on account of the fact that their operating system
has a reputation for security; my example to this effect was that
Vista does a better job sandboxing its built-in web browser than
current Linux distributions do. Do you disagree?

> A totally secure operating system is an ideal case that does not exist.
> However, there is a great deal of daylight between the mud patched security
> model that Windows has been struggling with ever since it started, and
> networked from the beginning, secure by operation model that Linux and
> Unix-like OSes have.

Linux and other Unix-like operating systems used to have security
worlds ahead of Windows. For security's sake, I'd still take RHEL
or OpenBSD over Windows any day.

What worries me is that people seem so blinded by Windows's past
failings that they refuse to recognize the real progress that
Microsoft has made. Vista provides compile- and run-time protection
against stack smashing and heap overflows the likes of which are
only really available in Red Hat's offerings (and Gentoo,
optionally); it also gives its users OpenBSD-inspired address space
layout randomization for an extra layer of protection should a
buffer overflow actually succeed. Windows security is hardly the
nightmare it used to be, which makes it that much more ridiculous
for Linux users to be complacent by comparison.

--
Mark Shroyer
http://markshroyer.com/
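
The write confinement described above for IE 7 on Vista can be approximated on current Linux kernels with Landlock, which postdates this thread. The following is an added example, not code from the post or from any browser: a forked child gives up the right to create or write files anywhere except one cache directory, then probes both locations. The function names and the two temporary directories are constructed for illustration, and the syscall numbers 444 to 446 assume a mainstream architecture such as x86-64 or arm64.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock ABI v1 layouts and bits, spelled out so old kernel headers suffice. */
struct ruleset_attr { unsigned long long handled_access_fs; };
struct path_rule { unsigned long long allowed_access; int parent_fd; } __attribute__((packed));
#define WRITE_RIGHTS ((1ULL << 1) | (1ULL << 8)) /* WRITE_FILE | MAKE_REG */

/* Returns 1 if a file can be created in dir (and removes it), 0 if refused. */
static int can_create(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/probe.tmp", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd); unlink(path);
    return 1;
}

/* Child side: 0 = writes confined to cache_dir, 1 = not confined, 2 = Landlock unavailable. */
static int confine_and_probe(const char *cache_dir, const char *home_dir) {
    struct ruleset_attr attr = { WRITE_RIGHTS };
    int rs = (int)syscall(444 /* landlock_create_ruleset */, &attr, sizeof attr, 0);
    if (rs < 0) return 2;
    struct path_rule rule = { WRITE_RIGHTS, open(cache_dir, O_PATH | O_CLOEXEC) };
    if (rule.parent_fd < 0 ||
        syscall(445 /* landlock_add_rule */, rs, 1 /* PATH_BENEATH */, &rule, 0) ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(446 /* landlock_restrict_self */, rs, 0)) return 2;
    return (can_create(cache_dir) && !can_create(home_dir)) ? 0 : 1;
}

/* Forks so that only the child is restricted; returns the child's code, -1 on error. */
int run_confined_probe(const char *cache_dir, const char *home_dir) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(confine_and_probe(cache_dir, home_dir));
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { /* both directories are constructed stand-ins */
    char cache[] = "/tmp/cache_XXXXXX", home[] = "/tmp/home_XXXXXX";
    if (!mkdtemp(cache) || !mkdtemp(home)) return 1;
    printf("probe result: %d\n", run_confined_probe(cache, home));
    rmdir(cache); rmdir(home);
    return 0;
}
```

Only file creation and writing are restricted here; reads, deletions and directory creation stay governed by ordinary Unix permissions, so a real policy would handle more access rights.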