0-day on linux

[SCHISCHKA]

Quote

Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them.

http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing/

[manikyath]

to be honest the whole idea of "being immune to virusses" on pretty much any platform needs to disappear.

 

it's simply a matter of a very low adoption rate on linux (and to a lesser extent mac, compared to windows offcourse) that makes it less interesting, and thus makes people less inclined to go look for issues.

[SCHISCHKA]

17 minutes ago, wrathoftheturkey said:

Well shit.

Use your web browser inside a virtual machine running a live cd; use wget to download media content and transcode everything into a different format before playing

[SCHISCHKA]

5 minutes ago, wrathoftheturkey said:

It's more the open source with Linux -- you hope the problems get spotted by the good guys first, which they usually do

different development & distribution model. I wouldn't have been able to provide this news if i wasn't subscribed to various linux user groups and alumni at a good university. I find Microsoft updates take a lot more time to investigate and Apple news is buried within a pile of fanboy & marketing BS.

[/dev/God/Haruhi]

11 hours ago, SCHISCHKA said:

different development & distribution model. I wouldn't have been able to provide this news if i wasn't subscribed to various linux user groups and alumni at a good university. I find Microsoft updates take a lot more time to investigate and Apple news is buried within a pile of fanboy & marketing BS.

Which in turn allows for either prevention or patching. Or at least preventing "fanboy and marketing BS" which is a huge plus on it's own. Since nothing is 100% secure, at least it's good to know the risks you get exposed and get them fixed in a non disruptive manner when patches are out. Maybe is just me but doesn't it seem that lately Linux has been experiencing more bug discovery? Maybe it is just more press coverage. I don't follow every day news on this so I may be very well mistaken.

[Dat Guy]

It confuses me that people still think hacking a Linux machine was a new phenomenon. I remember Linux 0-days from the 90s.

At least the "L1n0x iz sec00r" narrative is finally coming to a halt. Less fanboy chitchat.

[elkenrod]

This is why I prefer Linux. 

 

As a layperson, I may not know the intricacies of how the exploit works, but I know how to make sure it doesn't.

 

 

[vorticalbox]

the exploit only gears the same access as you user so no root access but would allow them access to files in the home drive.