Re: Dynamically Enable Xwindows?

jKILLSPAM.schipper@xxxxxxxxxx wrote:

Again, I don't know much about graphic cards, let alone very old ones.

Running X on your computer will not make *that* much of a security
difference; certainly less than running, say, Firefox [1].

Firefox, as other browsers, speaks directly to a universe of mostly
broken code that is usually unable to pass the W3 Consortium validation
(in most cases it is too far from being acceptable). Not to mention
the large amount of add-ons in the form of javascripts, flash and so on,
added to make a useless URI look pretty. I am not surprised about
the vulnerabilities related with something that is as open on its
specifications as the languages and tools used in relation with the
world-wide web.

Stopping the X11 server is not necessary to exploit the graphic card;
injecting some additional code is sufficient, and this can be done
without stopping it.

Indeed, it is the base for injection attacks. I was just thinking
on the simple example provided in the paper, that requires /dev/xf86
to be available for opening.

There are some ways to limit root's powers, noticeably securelevels, but
they tend not to work that well.

I certainly do not trust a lot on securelevels. A secure level can
be easily changed (after a reboot at most) and usually restrict the
ability of managers to monitor the servers (e.g., reading S.M.A.R.T.
reports)

[1] Which is in many ways a very good program, but it does have much
more vulnerabilities than any other program I run on a typical desktop
machine.

It seems that both Coverity and the code auditing being done
are discovering a lot of bugs in firefox right now. We have a new
release each two weeks or so fixing some important bugs. I hope
that this code auditing process will make firefox as secure as
typical desktop applications soon.

Cheers,
Igor.
.

Relevant Pages

  • Re: question to mfers here who know shit bout computers, from Trav
    ... Personally I don't know anyone who's used both IE and Firefox or Opera ... what was secure last week might not be so ... isolating infected machines, and locking down everything. ...
    (rec.martial-arts)
  • Re: Firefox
    ... IE is still not a secure browser, if it was, users ... > would not have so many tool-bars and spyware being installed on their ... to Firefox will not stop users from doing dumb things. ... > more secure browser by default than IE. ...
    (microsoft.public.windowsxp.general)
  • RE: [Ring-of-Fire] [Full-Disclosure] IE is just as safe as FireFox
    ... The guy has never run Firefox, ... The reality of the situation is that IE is not secure for the average ... I would never let my internet-naiive mother use Internet ... Microsoft's security and mangement product manager (Ben English) says... ...
    (Full-Disclosure)
  • Re: Losing Control of my Computer
    ... >> though works better with some of the IE shells that secure it somewhat ... >> better though only because they change behaviors of IE. Firefox loaded ... >> Turning someone loose with the nixs without the knowledge of the dangers ... > before the patch came out they blocked the security hole by redirecting ...
    (alt.computer.security)