Ok, I’m a month late to the party, but I came across this article yesterday, and at first I brushed it off as “Windows problem”, but then I gave it a second thought. Can Linux be affected by these drive-by malware attacks? I know they can’t get deep into the OS without root/su access, but can they mess things up enough to be significant? I mean, trashing /home is pretty bad, and installing browser plugins would be bad too (can these be installed without root access)?
Theoretically YES browser plugins could be installed … and is one of the reasons behind Chrome/Chromium now requiring PPAPI plugins (which are sandboxed) and refusing to work with NPAPI plugins which aren’t.
(I doubt if plugins could be installed via “drive by” without some kind of previous malware plugin that was accepted with user intervention though)
But they shouldn’t be able to break out of your home folder.
But could malware trash your /home folder? Could it copy the contents to some remote site?
Chrome used to allow plugins to be installed without user knowledge, I’ve had to disinfect Windows installs myself (going back a year or two here though). I always thought that was crazy. It’s scary considering how ubiquitous ads are now, if they are using javascript to deploy malware on legit sites, it just makes it harder to protect your personal info.
Again, theoretically YES … and why sandboxing is becoming a more common requirement for plugins.
As I said it’s a requirement for PPAPI plugins … so even if Chrome allows other PPAPI plugins to be installed without user intervention (something that I’d seriously rally against if it’s true), if Google are doing their job properly they should be sandboxed from the rest of the system.
I agree with Google re properly sandboxed plugins … just not sure if I’m quite so happy they’re trying to use their weight to force their timescale on the world … leaving Chrome incapable of using JAVA, as Oracle only do an NPAPI plugin … good thing, or bad thing, I can’t quite decide.
I know Java 8 is on the horizon, will that address the issue or is it completely seperate?
I’m not sure how much use Java plugins actually get, the only one I’m aware of is Speedtest. Maybe the nVidia site too?
Blocking is a step too far imo, user confirmation is all that’s required as it would prevent these things running amok. Sandboxing is the way forward, but should work like requesting admin rights - when required, prompt the user. So, if a plugin needs to break out of its sandbox for whatever reason, it should prompt the user
I know Java 8 is on the horizon, will that address the issue or is it completely seperate?
Dunno :o and as I don’t really use any sites that require JAVA I’m nit really that interested … more that I’m not if I consider Google to be abusing their position to try to force the issue through at their pace.
That said, they gave plugin devs (and everyone else) plenty of advanced notice … and it’s certainly a better way forward.
And at the end of the day there’s nothing stopping you (for now) using Firefox if you want NPAPI plugins … I say “for now” as I think firefox have plans to drop plugins altogether:
Good, maybe I’m old school but I don’t like plugins. As in, I’ve never seen any that I’ve thought useful (that haven’t later been adopted as native, like Adblock). The only one I use is HTTPS Everywhere, which I think is now a native option in Firefox.