Where's the "one click exploit" for Linux?

Mark Kent · External Since: Feb 09, 2005 Posts: 5545

begin oe_protect.scr
Jim Richardson <warlock.DeleteThis@eskimo.com> espoused:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sun, 1 Oct 2006 13:09:31 -0500,
> Erik Funkenbusch <erik.DeleteThis@despam-funkenbusch.com> wrote:
>> On Sun, 01 Oct 2006 19:33:12 +0200, Richard Rasker wrote:
>>
>>> Op Sun, 01 Oct 2006 18:01:29 +0100, schreef B Gruff:
>>>
>>>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>>>
>>>>> But I have one request: please show me those one-click exploits for Linux.
>>>>> I can't seem to find any, except for Windows (where they seem to be the
>>>>> rule rather than the exception).
>>>>
>>>> How about this:-
>>>>
>>>> http://www.whitedust.net/speaks/3006/
>>>
>>> Well well, that'd be one of the very first. OK then, if this one is for
>>> real and Linux proves vulnerable, my question is answered - alas :-/
>>
>> Which just proves my point. Lack of attack does not equal lack of
>> vulnerability. You really need to stop with this attitude of thinking
>> you're immunue until proven otherwise.
>
>
> you keep coming up with that strawman. We don't claim Linux is immune,
> merely that it is far less vulnerable than MS-Windows.
>

Except it turned out that they were making a false claim, and there is
no such one-click exploit for Linux.

Of course, nobody claims total immunity, however, the malware ratio from
Windows to Linux is >> 100,000:1 That means a typical Linux machine is
over 100,000 times safer for normal usage. That's 5 orders of
magnitude, and is not to be sniffed at.

--
| Mark Kent -- mark at ellandroad dot demon dot co dot uk |
Q: Heard about the <ethnic> who couldn't spell?
A: He spent the night in a warehouse.

Mark Kent · External Since: Feb 09, 2005 Posts: 5545

begin oe_protect.scr
Johan Lindquist <spam RemoveThis @smilfinken.net> espoused:
> So anyway, it was like, 13:36 CEST Oct 03 2006, you know? Oh, and, yeah,
> Linonut was all like, "Dude,
>> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>
>>> As long as there are vulnerabiliies, there is no security.
>>
>> All right, get into the full lotus position right now and achieve
>> nirvana.
>>
>> Another dogmatic whopper by Erik Funkenbusch.
>
> "There is no security", sounds like a catchphrase from the upcoming
> blockbuster "Matrix IV - recracked".
>

Oh no no please - not another run of that rubbish. Mrs Mark is a big
Keanu Reaves fan, but even she gave up half-way through the last one -
it was just total tosh.

--
| Mark Kent -- mark at ellandroad dot demon dot co dot uk |
Q: Heard about the <ethnic> who couldn't spell?
A: He spent the night in a warehouse.

Richard Rasker · External Since: Jul 27, 2005 Posts: 170

Op Tue, 03 Oct 2006 19:02:46 -0500, schreef Erik Funkenbusch:

> On Tue, 03 Oct 2006 21:03:27 +0200, Richard Rasker wrote:
>
>> Op Sun, 01 Oct 2006 19:33:12 +0200, schreef Richard Rasker:
>>
>>> Op Sun, 01 Oct 2006 18:01:29 +0100, schreef B Gruff:
>>>
>>>> On Sunday 01 October 2006 10:46 Richard Rasker wrote:
>>>>
>>>>> But I have one request: please show me those one-click exploits for Linux.
>>>>> I can't seem to find any, except for Windows (where they seem to be the
>>>>> rule rather than the exception).
>>>>
>>>> How about this:-
>>>>
>>>> http://www.whitedust.net/speaks/3006/
>>>
>>> Well well, that'd be one of the very first. OK then, if this one is for
>>> real and Linux proves vulnerable, my question is answered - alas :-/
>>
>> OK, it turned out it wasn't for real (ah, the wonderful feeling of always
>> taking every possibility into account) - it was a hoax.
>
> It wasn't a hoax. It was a real vulnerability that the Mozilla team has
> responded to.
>
> The comments were apparently taken out of context, though. The presenter
> said "I have not succeeded in making this code do anything more than cause
> a crash and eat up system resources, and I certainly haven't used it to
> take over anyone else's computer and execute arbitrary code."
>
> What he's saying is that he hasn't figured out how to make it execute
> arbitrary code, not that the vulnerability isn't capable of it.

Proving that something isn't possible, is, um, not possible. And that's
proven. Or not, actually.

>
> In other wods, it's a DoS exploit, but could be an arbitrary code
> execution exploit.

Every software flaw is a potential code execution hazard. The keywords
here are "potential", "could be", "may".
There must be countless ways to craft a DoS in Javascript. But none of
them so far have led to remote code execution. Heck, every now and then I
stumble on web pages with semantic Javascript errors, resulting in 100%
CPU usage, or (indeed) Firefox crashing. And even without Javascript there
must be lots of ways to choke even the best of browsers.

Yes, these things must be taken seriously, otherwise we'll be in the same
appalling mess Microsoft has got itself into. But no, it's no good to cry
wolf every time a simple software flaw rears its head.

>> So, all you Microsoft apologists and Wintrolls, the question still stands
>> strong: where is the one click exploit for Linux? Well?
>
> Back to this lame duck argument again, eh?

It *was* the question I wanted answered in this thread, yes. And so far,
it isn't answered.

Richard Rasker

--
Linetec Translation and Technology Services

http://www.linetec.nl/

William Poaster · External Since: Sep 10, 2006 Posts: 125

On Tue, 03 Oct 2006 22:11:04 -0500, Linonut wrote:

> After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:
>
>> It wasn't a hoax. It was a real vulnerability that the Mozilla team has
>> responded to.
>>
>> The comments were apparently taken out of context, though. The presenter
>> said "I have not succeeded in making this code do anything more than cause
>> a crash and eat up system resources, and I certainly haven¢t used it to
>> take over anyone else¢s computer and execute arbitrary code."
>>
>> What' he's saying is that he hasn't figured out how to make it execute
>> arbitrary code, not that the vulnerability isn't capable of it.
>>
>> In other wods, it's a DoS exploit, but could be an arbitrary code execution
>> exploit.
>>
>>> So, all you Microsoft apologists and Wintrolls, the question still stands
>>> strong: where is the one click exploit for Linux? Well?
>>
>> Back to this lame duck argument again, eh?
>
> (This is the guy whom DFS claims rulez COLA?)

Well we know Doofu$ is stupid, & as for Ewik ruling COLA....how come he
can't answer his own claims?
There are *still* unanswered questions about his claims, such as:

1] Where does NTFS store its journal?

2] How did the Morris worm spread by email?

3] What about using MS TT fonts on Linux?

4]Can he provide evidence for plenty of examples of competing ISO
standards?

5] Why is ok for *him* (without asking permission) to publicize other
people's personal information, but if a person chooses to
publicize personal information about *himself*, it is "inappropriate".

6] What about the "thousands of root exploits per month" he claimed,
& was then found to be making it all up?

7] How does Funkenbusch *know* Roy didn't come by the picture he's
ranting about, honestly?

8] How does he *know* that Roy does /not/ have the legitimate right to
use the picture despite what the copyright owner claims is the case?

The list of unanswered questions about *his* claims is growing, but Ewik
The Weasel will probably continue ignoring it.
His credibility rating is -9999 AFAIC.

--
Never argue with a wintroll, they drag
you *down* to their level of stupidity,
then beat you with their experience.
-- Paraphrased, with acknowledgement to Dilbert --