January 20, 2006 11:44 AM PST

KDE flaws put Linux, Unix systems at risk

By Joris Evers
Staff Writer, CNET News.com

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
Email
Print

Related Stories: Homeland Security helps secure open-source code
January 10, 2006; Apple opens up open-source effort
June 7, 2005; Major browsers bitten by security bugs
October 20, 2004

A serious vulnerability has been found in the popular KDE open-source software bundle. The flaw, deemed "critical" by the research outfit the French Security Incident Response Team, could allow a remote attacker to gain control over vulnerable systems. KDE is a desktop software package for Linux and Unix systems and includes the Konqueror Web browser and other applications.

The vulnerability lies in the JavaScript interpreter engine used by Konqueror and other parts of KDE, according to a security advisory posted Thursday. An attacker could craft a special UTF-8 encoded URI sequence to exploit the flaw, according to the advisory. For an attack to be successful, a person would have to visit the attacker's Web page using Konqueror, the FrSIRT said in its alert. Affected are KDE 3.2.0 up to and including KDE 3.5.0. Fixes are available.

Add a Comment (Log in or register) 25 comments (Showing first 20 comments)

?nix Has Flaws?
by mooredynasty January 20, 2006 1:23 PM PST: I thought only Windows had these problems...; Reply to this comment View all 3 replies
Processing

No system is truly safe
by thomaskray January 20, 2006 1:43 PM PST: Just goes to show that ANY system can be at risk. No OS is really any better than the next.; Reply to this comment View reply
Processing

But in this case
by LouisC January 20, 2006 1:59 PM PST: like i said in my other reply, it's not a fault in the OS. It's a fault in the webbrowser of a specific DE. There are tons of other browsers out there (Epiphany, Opera, Mozilla, Firefox, etc...) that don't have this flaw.; Reply to this comment

Attack Surface
by pythonhacker January 21, 2006 9:27 AM PST: As someone said in the comments, no system is 100% secure. A better way is to look at the "attack surface" presented by a system to malicious code. This is directly related to the security of the system.

Unix/Linux systems, which by employing user/process privileges reduce the attack surface considerably when compared to Windows which has a much larger attack surface due to flawed design, such as an integrated browser among others. Linux provides additional security features to reduce the attack surface with features such as LSM (Linux Security Module) and SELinux.

For example, if the same vulnerability was present in say I.E the attack surface would have been much greater than KDE due to the tight integration of I.E with Windows. In Linux this is much reduced due to the inherent security advantages of the Unix OS.

The next time you see a security alert about an OS, it helps to think about the attack surface it exposes. It gives a better sense of the actual vulnerability of the system to the flaw than an alarmist headline.; Reply to this comment View all 2 replies
Processing

Does ANYONE use Konqueror on the web?
by matt5hansen January 21, 2006 4:45 PM PST: It's a crappy browser for the web. This certainly is not headline news.; Reply to this comment View all 3 replies
Processing

just userspace
by markhahn January 23, 2006 8:55 AM PST: unfortunately, the media is so used to reporting windows vulnerabilities that they don't realize that a user-space compromise under *nix is very far from critical. sure, it might inconvenience _a_ user. but it doesn NOT put the _system_ at risk.; Reply to this comment View reply
Processing

Necessary clarification
by petrus4 January 23, 2006 10:43 PM PST: The builtin security system of UNIX/Linux systems is such that a user would need to be running Konqueror via the root or superuser account in order for it to compromise the entire system. Strictly speaking, hardly any processes on a properly controlled system should be using the root account at all...Virtually everything should be delegated to well-defined, limited, sub-user accounts. Protecting against these types of exploits is precisely why this security system exists, and if the system is used properly, such exploits are not a major problem.; Reply to this comment

Linux flaw(s)
by aqvanavt January 24, 2006 7:01 AM PST: I think people should realize that as Linux expands the more vunerable it will become to malicious hacking. Which is pretty weird considering that you can contribute to it's evolution with out being destructive.; Reply to this comment

See all 25 Comments >>

Latest tech news headlines

Research: Worldwide mobile sales up almost 12 percent last quarter
Posted in News - Wireless by Caroline McCarthy

August 28, 2008 7:06 AM PDT
British man to face hacking charges in U.S.
Posted in News - Security by Tom Espiner

August 28, 2008 7:03 AM PDT
Video: Democratic convention, day 3 recap
Posted in News - Politics and Law by Jonathan Skillings

August 28, 2008 7:01 AM PDT

RSS Feeds

Add headlines from CNET News.com to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
After flight delays, FAA may add backup system
The Federal Aviation Administration plans to upgrade its decades-old technology for flight-plan processing and potentially add a third backup system.
Gallery
Images: IE 8 rising to the competition
Military Tech
New binoculars make the most of mirage
Military looks to new binocular system to penetrate heat haze.
Outside the Lines
EIC Squared: Psystar vs. Apple, Cisco vs. Microsoft, Dell's cloud
On this episode of the EIC Squared podcast, CNET News' Dan Farber and ZDNet's Larry Dignan discuss the week's news.
Video
Democrats: Twitter, text, or telephone?
News - Wireless
Research: Worldwide mobile sales up almost 12 percent last quarter
The only global region showing a dip in handset sales was western Europe, according to market research firm Gartner.
Video
Bigger blogger presence at DNC
News - Politics and Law
Video: Democratic convention, day 3 recap
Vice presidential nominee Joe Biden gives the climactic address of Wednesday evening, following a speech by former President Bill Clinton.
News - Cutting Edge
Rocket Racing League takes off with new engine, DKNY
The league, an aspiring Formula 1 for rocket racing, chooses a new liquid oxygen-alcohol engine from Armadillo Aerospace, a suborbital space company founded by Doom creator John Carmack.
Gallery
Photos: Empowering youth with computers
Inside CNET Labs Podcast
Inside CNET Labs 10.5: Sometimes it's ok to drink wine alone people!
Episode 10.5 of the Inside CNET Labs Podcast
Green Tech
GE reshapes the future of wind power
How to make wind 10 percent of electricity generation? Funky-shaped turbine blades, high-tech materials, and smarter grid connections, says GE's head of wind research.