Review And Predictions For Security

Recently there was a big 0day exploit in the wild for the Java Runtime Environment. A lot of websites were hacked and they were distributing malware via the exploit. Oracle’s response was atypical, they got a patch out within a somewhat reasonable time and, beyond that, they’ve implemented a feature that allows Java to always prevent unsigned applets from running. That’s good news for users who need Java, and can’t just disable it.

On top of that Firefox has joined Chrome and now disables Java by default  requiring user interaction to let any Java applets run, whether signed or not. Firefox and Chrome hold a combined number of users that dominates browser market share. Millions of users who have moved to Firefox’s latest version will now have to click multiple times just for an exploit kit to begin.

The combination of these two new features means that Java is less of a viable target than it was so recently. It will likely take months for the effects of these changes to propagate throughout the world but at some point the majority of users will have Java denied by default.

And then what? Attackers will have a number of options. They can start focusing on local exploits paired with remote exploits, to get out of sandboxes that are now used in Flash, Chrome, and Internet Explorer 9/10. They can continue targeting Java, with less reliability. Or they can find a new target, maybe mass-spamming IM clients, attacking antiviruses, torrent clients, etc.

I can’t predict what hackers will or won’t do. Trends can start spontaneously, but we can predict that as Java’s security slowly improves, and as browsers take more and more responsibility for the plugin, successful exploitation of the plugin will decrease. Whatever attackers wind up doing we’re probably going to find some changes in the threat landscape in 2013/2014.

Finally Running Netflix On Linux

For years users of Linux have been finding workarounds to get Netflix running on Linux, primarily by running Windows in a virtual machine and then Netflix within that virtual machine. The reason for this is that Netflix will only run with DRM support, and although Linux has created projects that work with Silverlight content they could not recreate/ bypass the DRM.

Recently there has been a major advancement. WINE, the software used to run Windows software within Linux, has a few  patches that allow it to run Netflix on Linux systems. It’s not perfect yet, it’s a little choppy, but you can run Netflix straight from your Linux OS without having to resort to resource heavy virtual machines.

To get started just run the following commands in your terminal:

sudo apt-add-repository ppa:ehoover/compholio

sudo apt-get update

sudo apt-get install netflix-desktop

Launch netflix-desktop and enjoy! It’s really that simple. I’ve been watching Netflix on Linux Ubuntu 12.10.

A tip: if your video is choppy try playing it in full screen, this seems to improve performance.

With Steam coming to Linux and now a working Netflix player I think a lot of users will be taking a serious look at desktop Linux.

Donate to WINE so we can see continued improvements to an incredible project: http://www.winehq.org/donate/

Note: This is not a supported method for playing Netflix. But it works!

Windows 8 Metro Isn’t So Bad

Windows 8 ships with a new User Interface that’s gotten a lot of flack but the truth is that I’ve found it very easy to adjust to and it hardly differs from Aero for my usage. If you look at the UI as a whole, at every part, then it looks much further from Aero, but if you just focus on the parts that the average person is going to use… it’s really quite similar.

Here’s a picture of what I’m staring at 99% of the time I’m on my computer.

Image

Hardly a major change from Windows Vista or 7. The only noticeable change for me is the start menu, which is now a start ‘screen’.

Image

 

That’s a fairly large difference, but not wholly unwelcome. There are benefits, such as having live tiles and the large icons are easy to read, and there are downsides, such as being taken from whatever you’re doing and being put entirely into this new menu.

It doesn’t interrupt my workflow, personally. 

This isn’t really a review of the UI but I think people should understand that while as a whole the user interface is very different, when you cut down to the bits you’ll interact with, it’s almost identical to Windows 7.

And if you’re after security Windows 8 is going to outperform Windows 7 there, especially after further hardening.

 

Ubuntu 12.10 Will Include A Wayland PPA

The Wayland Compositor will be available to Ubuntu users via PPA. Though it’s not ready for stable release users will be able to install and test it out and track the progress.

Moving from X to Wayland yields various benefits and pitfalls and they’re not really within the scope of this blogs focus. Essentially they work with Compiz and have to do with your Graphic User Interface.

What’s more interesting about the move to Wayland is the separation of global hotkeys.

X Keylogging is pretty simple. It’s easy to demonstrate too. In the terminal (no root required):

xinput list

Now find the ID for your keyboard (11 for me).

xinput test 11

Now begin typing. You’ll quickly see your keys are appearing in the terminal. No matter where you type (sudo, gksudo, for some scary examples) your input will be logged. And without root.

This is because hotkeys for a single X service are global – any application can register hotkeys. An exploited process can both send and intercept all input if it’s running within the same X service.

Wayland separates hotkeys. They aren’t globally registered so one programs hotkeys should be isolated from the next. That’s how I’ve understood it at least but I haven’t read much – I can’t really find a ton out there. If anyone has more information on this leave it in a comment – thanks.

This vulnerability in X is fairly major and it’s been known and demonstrated for ages. Yet there’s no fix or any plans to fix this. It’s a bit ridiculous. With a compromised Pidgin process (for example) I can read any input to any other windows. If a user opens up truecrypt I get the input for their root password to GKsudo. I also get their Truecrypt password.

If they open up a terminal I can sniff their root password. From that point I can actually send the terminal my own input, from Pidgin, allowing me to do just about anything.

This issue doesn’t get enough attention.

Some Really Interesting Chrome Statistics

The following chart shows the usage of plugins over a 28 day period for Chrome users who opted into data usage monitoring. Really interesting. 99.9% of users used Flash at least once. A full 58% used the PDF reader. And only 12% used Java.

Plug-in name Percentage
Flash Player 99.9%
Chrome PDF Viewer 58%
Silverlight 26%
Java 12%
QuickTime 4%
Windows Media Player 2%

Mark Shuttleworth Talks About UI – Unity, Metro

This is a long article and it’s worth reading the whole thing. I just want to point out one tiny little piece that, after using Windows 8 since public release, I’ve found to be really true.

[In Windows 8] you have this shiny tablet interface, and you sit and you use  then you press the wrong button then it slaps you in the face and Windows 7 is back. And then you think OK, this is familiar, so you’re kind of getting into it and whack [Windows 8 is back].”

 This is exactly the situation I was in. I loved the new Windows 7’y metro style interface but all of a sudden I’d be in some full screen application. And then back and forth.