[Madlug] Adobe Flash - Possible Trojan Horse?

Marcin Antkiewicz madlug at kajtek.org
Sat Jan 26 10:02:47 CST 2008


> With that in mind I think I'm going to look into running firefox as a different
> user with the aid of kdesu (gksu) or something.  The attack vectors are just
> going to keep piling up and the malware is going to get more sophisticated.
> I'd rather not have an Adobe/Java/blah plugin vulnerability sending my
> ~/.ssh/id_dsa key off to timbuktu someday. :/

I know, ahem, people who have dedicated users for running man pages, 
running 3rd party scripts, etc. That's one way. I know another madlugger, 
who has apache/php/gallery running in OpenBSD systrace jail [0] (at the 
cost of a few hours of mundane work).

read [1]

The problem with your idea is that, at this point, most attacks targeting 
browsers will abuse vast holes in the browser trust (err, security) model.

It seems that there is more demand for your cookies, session data, and 
whatever is in your firefox tabs, than there is for your ssh keys. su will 
not help with that much, because it's still the same user (see [2] for a 
collection of random links).

What you need is a browser that has a working security model, and is 
treated as a potentially hostile "DMZ app", rather than something that "is 
behind the firewall".

see the Shmoocon presentation about Jikto [3] (130 MB)

--
Marcin Antkiewicz

[0] http://www.openbsd.org/cgi-bin/man.cgi?query=systrace&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

[1] http://ajaxian.com/archives/dangers-of-remote-scripting

[2]
http://www.securityfocus.com/archive/1/442452/30/0/threaded
http://shiflett.org/articles/foiling-cross-site-attacks
http://tech.rufy.com/2006/06/javascript-based-firewall-immobilizing.html
http://www.symantec.com/enterprise/security_response/weblog/2007/04/jikto_out_and_about.html

[3]
http://www.shmoocon.org/2007/videos/JavaScript%20Malware%20for%20a%20Grey%20Goo%20Tomorrow%20-%20Billy%20Hoffman.mp4
