KDE struck by major security flaw

By Derek Sooman on January 23, 2006, 8:04 PM
Users of the popular KDE environment for Linux will be unhappy to hear that Linux vendors are warning of a serious security flaw affecting the software. The bug is the most serious to hit KDE in almost a year and lies in kjs, a JavaScript interpreter used by the Konqueror web browser and other parts of KDE. Apparently, an incorrect bounds check in the interpreter allows a heap-based buffer overflow when it decodes maliciously crafted URI sequences encoded in UTF-8. An attacker could use this to crash programs that use kjs, such as Konqueror. Exploits that execute malicious code are also possible.

Security vendor Secunia, which maintains a vulnerabilities database, said the flaw was "highly critical".




User Comments: 21

Need_a_Dell said:
Linux users don't have too much to worry about, seeing as there are hardly any viruses targeting them. Most hackers and virus creators target the bigger boys. (i.e. Windows) Hopefully a patch will be out for that soontime!
DragonMaster said:
KDE looks good and is user-friendly but IMO is not pretty good security and reliability talking. You don't know how many times I've got crashes from "kicker" on Fedora Core 4 and "kded" on Mandriva 2006.
vigilante said:
[quote]Most hackers and virus creators target the bigger boys[/quote]This is the most commonly accepted reason. Which I suppose is valid right now. But it does make one wonder just HOW secure Linux really is, if all the hackers turned their attention on Linux. Heck, it could possibly be just as bad, we just don't know because they aren't targeted.
Race said:
[b]Originally posted by vigilante:[/b][quote][quote]Most hackers and virus creators target the bigger boys[/quote]This is the most commonly accepted reason. Which I suppose is valid right now. But it does make one wonder just HOW secure Linux really is, if all the hackers turned their attention on Linux. Heck, it could possibly be just as bad, we just don't know because they aren't targeted.[/quote]My sentiments exactly. Suggestion: It would be nice if it were possible to delete your own posts. Some sort of malfunction has posted my original message twice! [Edited by Race on 2006-01-24 00:36:58] [color=red]Duplicate post deleted--Mictlantecuhtli[/color]
PanicX said:
[b]Originally posted by Need_a_Dell:[/b][quote] Hopefully a patch will be out for that soontime![/quote]Try reading the article.[b]Excerpt from the news article:[/b][quote]KDE released a source code patch at the end of last week, and Linux vendors have followed on with binary patches. Fixes are available directly from Ubuntu, Red Hat, Debian, Suse, Red Hat's Fedora project, Gentoo and others.[/quote]What, no 7 day wait? Amazing.
exscind said:
[b]Originally posted by Need_a_Dell:[/b][quote]Linux users don't have too much to worry about, seeing as there are hardly any viruses targeting them. Most hackers and virus creators target the bigger boys. (ie. Windows) Hopefully a patch will be out for that soontime![/quote]The statement is true, but not the disproportion that many people think. I think another reason is due to the lack of media coverage when Linux (via KDE) suffers an attack. But granted, an applaud to KDE is needed because the wait is much shorter than Microsoft's.
Mictlantecuhtli said:
[b]Originally posted by DragonMaster:[/b][quote]KDE looks good and is user-friendly but IMO is not pretty good security and reliability talking. You don't know how many times I've got crashes from "kicker" on Fedora Core 4[/quote]Kicker crashes [i]every time[/i] I log out from FC4.
paulwuzhere said:
This is very sad. I have always loved KDE. I used it with Mandrake Linux 9.2. It's really too bad there is a security flaw in it. Eh, I liked Blackbox more anyway.
MonkeyMan said:
This is one serious security flaw. I'm sure there will be a fix to it, if it's at all possible, but Linux users should beware of this new flaw, because if executed, it could really make you one angry customer.
sngx1275 said:
The potential of a Linux virus to completely destroy your system is much less than that of a Windows virus. Most Windows users are running with administrative privileges 100% of the time. Most Linux users are not.
DragonMaster said:
[quote]This is the most commonly accepted reason. Which I suppose is valid right now. But it does make one wonder just HOW secure Linux really is, if all the hackers turned their attention on Linux. Heck, it could possibly be just as bad, we just don't know because they aren't targeted. [/quote]And MacOS, UNIX and all of them too I suppose -- but [quote]Most Windows users are running with administrative privileges 100% of the time. Most Linux users are not. [/quote]So if a virus attacks, you lose your profile and not all the system. Still need to make backups -- but smaller ones. It's practically impossible to use Windows without being an admin: There's no box coming out and asking you for the admin password every time you need to have them. Instead, it's to log off, log on, do what you wanted, log off, log on.[quote]Kicker crashes every time I log out from FC4.[/quote]Lucky you! Me it's every time I close an app that has an icon in the system tray.
mentaljedi said:
At least they're not waiting 2 weeks like Microsoft does. Linux may have a flaw here or there but it doesn't change their impressive record.
Didou said:
[b]Originally posted by DragonMaster:[/b][quote]It's practically impossible to use Windows without being an admin : There's no box coming out and asking you for the admin password every time you need to have them. Instead, it's to log off, log on, do what you wanted, log off, log on.[/quote]I guess you didn't know you could right-click on an executable & pick "Run as..." ? ;-)
Nic said:
You can even edit shortcut/icon properties to prompt for the admin password... ;=)
nathanskywalker said:
Well, both good and bad for everyone, Windows has always seemed to be the primary target, which is of course, very bad for Windows users ;). Linux does not seem to have drawn too much attention to itself yet, and its response time has been impressive. Of course in time, this may change, so getting used to several platforms would probably be a good idea....
PanicX said:
[b]Originally posted by Didou:[/b][quote][b]Originally posted by DragonMaster:[/b][quote]It's practically impossible to use Windows without being an admin : There's no box coming out and asking you for the admin password every time you need to have them. Instead, it's to log off, log on, do what you wanted, log off, log on.[/quote]I guess you didn't know you could right-click on an executable & pick "Run as..." ? ;-)[/quote]Not always, for instance when trying to launch the "Add printer" function.
DragonMaster said:
[quote]I guess you didn't know you could right-click on an executable & pick "Run as..." ? ;-) [/quote] Is that a registry hack or something not available on Win2k?
sngx1275 said:
[b]Originally posted by DragonMaster:[/b][quote][quote]I guess you didn't know you could right-click on an executable & pick "Run as..." ? ;-) [/quote] Is that a registry hack or something not available on Win2k?[/quote]Must not be available in 2k, I've done no registry hacks to my work machine, and I can select Run as...
Mictlantecuhtli said:
[b]Originally posted by sngx1275:[/b][quote]Must not be available in 2k, I've done no registry hacks to my work machine, and I can select Run as...[/quote]You need to have (at least) "Secondary Logon" service running.
PanicX said:
Also, try holding down shift when you right click. It'll normally add the option for you.
yoyomama said:
Every Linux user should get used to both KDE and Gnome. Both are super easy to learn for users familiar with Windows; I've only been using Linux for the past 4 weeks and have no problem using either setup. Don't quote me on this, but I believe a (free) distribution like Suse (www.opensuse.org) gives you the option to choose either KDE or Gnome each time a user logs in.