Indeed. This is one of the reasons I use the SELinux sandbox to run my browser: there are a lot of ways that a browser could become a vulnerability. I would like to think I would always remember not to copy/paste from a website into my terminal, but the truth is that I could easily forget -- if I were in a hurry, if I knew the guy who made the website (but did not stop to think that someone might have hacked into the server), etc. Unfortunately it is hard to advise that everyone do this; the sandbox is very restrictive and basically incompatible with how most people use their computers.
About that, recently I started to watch some videos about SELinux, and I tought it could be a good idea to use it for isolating some likely-to-leak software (e.g. Skype).
I don't understand what it is but there is a culture in Ruby/Node to make installation "easy" to the extent that it is dangerous and, worse, offer no documented alternative.
Installing rvm shouldn't add lines to my .zshrc without prompting me. That behavior would be outrageous anywhere else but in Ruby land it's normal.
This then dumb for at least two reasons. I never copy-paste commands because no learning occurs. If you want to work at the command line, you have to work. At the command line.
Given the high price relative to the number of consumers that might be attacked with this software, I'd bet that it will mostly be purchased by people who want to do spear fishing.
26 comments
[ 3.0 ms ] story [ 67.2 ms ] threadIt is not a real remote exploit due to any flaw in Linux, rather it is something the purveyors trick people into installing via "social engineering".
One very simple way to get a sandboxed browser is to run this command (my irony meter is going off the charts here):
sandbox -X -t sandbox_web_t firefox
However, that will prevent any persistence between sessions, so you probably want to do something more like this:
sandbox -X -H /path/to/some/directory -t sandbox_web_t firefox
My recommendation is that you read the man pages and experiment a bit.
Nothing wrong with showing commands and examples to be used. It's the cut-and-paste aspect that's an issue.
My first action was to search through my package repos (Debian) to see if that sandbox command is known to my packaging system (it's not, hrm...).
Nothing is safe.
Installing rvm shouldn't add lines to my .zshrc without prompting me. That behavior would be outrageous anywhere else but in Ruby land it's normal.
Switch to that user before running any code you are not sure about.
LD_PRELOAD? ptrace?
I googled but only found ways of doing this that are Win32-specific.