Survival Time for Unpatched Systems Cut by Half

Brian Kelsay bkelsay at comcast.net
Thu Aug 19 02:43:54 CDT 2004


Brian Densmore wrote:
> So I guess the pertinent question is, are Linux IM clients susceptible 
> to this kind of <spellingnazi> virii </spellingnazi>? That is of course
> assuming some enterprising young cracker writes one for Linux systems?
> Of course if I was a cracker, I'd write cross-platform virii, and have friendly
> download pop-ups letting the user choose the proper poison pellet. 
>

I would say it is somewhat vulnerable in that the same ports must be 
open for clients on the same network.  BUT the method of attack is the 
sticker.  In Monty's case, if your client is set to allow anyone to send 
you a message or if you accept messages from people in your list and one 
of those is an infected Winders user, then yes you might get the popup 
msg.  Then if you were dumb enough to click on the web link it would 
launch your browser to that site.  At the time that it tries to install 
the plugin, if one is avail. for the Linux browser, it might install. 
If the user is not allowed to install programs or plugins (winders or 
Linux), then the plugin is dead.  On Winders though, if they use a web
based IE exploit, one of the many, many buffer overflows or cli access 
exploits, then the attacker can get elevated privileges and root access. 
You're dead.  The plugin would have to have dual payloads to get both 
windows and Linux.  This is why you don't run as root.  If you put your 
user ID in the root group, you're asking for it.  I'd say that Java or 
flash, possibly C payloads could be delivered in this manner and have 
code to distinguish what environment they are in.

----------------------------------------------
Somewhere there is a village missing an idiot.
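The least-privilege point in the reply (a user ID placed in the root group) is something a defender can audit. The following is an added example, not code from the post or the list; the passwd and group data it parses are constructed, and it flags any account whose primary or supplementary GID is 0.

```python
# Audit passwd/group data for accounts that effectively carry root-group
# membership: primary GID 0 or a supplementary entry in the GID-0 group.
# Added example; the sample data below is constructed, not from any real host.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
monty:x:1000:1000:Monty:/home/monty:/bin/bash
brian:x:1001:0:Brian:/home/brian:/bin/bash
daemon:x:2:2:daemon:/usr/sbin:/usr/sbin/nologin
"""

SAMPLE_GROUP = """\
root:x:0:alice
users:x:100:monty,brian
wheel:x:10:alice
"""


def parse_passwd(text):
    """Return {user: primary_gid} from passwd-format text, skipping blanks/comments."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry; ignore rather than crash the audit
        users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Return {gid: set(member names)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        gid = int(fields[2])
        members = {m for m in fields[3].split(",") if m}
        groups[gid] = groups.get(gid, set()) | members
    return groups


def root_group_members(passwd_text, group_text):
    """Accounts other than root whose primary or supplementary GID is 0."""
    flagged = {u for u, gid in parse_passwd(passwd_text).items() if gid == 0}
    flagged |= parse_group(group_text).get(0, set())
    flagged.discard("root")
    return sorted(flagged)


if __name__ == "__main__":
    print(root_group_members(SAMPLE_PASSWD, SAMPLE_GROUP))  # ['alice', 'brian']
```

To run it against a live system, pass the contents of /etc/passwd and /etc/group in place of the sample strings.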