Thursday, September 1, 2011

Installing software direct rather than package archives - Ubuntu

A cautionary tale regarding self-installing a browser on Ubuntu.

Ubuntu has a protection system labelled 'AppArmor'.

It's big strength is in protecting users from themselves, when it comes to 'Install Me Java' type popups.

Above is an example of what I refer to as 'Install Me Java' type popups.

Without being a Java expert, the user is giving some Trust to the publisher (wisely or unwisely) as to what the code will do with their computer.

AppArmor is a resident protection system, that is configured (by default) to work with a standard Firefox install*

(*By standard Firefox install, I mean listed at and installed using Ubuntu supplied tools such as Synaptic)

What happens if I install my own browser? Am I protected?

You are still afforded some protection, however AppArmor is not intercepting script execution (Java)

Can you give me an example of why this is a bad idea?

As it happens, Daniel Dieterle has a great article that illustrates the dangers very clearly.

The title probably needs a bit of qualification, and there should be some more clarification regarding the target system (see next paragraph)

How would your system be different & reaction to that article:

Okay, well your target system needs a bit of description here - did Daniel install Chrome himself?

Official release of Ubuntu (as far as I know) has Firefox6 and a stripped version of Chrome named Chromium, however that article seem quite particular in saying Chrome.

To reiterate my previous point:
If you install a browser yourself (manually or manually from ppa) your system AppArmor resident protection, will not give you the same level of protection as an officially supported browser release.

Solution: Stick with Firefox6 (installed by default), or disable Java scripting in any browser you self install.

Both are simple solutions (see image below)

If you *choose* to make your system 'non-standard', then you must also accept responsibility for any extra security precautions then required.

Running Firefox6 with Java disabled is the most secure option.

Running Firefox6 (with no self tinkering, and so benefiting from AppArmor protection of Java scripts), is a fairly secure option.

Self installing Chrome and leaving Java scripting activated is the least secure option. Security conscious users never choose the least secure option.

My browser is Official Ubuntu Firefox 6 and a AppArmor failed to intercept Java script?

Then post the output from the following command:

sudo egrep -i '(profile|apparmor)' /var/log/kern.log

...into a bug report on launchpad.

Summary in two sentences:

Malicious java should be stopped by AppArmor from executing withing Firefox6.

If you still feel a 'stock system' is vulnerable or firefox6+java is not blocking malicious scripts and reporting so in /var/log/kern.log, then file a bug and help close the hole :)

No comments: