I saw an interesting (at least to me) article in Linux Journal recently (see http://www.linuxjournal.com/article.php?sid=7366&mode=thread&order=0 for the full text). The author, Don Marti (editor-in-chief, Linux Journal) says a couple of things that the Linux software development community would be well advised to listen closely to, IMHO.

In particular, he says, "All that's keeping us safe is that most programs for Linux don't make it easy to run attachments from incoming mail. But combine the right vulnerability in a common desktop app with a little social engineering, and you've got a Linux worm." Additionally, "With today's larger Linux user base and more desktop standardization, the next vulnerability will be a bigger risk."

I think that we're seeing several of the features that have plagued the security of desktop Windows systems being increasingly incorporated into the desktops of Linux systems. Further, the Linux desktop is truly maturing and, along with that, we're getting closer and closer to a critical mass of users.

So why do I feel that this is a Secure Coding issue and not (just) an OS security issue for Full-Disclosure and similar groups to discuss? IMHO, the issues that we're dealing with get straight to the heart of the design of the desktop environments that are being deployed. Sure, Linux has grown up with an arguably better separation of administrative and desktop users from day one, but even just a user-level email worm can be pretty frustrating (in case you haven't noticed from the size of your inbox in the last month or so).

Case in point, I just got KDE 3.2 on my PC over the weekend (thanks to the Debian-Sid distribution), and I'm seeing the email/PIM environment appearing more and more like Outlook. I can open an email attachment straight into its respective app with just 2 clicks of the mouse (although that's actually been possible for some time). That's not to say that doing so is a good idea, but give the common desktop user the _opportunity_ and... I, for one, sure hope that the Linux world doesn't feel the need to learn the hard way.

Cheers,

Ken

-- 
KRvW Associates, LLC
http://www.KRvW.com