
RE: Linux Users in Danger - Secure your PC Immediately

in #security, 8 years ago (edited)

I'm half tempted to downvote this post, but I'll hold off because I'm going to assume you're just acting out of concern and not trying to clickbait.

I've reviewed the CVE you linked. There is absolutely no evidence apt was compromised. The only thing the bug report is saying is that apt was failing to check signatures properly on packages installed by it.

That is a WORLD away from what you're saying which was that apt itself had somehow been compromised.

Here's how to deal with this problem if you're on an APT based distro.
Open a command line and type

sudo apt update && sudo apt upgrade -y && sudo reboot

It'll update apt to one that's checking signatures properly and reboot your computer.


Yeah, but if you get attacked while you are doing the update, it is over. So everyone has to hope no attacker is lurking, waiting for them to do an apt-get update.
I agree with the original post: if your security matters, in terms of $$ you would lose, you need to rebuild apt from a trusted source.

There is no evidence apt itself has been compromised and a simple check of the file hash would tell you if it had.

You can't get MITM (which is the only way this attack vector actually works) if you're downloading via https from official repos, which is what 99.99% of users are doing. Even the PPA repos are served over https. The repos are doing their own signature checking prior to allowing the package maintainer to upload a package.

This is literally a question of "does the file hash match the published hash?".

If yes, then there is nothing to worry about. If no, then where did you obtain your copy of apt from? Either way, an apt update (as per the CVE) will fix this.

This isn't gentoo or Arch. You don't rebuild apt from a trusted source, you download it from your distro maintainer. Apt isn't what's compromised here, it's just that some of the packages apt can install could be handled incorrectly if their signature validation check failed.

Your advice is very, very bad. It's ignorant and borders on dangerous. I just thank god no PHBs are reading steemit for IT advice.

This is a bug in apt, which is just a program. An important program, but still it's just part of user space. You're asking people to revert the entire OS including the kernel to a state where the apt bug would still be present, but they would have rolled back any and all updates since the last distro release was cut.

Following this advice would leave their system vulnerable until such time as the system had finished updating. When the system updated it would be doing the exact same thing I just recommended.

There is no example of this being exploited in the wild. No packages are missing signatures, nor do any known packages have bad signatures.

Just apt update and be done with it.

When I say rebuild I mean install/update or whatever to the fixed version. You join my point when you say you need to check the hash, i.e. a trusted source is required. I am not saying https is not enough; I said that if you had doubt, you should forget everything you have updated recently. This CVE is hard to exploit, normally. But you can't just brush off the scenarios where it is relevant.

also yeah it should be so dramatic

But if APT is compromised, then the game is over; any malware can reside on your PC. And you cannot trust any hash from that PC, since there exists malware that could modify it. This is the biggest type of risk there is, when the updater itself could be compromised.

I'm half tempted to downvote this post, but I'll hold off because I'm going to assume you're just acting out of concern and not trying to clickbait.

Hurt the messenger....? I just try to help people, because many people here have hundreds of thousands of dollars worth of assets on their computer. Steem private keys, bitcoin private keys, most people are heavily exposed to risk.

Yeah, 99% of the time things will be fine, but if that 1% of the time somebody loses like $500,000 because nobody warned him, whose fault will that be?

Better stay prepared for all threats.

Yeah, 99% of the time things will be fine, but if that 1% of the time somebody loses like $500,000 because nobody warned him, whose fault will that be?

It'll be yours if they follow your advice and end up in a worse situation, that's why I'm being so adamant about this.

You're not "overblowing" the problems, you're completely mis-stating the threat, the attack surface and the proper solution.

You don't comprehend the threat, its nature, or its applicability. You don't seem to understand that this is not an exploitable vulnerability in the general sense. You would have to have downloaded apt from an untrusted source, and then you would have needed to download a compromised package, and that package would need to drop malware and get it to run. This isn't likely at all. In fact I'm going to go out on a limb here and say there is a 0% chance this has happened to anyone at all, ever since https and app signing were introduced.

Again this isn't windows, we don't just install random crap from random sources via apt. There are other checks in place and you can trust these checks, because lots and lots of people are watching for exactly this sort of shenanigans.

It and your proposed solution leaves the system in an unpatched state where there are known exploits. It doesn't fix it, it makes it worse.

Here is a list of 72 known exploits your "fix" re-introduces.
https://www.ubuntu.com/usn/
You'll notice that the exploit you're concerned about is still on that list. So your solution doesn't fix the problem it just adds 71 more in addition to the heavy work of re-establishing the system configuration after an FFR. Which in the case of some computers requires manually editing config files just to get the internet functional, raid drivers running and don't get me started on 3D graphics.

But if APT is compromised, then the game is over; any malware can reside on your PC. And you cannot trust any hash from that PC, since there exists malware that could modify it. This is the biggest type of risk there is, when the updater itself could be compromised.

This isn't windows. APT is pulling from https URLs. The URLs are all well known as is their complete contents including the hashes of the files hosted there. There isn't a "broken APT" circulating in the wild. There is no package in any repo that had this bad sig issue. There isn't malware in any of the official repositories. They all pass independent signature verification. Independent, as in a lot of people and systems are checking these things every single time we update our systems. With more than just apt and more than just one hash algo.

So yes I'm going to be a bit dramatic here. You're giving bad advice. I mean it, this is genuine bad advice. You either didn't read the CVE, or you completely misunderstood it. But your advice weakens systems that BTW have very likely already patched against this with no ill effects.
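The two replies above boil the whole question down to "does the file hash match the published hash?" and note that the repositories publish more than one hash per package. The script below is an added example (not code from this thread or from the apt project) that does exactly that check by hand in POSIX shell: it looks up a package's stanza in an APT "Packages" index and compares every hash field the stanza carries (SHA256, SHA1, MD5sum) plus Size against a downloaded .deb. The .deb and the index are constructed inline so it runs offline; the package name, version and pool paths are placeholders. On a real system the indexes live under /var/lib/apt/lists/ and the archives under /var/cache/apt/archives/. Note the caveat that follows the block.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against the hashes published for it
# in an APT "Packages" index. Every hash field present in the stanza is
# checked (SHA256 is required, SHA1/MD5sum/Size checked when present).
# apt does this same comparison after the signed Release file has vouched
# for the index; here it is done by hand on constructed, offline data.

md5_of()    { md5sum    "$1" | cut -d' ' -f1; }
sha1_of()   { sha1sum   "$1" | cut -d' ' -f1; }
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
size_of()   { wc -c < "$1" | tr -d ' '; }

# stanza_for <Filename value> <index>: print the index stanza whose
# "Filename:" line names that file (stanzas are blank-line separated).
stanza_for() {
  awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n"; key = "Filename: " want }
    { for (i = 1; i <= NF; i++) if ($i == key) { print; exit } }
  ' "$2"
}

# field <Name> <stanza text>: value of the "Name: value" line, empty if absent.
field() { printf '%s\n' "$2" | sed -n "s/^$1: //p"; }

# verify_deb <deb> <index> <Filename value>
# Returns 0 only if the stanza exists, carries a SHA256, and every published
# hash and Size match the file; returns 1 with a reason on stderr otherwise.
verify_deb() {
  deb=$1 index=$2 name=$3
  stanza=$(stanza_for "$name" "$index")
  [ -n "$stanza" ] || { echo "no index entry for $name" >&2; return 1; }
  want=$(field SHA256 "$stanza")
  [ -n "$want" ] || { echo "index entry has no SHA256" >&2; return 1; }
  [ "$want" = "$(sha256_of "$deb")" ] || { echo "SHA256 mismatch" >&2; return 1; }
  want=$(field Size "$stanza")
  [ -z "$want" ] || [ "$want" = "$(size_of "$deb")" ] || { echo "Size mismatch" >&2; return 1; }
  want=$(field SHA1 "$stanza")
  [ -z "$want" ] || [ "$want" = "$(sha1_of "$deb")" ] || { echo "SHA1 mismatch" >&2; return 1; }
  want=$(field MD5sum "$stanza")
  [ -z "$want" ] || [ "$want" = "$(md5_of "$deb")" ] || { echo "MD5sum mismatch" >&2; return 1; }
  return 0
}

# build_fixture <dir>: constructed stand-in .deb plus a two-stanza index.
# Package names, versions and pool paths are placeholders, not real entries.
build_fixture() {
  dir=$1
  printf 'constructed stand-in for apt_1.4_amd64.deb\n' > "$dir/apt_1.4_amd64.deb"
  {
    printf 'Package: apt\nVersion: 1.4\nArchitecture: amd64\n'
    printf 'Filename: pool/main/a/apt/apt_1.4_amd64.deb\n'
    printf 'Size: %s\n'   "$(size_of   "$dir/apt_1.4_amd64.deb")"
    printf 'MD5sum: %s\n' "$(md5_of    "$dir/apt_1.4_amd64.deb")"
    printf 'SHA1: %s\n'   "$(sha1_of   "$dir/apt_1.4_amd64.deb")"
    printf 'SHA256: %s\n\n' "$(sha256_of "$dir/apt_1.4_amd64.deb")"
    printf 'Package: other\nVersion: 1.0\nArchitecture: amd64\n'
    printf 'Filename: pool/main/o/other/other_1.0_amd64.deb\n'
    printf 'SHA256: %s\n' "$(printf 'unrelated' | sha256sum | cut -d' ' -f1)"
  } > "$dir/Packages"
}

# demo: the clean file passes; appending one byte (simulated tampering) fails.
demo() {
  dir=$(mktemp -d)
  build_fixture "$dir"
  deb="$dir/apt_1.4_amd64.deb" idx="$dir/Packages"
  name=pool/main/a/apt/apt_1.4_amd64.deb
  verify_deb "$deb" "$idx" "$name" && echo "clean package: OK"
  printf 'x' >> "$deb"
  verify_deb "$deb" "$idx" "$name" || echo "tampered package: REJECTED"
  rm -rf "$dir"
}

demo
```

The check only proves the .deb matches what the index says; it is the signature on the Release file (the step apt itself performs, and the step the CVE in question concerns) that makes the index worth trusting in the first place. Comparing against an index whose signature was never verified is the same hole the thread is arguing about.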

It and your proposed solution leaves the system in an unpatched state where there are known exploits. It doesn't fix it, it makes it worse.

Here is a list of 72 known exploits your "fix" re-introduces.
https://www.ubuntu.com/usn/
You'll notice that the exploit you're concerned about is still on that list. So your solution doesn't fix the problem it just adds 71 more in addition to the heavy work of re-establishing the system configuration after an FFR. Which in the case of some computers requires manually editing config files just to get the internet functional, raid drivers running and don't get me started on 3D graphics.

I am not sure I follow you. What are you talking about here?

I have said in my article that if the solution is fixed, only then download the latest release. I was also implying, but forgot to say, that the latest "stable" release should be downloaded; if that is a more accurate explanation, I will edit it in the article.

Other than that how is it actually more risky to update than to leave the current flawed version on the PC?

Just for the record, I am not using Ubuntu. I was referring to Debian mostly.

The "latest release" is an iso file that was cut months ago. For 16.04 LTS that would mean rolling all the way back to April. For 16.10 it's only since October, but that's still a ton of vulnerabilities to reintroduce into your system.

It's not like there's a daily snapshot you can grab, unless you're living dangerously and going onto one of the dev branches.

And you know, this guy's "fix" would also re-introduce the flawed apt package, which likely would already have been fixed. I don't understand why this guy has such a hard time understanding why he's wrong.

Well then just update the system manually. Get the latest apt package updated first, and then download the rest of the updates.

It's bad if the new releases come out monthly; people need to rely heavily on the updater then.

You can always just use an RPM-based distro until a new ISO image comes out for Debian-based OSes, for example.
