by Liuser on 12/15/16, 9:52 PM with 11 comments
by 234dd57d2c8db on 12/16/16, 12:43 AM
- Always run your browser in a restricted firejail. This prevents browser exploits from reading your SSH keys. It also makes it much harder to pivot to a root shell or maintain a persistent backdoor, because the filesystem is deleted upon jail exit.
- Don't install multimedia applications on sensitive machines. My default install is Ubuntu Server with i3-wm, vim, git and other dev tools. No mplayer, no VLC, no multimedia. I listen to music on my phone if I want to jam out. The work computer is for work.
- Use snapshotted VMs for interacting with sketchy files such as Word docs, xlsx, mp3s, etc.
- Default-deny rules in iptables to block inbound connections.
- Static ARP entry for the default route to prevent MITM on the LAN if possible. I do this on my work machine where the network is well known.
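Added example, not part of the comment above: a POSIX shell audit of two items from that list, the default-deny inbound policy and the static ARP entry for the default route. It parses captured output of `iptables -S`, `ip route show default` and `ip neigh show`; the function names and the sample output (documentation addresses, made-up MAC) are constructed for illustration.

```shell
#!/bin/sh
# Inputs are captured command output, so the checks run without root.

# Succeeds when the INPUT chain policy in `iptables -S` output is DROP.
input_default_deny() {
    printf '%s\n' "$1" | grep -qx -- '-P INPUT DROP'
}

# Prints the gateway address from `ip route show default` output.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Succeeds when the gateway's entry in `ip neigh show` output is PERMANENT,
# i.e. statically configured rather than learned from ARP replies.
gateway_arp_static() {
    gw=$(default_gateway "$1")
    [ -n "$gw" ] || return 1
    printf '%s\n' "$2" | awk -v gw="$gw" '
        $1 == gw && $NF == "PERMANENT" { found = 1 }
        END { exit !found }'
}

# audit RULES ROUTE NEIGH: prints findings, returns non-zero on any failure.
audit() {
    rc=0
    input_default_deny "$1" || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    gateway_arp_static "$2" "$3" ||
        { echo "FAIL: default gateway has no PERMANENT ARP entry"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed sample output.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_ROUTE='default via 192.0.2.1 dev eth0 proto dhcp metric 100'
SAMPLE_NEIGH_STATIC='192.0.2.1 dev eth0 lladdr 02:00:00:aa:bb:cc PERMANENT
192.0.2.20 dev eth0 lladdr 02:00:00:11:22:33 REACHABLE'
SAMPLE_NEIGH_DYNAMIC='192.0.2.1 dev eth0 lladdr 02:00:00:aa:bb:cc REACHABLE'

audit "$SAMPLE_RULES" "$SAMPLE_ROUTE" "$SAMPLE_NEIGH_STATIC"
```

On a live host, pass the real output instead, for example `audit "$(iptables -S)" "$(ip route show default)" "$(ip neigh show)"` run as root.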
by anonbanker on 12/15/16, 10:57 PM
That's a big stretch, and a lot of hype for this "0-day". How many people are going to be realistically affected by this? Why is arstechnica making such hype about it?
Yes, it's novel that someone's been able to break out of gstreamer's sandbox using unimplemented (or poorly-implemented) 65816 opcodes, but that's about as far as it goes.
Thankfully, my Calculate (Gentoo) Linux KDE desktop with a VLC backend is completely unaffected by this "0-day", and everything on my network is safe.
by aiur3la on 12/15/16, 11:23 PM
Nope, patched already in Debian and Ubuntu.
by ryanlol on 12/16/16, 12:02 AM
How come it wasn't made a thing by similar exploits developed by others in the past decades?
Ars writes the strangest things sometimes.
by finchisko on 12/15/16, 10:53 PM
by nameless912 on 12/15/16, 10:27 PM
Right?