Debian User Forums

[bester69]

They say you must update inmediatly your internet browser, but I'd like to know what are really the dangers of using an outdated Internet Browser.

In windows systems there's the risk a malware software install by itself due to an outdated security hole in the browser, but we're discussing here about a linux system, when there's is no possibility a malware/virus component being insalled or executed by itself as it hasn't got the admin account.

So, What dammages can they do with an outdated browser, if they can't install anything in it?? (phissing maybe??). I'd like to know as ive using an outdated browser for a whole year.. , and i intent to keep doing it for regular use but virtual bank operations

[Head_on_a_Stick]

a linux system, when there's is no possibility a malware/virus component being insalled or executed by itself as it hasn't got the admin account

If you are using Debian with any display manger other than GDM then the X server itself is being run as root and any successful exploits in FF will be able to gain full root access to your system.

https://www.debian.org/releases/stable/ ... uires-root

If any security fixes have been published then the exploits are widely known and will be tried by every script kiddie, to not update is sheer foolishness and this is the reason why FF & Chromium are some of the only packages in the stable release which are kept up to date.

There are also _many_ other ways to compromise the security of the average Linux system and gain elevated privileges, you are very naive.

https://en.wikipedia.org/wiki/Linux_malware

[RU55EL]

[...] we're discussing here about a linux system, when there's is no possibility a malware/virus component being insalled or executed by itself as it hasn't got the admin account. [...]

If you believe that there is no possibility of malware or a virus obtaining root privileges, why are you asking the following question?

So, What dammages can they do with an outdated browser, if they can't install anything in it?? (phissing maybe??). I'd like to know as ive using an outdated browser for a whole year.. , and i intent to keep doing it for regular use but virtual bank operations

If you never lock the door to your house and have never had anything stolen from your house, does that mean that nobody can steal from your house?

[edit]

Carefully read the materials at the links Head_on_a_stick provided. I'm sorry if I've come across as harsh, but computer security is no laughing matter considering the information that many people have on their computers. Linux virus programs exist!

[/edit]

[Bulkley]

As always, it depends upon what you do with it. As you noted, you want good security when banking. Depending upon the sites visited there may be nasty little surprises waiting. Sites that specialize in vices (porn, gambling, sex, drugs) are simply not trustworthy to begin with so avoid them.

One of the best things about using Debian is that when I do apt-get install [package] what I receive is clean. Do something similar with Windows and the odds are that it will come loaded with all sorts of crap that can take weeks to find and get rid of. We once downloaded a Windows version of Firefox and it came pre-loaded with hidden commercial redirects.

[pcalvert]

I'd like to know as ive using an outdated browser for a whole year.. , and i intent to keep doing it for regular use

Which web browser, and WHY?

[GarryRicketson]

Just do a search :
What risks of an Outdated Internet Browser?
There are plenty of results.

[alan stone]

What risks of an Outdated Internet Browser?

An outdated feeling of online security.

[bester69]

Just do a search :
What risks of an Outdated Internet Browser?
There are plenty of results.

Those articles speaks about window viruses, worns, and malware. As you know linux systems doesnt allow propagation, and nothing can be installed without the
authorization and admin password, So that's why I was asking about it. In windows I can understand it, in Linux i still dont get it, I dont see how a security hole in the browser, could infect the own browser, or delete , or steal any home documents, cos to do those operations you need a running program that should run throught the own browser's services, and to do that the browser need to be rewritted its code, and i only see that happening as long as the browser is running in memory ram, once its reopened the bad code would be pushed away and cleanned back. But im just guessing and asking to figure it out

[bester69]

a linux system, when there's is no possibility a malware/virus component being insalled or executed by itself as it hasn't got the admin account

If you are using Debian with any display manger other than GDM then the X server itself is being run as root and any successful exploits in FF will be able to gain full root access to your system.
....
https://en.wikipedia.org/wiki/Linux_malware

I suppose, to get root access, would mean a kernel exploit accesed throught a security browser hole, wouldnt it?., nothing to be with the browser bug..

[HuangLao]

it is foolhardy to say the least to accept the myth that *nix is immune to malware/viruses etc... If the day ever comes when *nix users are a percentage worthy of such attacks then it will be prevalent indeed. Also, there are many rootkits, viruses etc... for *nix, if you use sudo, guess what that virus can find out easily what your "root" password is. Look at Ebury/Windigo and tell me that something as simple as ssh cannot be used as an exploit, or dare I say the Debian openSSL fiasco a few years back.

Your browser is your first line of defense (actually your router), if your browser is hosed, outdated etc... then you are walking around naked in the matrix telling everyone to take a pull for free. Banking is the least of your worries if you continue to use an old browser for anything other then liveCD trivial browsing, why do you think TOR updates their browser often etc....

***Wait a minute, are you not the same person that likes to herald the benefits of frankendebian and having the latest and greatest?

[bester69]

it is foolhardy to say the least to accept the myth that *nix is immune to malware/viruses etc... If the day ever comes when *nix users are a percentage worthy of such attacks then it will be prevalent indeed. Also, there are many rootkits, viruses etc... for *nix, if you use sudo, guess what that virus can find out easily what your "root" password is. Look at Ebury/Windigo and tell me that something as simple as ssh cannot be used as an exploit, or dare I say the Debian openSSL fiasco a few years back.

Your browser is your first line of defense (actually your router), if your browser is hosed, outdated etc... then you are walking around naked in the matrix telling everyone to take a pull for free. Banking is the least of your worries if you continue to use an old browser for anything other then liveCD trivial browsing, why do you think TOR updates their browser often etc....

***Wait a minute, are you not the same person that likes to herald the benefits of frankendebian and having the latest and greatest?

See,
Millons of users are using everyday oudated Android's Apps from litle trust sources and i dindnt heard anything bad happening to them. And they've their smartphone full of important documents and stuff and full of all kind of litle trusted apps. Most of them even has litle knowns about security risks,
So my feeling is all this paranoid about security is a so exagerated in a linux system, facts say otherwise, there's litle to be worried if you know more or less what you 're doing.
I think using an oudated browser for a regular use, and preventing bank operations with it, in linux should be ok; the browser code cant be altered, so once its reopened the worm, or whatever that might be exploiting the bug, would be pushed away, getting the code fresh and clean back.

Just think about the millons Android users, installing and uninstalling thousands of apps from litle trusted sources.. Its maddness if you compared with my case,

[stevepusser]

Similar to the risk of running a stop sign on a remote, little-used country road: https://www.youtube.com/watch?v=7Esrly_qWOc

End of the stream: https://www.youtube.com/watch?v=7Esrly_qWOc&t=8732s

[ruffwoof]

I get Bester's point. Security is a procedure not a package/product. Greater risks come from running a browser or other external/network program as root, or other doorways such as from installing browser add-ons, or opening email attachments.

Old browser with known exploit/breakout leaves a hacker sitting at user command level ... what damage could be done. Could steal or delete any of the users files/view emails etc. but if backed up and the content wasn't personal/sensitive that might be of little concern to a casual computer user. Greater concern about privilege escalation ... get access to root and be able to install ransomware or proliferate into other systems behind the same LAN, but most systems are designed to prevent such privilege escalation so by no means a easy choice, easier to attack other vectors such as via updates/addons or human error.

Similar (or lower) risk than having a laptop stolen. If there is limited damage that such a theft could achieve then running older browser is of even less concern?

For many users likely data is the more valuable. Systems are relatively easily/cheaply replaced. Data such a family pictures might be invaluable. Provided you're not particularly bothered about a stranger seeing those pictures or whatever and you have disconnected/offsite backup copies then you're relatively safe.

Computer security is big business and you hear much about potential exploits that are found (and plugged), but much much less so about actual exploits, at least at a single desktop user software breached level. The bigger targets are servers, or human error (getting individuals to disclose their banking details via a telephone call or via credit card skimming ...etc.).

Turn it around and perhaps its safer to use a pristine factory fresh operating system and brand new copy of a browser, booted and used to go directly to your banks web site, nowhere else before or after (shutdown afterwards) ... even though that operating system and browser might be 10+ years old (dated), is perhaps securer than using the latest patched up system, that has been used to browse here, there and everywhere before/after going to your banks website.

[RU55EL]

Millons of users are using everyday oudated Android's Apps from litle trust sources and i dindnt heard anything bad happening to them.

I will say it again!

If you never lock the door to your house and have never had anything stolen from your house, does that mean that nobody can steal from your house?

It is your choice to use an outdated browser, or leave your front door unlocked when you leave. But, don't claim that there is no security risk.

There are many vulnerabilities in any operating system. The way to keep them secure as possible is to fix the security bugs as soon as they are found.

If you are using an outdated browser, or other software, with known vulnerabilities, it makes it very easy for someone to exploit your system. If the vulnerability is known, someone with limited computer skills can look up how to use the exploit and use it. It is not rocket science. For example.

I did this years ago, to demonstrate to my employer the need to keep an operating system updated. Using nothing more than instructions and software from the Internet I was able to decrypt the password file and obtain everyones password using an unprivileged account. (My computer did have to run for a couple nights, and most of the password were not very good.) A month later, we had a brand new operating system installed. The method I used wouldn't work today, because operating systems have been updated to prevent it. Unless, of course, you are using outdated software.

[bester69]

My point, is
I dont think none in world is looking for a me to rapped me, isnt it?, I dont think none knows me, they dont know my ip, they dont know what its within my computer, and i dont think we both concur in same temporarily gap activity, language, or whatever... and given into my ip, and getting to listen and trying to operate me, when i can inmediatly close the browser or turn off the computer. I mean, to be rapped for someone, there must be a good reason for it. isn't it?? None with enought hacking knowledge was going to put such an efforts at sniffing trying to hacking me in anyway without knowing what is behind the router, there must be a known and good reason for it,i think you can get my point.. Perhaps if i were a knowed server bank, i could be worried to not being enought secured.

I see it really silly the critycal worry of having to update the browser in a linux system. It can't be infected in the code as we're talking about linux persmissions , to practical effects, the app is behaving as it was a hardware device or an old Livecd. And we dont put to update router's firmware everyday, dont we?. Its secure by itself in the same way as any linux apps, as long as they can't hack the user, they cant operate. I dont see it..Its similar to being infected by a virus. I think we've more chances to see The Loch Ness Monster that being hacked.. its just my feeling.. but somene said so about linux viruses, they exists, but none has never seen them, and none knows someone that has ever seen them.. i read that recently in a linux article .

The only risk i see here with outdated browsers, might be with an infected addon ..supposing that's even possible (by exploiting a vulenerability browser's hole in remote and behing router).