mhbell Posted May 26, 2017

Linux's X.org server is vulnerable. Here's how to stay safe. From Tech Republic. http://www.techrepub...ate-from-x-org/

securitybreach Posted May 26, 2017

This is just click bait. Of course any type of software that interacts with an application could potentially have a keylogger. That is why security researchers look at software and their capabilities. Notice that there is not a single source on the article. This is just FUD tactics to get you to move to Wayland. I googled Xorg keylogger and nothing relevant came back in the results. Wayland could just as easily have one as well. I am surprised at TechRepublic....

securitybreach Posted May 26, 2017

No whitepaper, no study and no evidence.

securitybreach Posted May 26, 2017

Do not get me wrong, there are vulnerabilities with Xorg, but this is not one of them and the ones Xorg has are not being actively exploited. Most require the system to already have been compromised.

mhbell Posted May 26, 2017

> Do not get me wrong, there are vulnerabilities with Xorg, but this is not one of them and the ones Xorg has are not being actively exploited. Most require the system to already have been compromised.

Hmmm, I wonder why most Ubuntu Server developers do not recommend installing X on a server. There are multiple reasons for not installing a GUI. http://askubuntu.com/questions/101829/ddg#159607 and another link from xorg https://www.x.org/wiki/Development/Security/

"This page details security issues that have been found in X.Org, and their remedies. Please contact the X.Org security team at xorg-security@lists.x.org to report security issues in the X.Org codebase. While the advisories are listed below by the most recent release they affect, most affect older releases as well, in many cases going back to the introduction of the affected functionality. See the Security Checklist for the list of things to go from a bug report to a released advisory."

and the list goes on and on. I don't think that it is Click Bait as you say.

Mel

raymac46 Posted May 26, 2017

If this issue bothers you, you can start using Wayland right now. It's the default in Fedora, and if you have Debian Stretch with the GNOME desktop it's an option. I suspect the next Debian release (Buster) will go with Wayland as the default and X as a fallback.

mhbell Posted May 26, 2017

> If this issue bothers you, you can start using Wayland right now. It's the default in Fedora, and if you have Debian Stretch with the GNOME desktop it's an option. I suspect the next Debian release (Buster) will go with Wayland as the default and X as a fallback.

It doesn't bother me, and BTW I do run Fedora as MY second Linux Distro and Linux Mint as my primary. I only pointed out that there are several vulnerabilities in Xorg Server. Well documented too. To make a statement that it is "This is just click bait. Of course any type of software that interacts with an application could potentially have a keylogger. That is why security researchers look at software and their capabilities. Notice that there is not a single source on the article. This is just FUD tactics to get you to move to Wayland. I googled Xorg keylogger and nothing relevant came back in the results. Wayland could just as easily have one as well. I am surprised at TechRepublic...." IMHO is irresponsible in light of all the security problems with all software nowadays.

Mel

securitybreach Posted May 26, 2017

> > Do not get me wrong, there are vulnerabilities with Xorg, but this is not one of them and the ones Xorg has are not being actively exploited. Most require the system to already have been compromised.
>
> Hmmm, I wonder why most Ubuntu Server developers do not recommend installing X on a server. There are multiple reasons for not installing a GUI. http://askubuntu.com...1829/ddg#159607 and another link from xorg https://www.x.org/wi...pment/Security/
>
> "This page details security issues that have been found in X.Org, and their remedies. Please contact the X.Org security team at xorg-security@lists.x.org to report security issues in the X.Org codebase. While the advisories are listed below by the most recent release they affect, most affect older releases as well, in many cases going back to the introduction of the affected functionality. See the Security Checklist for the list of things to go from a bug report to a released advisory."
>
> and the list goes on and on. I don't think that it is Click Bait as you say.
>
> Mel

Well, the thing is that there are vulnerabilities with Xorg but they are claiming that it can be used as a keylogger. Read the first comment on your link Mel (as well as the others).

securitybreach Posted May 26, 2017

Anything major that has come up has been fixed right away. This is open source and we patch things when there are issues. Things will come up but they get fixed in a timely manner. The same will apply to Wayland when it gets popular enough to find bugs.

securitybreach Posted May 26, 2017

> > If this issue bothers you, you can start using Wayland right now. It's the default in Fedora, and if you have Debian Stretch with the GNOME desktop it's an option. I suspect the next Debian release (Buster) will go with Wayland as the default and X as a fallback.
>
> It doesn't bother me, and BTW I do run Fedora as MY second Linux Distro and Linux Mint as my primary. I only pointed out that there are several vulnerabilities in Xorg Server. Well documented too. To make a statement that it is "This is just click bait. Of course any type of software that interacts with an application could potentially have a keylogger. That is why security researchers look at software and their capabilities. Notice that there is not a single source on the article. This is just FUD tactics to get you to move to Wayland. I googled Xorg keylogger and nothing relevant came back in the results. Wayland could just as easily have one as well. I am surprised at TechRepublic...." IMHO is irresponsible in light of all the security problems with all software nowadays.
>
> Mel

IMO, irresponsible is making a claim, true or false, without a single source. We are living in the days of fake news so we see outrageous claims daily. I think that it is useless to even report on something without a source backing up your claim. I thought that this was always the case with journalism. I know there are proof of concept vulnerabilities for Xorg but none of them are actively exploited. Anything serious gets patched just like any other major open source project. I couldn't imagine a world where something like Xorg was maintained with a known unpatched vulnerability that hasn't been fixed. I mean this is Open Source. There have been vulnerabilities but most have some sources to show how it was exploited and that it was tested and such.

raymac46 Posted May 26, 2017

X is very old and has many features that were useful in 1985 but not needed or obsolete today. I don't think it's used in servers that regularly contact the Internet but why would you have a GUI on a server anyway? X is a server but not in the same sense as a LAMP stack. I do not feel insecure with X on a workstation behind a router and firewall and used with intelligent security practice. Wayland will likely be more secure because it doesn't try to do as much, and is a relatively modern piece of software. But Wayland is replacing X for many reasons beyond security.

securitybreach Posted May 26, 2017

> X is very old and has many features that were useful in 1985 but not needed or obsolete today. I don't think it's used in servers that regularly contact the Internet but why would you have a GUI on a server anyway? X is a server but not in the same sense as a LAMP stack. I do not feel insecure with X on a workstation behind a router and firewall and used with intelligent security practice. Wayland will likely be more secure because it doesn't try to do as much, and is a relatively modern piece of software. But Wayland is replacing X for many reasons beyond security.

^^^^^ Exactly