On 12/19/2016 06:26 PM, Patrick Schleizer wrote:
What about Debian graphical installer security?
Isn't that in meanwhile the ideal target for exploitation for targeted
attacks? Because it will take a while until the Debian point release
with fixed apt.
And during the gui installer, the output of apt-get is not visible. And
stuff during installer taking a long time is something users have been
trained to expect. So I don't think it would raise much suspicion. If
exploitation works, fine, if not, nothing was lost.
Also Debian gui installer may be distinguishable over the network from
already installed systems? Because first it's using debootstrap (perhaps
with special options), then apt-get. The timing or something else could
make it distinguishable over the network.
Best regards,
Patrick
Probably so. But an attacker can be opportunistic--try and maybe
fail/succeed--whether or not the user is installing or merely updating.
The only solid solution to this issue is to alert users out-of-band, and
have them also obtain *new media out-of-band* so they can re-install. In
our case on Qubes, dom0 updates can fill the need for obtaining new
media. But going forward, the best practice would include issuing new
ISOs as well, since users installing Debian alongside Qubes will perform
normal updates as a matter of course--they may review new CVEs or QSBs
but not from several months prior.
BTW, I think Debian's idea expecting users to validate detailed metadata
with their eyeballs is crazy.
Chris
