Pipe 2Y8 Lack of GUI Isolation as Linux security flaw

Lack of GUI Isolation as Linux security flaw

by
in security on (#2Y8)
Here's a little something to sour your morning coffee with the acid taste of anxiety: an interesting piece by Joanna Rutkowska pointing out what she claims is an inherent security flaw in the X Window GUI model :
... Start another terminal window, and switch to root (e.g. using su, or sudo). Notice how the xinput running as user is able to sniff all your keystrokes, including root password (for su), and then all the keystrokes you enter in your root session. Start some GUI app as root, or as different user, again notice how your xinput can sniff all the keystrokes you enter to this other app!

I never knew this and am not aware of much discussion going on about the issue. Is this a fundamental flaw that Windows Vista addresses more successfully, as the author claims, or has the time truly come to do away with the X Window model and develop something else?

History

2014-04-18 12:01
Lack of GUI Isolation as Linux security flaw
zafiro17@pipedot.org
Here's a little something to sour your morning coffee with the acid taste of anxiety: an interesting piece by Joanna Rutkowska pointing out what she claims is an inherent security flaw in the X Window GUI model :
... Start another terminal window, and switch to root (e.g. using su, or sudo). Notice how the xinput running as user is able to sniff all your keystrokes, including root password (for su), and then all the keystrokes you enter in your root session. Start some GUI app as root, or as different user, again notice how your xinput can sniff all the keystrokes you enter to this other app!

I never knew this and am not aware of much discussion going on about the issue. Is this a fundamental flaw that Windows Vista addresses more successfully, as the author claims, or has the time truly come to do away with the X Window model and develop something else? Did the UNIX-Haters Handbook get this one right?
Reply 0 comments