mike acker wrote: our biggest concern is a "drive by" from an infected web site. infected web sites contain un-imaginable garbage..... a bad flash object would be the most likely means of getting some sort of code to call this ABI service... i wonder how high the risk is.......
I've been reading some more on X32 ABI today and I think the risk on your browser is negligible. For a browser to use X32 ABI, it would have had to be compiled to use the X32 version of system libraries (else there is no X32 ABI). Those libraries aren't installed on Linux Mint 16. You can check with the following command (no result = not installed):
You can also check whether your browser (or another program) has been compiled to use X32 ABI. You can do that with the ldd command and checking the output for reference to any X32 version of system libraries. For example for Firefox with this command (no result = Firefox wasn't compiled to use X32 ABI):
Code:
ldd /usr/lib/firefox/firefox | egrep 'libx32|-x32'
This command is a bit tricky and you need to be sure to run it on the binary for the program you're checking. For example the command in your menu for Firefox points to a symbolic link, which goes to a shell script, that does the actual loading of the binary that you'd need to check (as per above command, that's the right one to check). So it can be a bit of a puzzle which file to check.
To my understanding the risk is in downloading a Linux program that was specially crafted to exploit the privilege escalation weakness that is in the X32 ABI in certain kernels. As detailed above, some kernels don't have X32 ABI enabled and those aren't susceptible. I'm not a security expert, but I doubt things like Flash and JavaScript can exploit this bug in the X32 ABI.
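Added example, not part of the original post: a shell sketch for the "which file do I check" puzzle described above. It goes beyond the ldd approach by following symlinks and reading the ELF header directly, so an x32 binary (32-bit ELF class with the x86-64 machine type) is identified without loading it. The function names, the constructed sample header and the /boot/config path are assumptions; the kernel option is CONFIG_X86_X32 (CONFIG_X86_X32_ABI on newer kernels).

```shell
#!/bin/sh
# Added example: classify a program file by ELF header instead of ldd output.

# elf_abi PATH -> prints x32 | x86-64 | i386 | script | not-elf | other-elf
elf_abi() {
    f=$(readlink -f "$1") || return 2      # follow menu/launcher symlinks
    [ -r "$f" ] || return 2
    # First 20 bytes as hex words: magic (1-4), EI_CLASS (5), e_machine (19-20)
    set -- $(od -An -tx1 -N20 "$f")
    case "$1$2$3$4" in
        7f454c46) ;;                        # ELF magic: 0x7f 'E' 'L' 'F'
        2321*) echo script; return 0 ;;     # "#!": a wrapper, check what it execs
        *) echo not-elf; return 0 ;;
    esac
    # e_machine is little-endian on x86: 3e 00 = EM_X86_64, 03 00 = EM_386
    case "$5:${19}${20}" in
        01:3e00) echo x32 ;;                # 32-bit class + x86-64 machine
        02:3e00) echo x86-64 ;;
        01:0300) echo i386 ;;
        *) echo other-elf ;;
    esac
}

# kernel_has_x32 CONFIG_FILE -> exit 0 if the kernel config enables the x32 ABI
kernel_has_x32() {
    grep -Eq '^CONFIG_X86_X32(_ABI)?=y' "$1"
}

# make_header CLASS MACHINE OUT: write a constructed 20-byte ELF header
# (sample input only). CLASS and MACHINE are 3-digit octal byte values.
make_header() {
    printf "\\177ELF\\$1\\001\\001\\000\\000\\000\\000\\000\\000\\000\\000\\000\\002\\000\\$2\\000" > "$3"
}

if [ $# -gt 0 ]; then
    for p in "$@"; do printf '%s: %s\n' "$p" "$(elf_abi "$p")"; done
    cfg=/boot/config-$(uname -r)            # assumed location of the kernel config
    if [ -r "$cfg" ]; then
        if kernel_has_x32 "$cfg"; then echo "kernel: x32 enabled"
        else echo "kernel: x32 not enabled"; fi
    fi
fi
```

Reading the header also matters for downloaded programs: the ldd manual warns against running ldd on untrusted executables, because it may execute code from the file being inspected.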