On Friday 26 August 2016 11:04:04 Perry E. Metzger wrote:
> According to:
> 
> https://security-tracker.debian.org/tracker/CVE-2016-5696
> 
> Wheezy and Jessie are still vulnerable. The attack in question is
> kind of bad (it allows blind injection of arbitrary data into
> things like http downloads) and has been known for a few weeks now to
> the general public.

I don't think the issue is that bad.

It allows an attacker to find out if you are connected to a particular web 
site and makes it easier to interrupt the transfer by sending a RST or SYN 
packet or inject junk data to corrupt the flow. It's simple denial of service.

But to achieve that, you must be downloading something from a web site 
the attacker is actually targeting. The attacker must know you are doing 
so or find out by sheer luck. The download must be long enough (more 
than one minute) for the attacker to discover the set of parameters that 
will make the attack successful. That's unlikely to succeed on a massive 
scale if you ask me!

Besides, the attacker can't possibly know what you are downloading and 
how much data has already been downloaded. There is no way he can 
inject anything useful into the downloaded data. You would end up with a 
corrupted file in the worst case. A worm can't propagate that way.

Frederic
