True, but that refers to the *specific* exploit they tested. I'm sure you
know better than to think that malware can never infect a GNU-Linux system.
Getting a user to open an untrusted file from a random website, when the file
type is one that is a *known vector for malware* on at least one OS, seems to
me like exactly the sort of social engineering attack that could be used to
overcome the baked-in security of GNU-Linux.
This is especially the case when opening that file requires the user to
install a non-default piece of software like xchm, a GUI layer developed by
one person on SourceForge (known to be a source of untrustworthy binaries),
for a library (CHMLib) developed by one person, that hasn't been worked on
since 2009!
https://github.com/jedwing/CHMLib
Chances are neither of these programs has been security tested with Ubuntu
14.04, let alone with Trisquel specifically, nor the code put through a
security audit. I might as well just put out a welcome mat outside my front
door with my root passphrase printed on it, take a photo, and post it on
4Chan with my current IP address.
