


Linux distros aren’t updating WebKit, making web browsers and email clients vulnerable

The WebKit rendering engine used in many Linux applications is a complete security mess. That's the takeaway from a blog post by Michael Catanzaro, who works on GNOME's WebKitGTK+ project. He's sounding the alarm about a problem the open-source community needs to fix.

The problem with WebKit

Most web browsers issue regular security updates to their users. But if you're using a WebKit-based web browser, email client, or some other application that uses that rendering engine on Linux, you almost surely aren't getting security updates.

WebKit is a large open-source project. Apple uses WebKit for Safari on Mac and iOS, and those versions of WebKit receive regular security updates. But the WebKit port used for Linux does not.

The common port used by Linux distros is WebKitGTK+, which is associated with GNOME software and other applications that use the GTK+ toolkit. This includes Epiphany, GNOME's flagship web browser, often called simply "Web" or "GNOME Web." It also includes a variety of other applications, such as the Evolution email client, Midori web browser, GIMP image-editing program, Banshee and Rhythmbox media players, and many other programs.

Historically, WebKitGTK+ hasn't had security updates. Updates were released with security fixes, but the project didn't provide CVE numbers, so Linux distributions didn't issue them as updates. The project did release a security advisory listing over 130 fixed issues at the end of December, however. That was over a month ago, and only Fedora has made changes to accommodate these updates. Worse, even if these updates were rolled out on a regular basis, some applications still rely on older versions of WebKit that no longer receive any updates at all, including security updates.

This isn't just a GNOME problem. The KDE project is moving away from WebKit and towards the Chromium-based QtWebEngine. But many applications still rely on a WebKit port named QtWebKit, which is now years out of date. Applications like the KMail email client, Rekonq browser, KTorrent BitTorrent client, Amarok media player, and others use this old version of WebKit, which contains numerous security holes.

This isn't even just a Linux problem. Any PC game or other Windows application that ships with an embedded version of WebKit likely has a huge number of unpatched security holes in its embedded web browser, too.

This is a big topic. To really understand the details, read Michael Catanzaro's full blog post.

Firefox and Thunderbird

Ubuntu includes Firefox and Thunderbird, and that's probably for the best.

To stay properly secure when web browsing on Linux, you should avoid web browsers based on WebKit. Web browsers based on Mozilla Firefox and Google's Chromium project do receive timely security updates, and they should be your go-to options. Debian officially advises using a Firefox or Chromium-based browser for this reason.

The Mozilla Firefox web browser that some Linux distributions use is good, although it may be called by a different name. On Debian, for example, it's called Iceweasel. These browsers are based on Mozilla's Gecko engine.

Many Linux distributions provide Chromium, the open-source version of Google's Chrome. It also receives security updates. You can also install Google Chrome directly from Google, and Google will provide its own security updates for you. These browsers use Google's Blink engine.

Try to stay away from email clients that rely on WebKit, too. You could use web-based email, or try the desktop-based Mozilla Thunderbird. Like Firefox, it's based on Mozilla's Gecko engine. Thunderbird isn't receiving new features, but it is receiving security updates.

If you do want to use WebKit-based applications, you should use a Linux distribution that regularly ships updated versions of WebKitGTK+ soon after they're released. According to the blog post, this is currently only Fedora and Arch, although the testing versions of Debian, OpenSUSE, and Gentoo are also updated. Even if you use these Linux distributions, the applications themselves that rely on older ports of WebKit will still be vulnerable.
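To see which installed programs actually depend on a WebKit port, you can inspect what they link against. The script below is an added example, not part of the original article or of Michael Catanzaro's post; the function names are hypothetical, and the library name patterns are assumptions based on how the WebKitGTK+ and QtWebKit shared libraries are commonly named.

```shell
#!/bin/sh
# Added example: report which executables link against a WebKit port.
# Assumption: WebKitGTK+ libraries are named libwebkitgtk-* or libwebkit2gtk-*,
# and QtWebKit libraries are named libQtWebKit* or libQt5WebKit*.

# Read `ldd` output on stdin; print the WebKit ports found, one per line.
classify_webkit_libs() {
    awk '
        { lib = $1 }                       # first field is the library name
        lib ~ /^libwebkit2?gtk-/ { seen["WebKitGTK+"] = 1 }
        lib ~ /^libQt5?WebKit/   { seen["QtWebKit"] = 1 }
        END { for (p in seen) print p }
    ' | sort
}

# Print "<path>: <ports>" for each executable in the given directories
# that links, directly or indirectly, against a WebKit port.
audit_webkit_users() {
    for dir in "$@"; do
        for bin in "$dir"/*; do
            [ -f "$bin" ] && [ -x "$bin" ] || continue
            # ldd may run code from the file it inspects, so point this only
            # at directories of packaged, trusted binaries. It fails on
            # scripts and static binaries; those are skipped silently.
            ports=$(ldd "$bin" 2>/dev/null | classify_webkit_libs | tr '\n' ' ')
            [ -n "$ports" ] && printf '%s: %s\n' "$bin" "${ports% }"
        done
    done
    return 0
}

# Run only when directories are given, e.g.: sh audit.sh /usr/bin
if [ "$#" -gt 0 ]; then
    audit_webkit_users "$@"
fi
```

A program that appears in the output uses whatever WebKit version the distribution ships, so its exposure depends on how promptly that package is updated.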

Source: https://www.pcworld.com/article/419637/linux-distros-arent-updating-webkit-making-web-browsers-and-email-clients-vulnerable.html

Posted by: vegaejew1984.blogspot.com
