What would happen if ie there is a 0 day exploit in VLC and i open an infected file, or if i watch a stream which is exploting a flash vulnerabilty , or a script on a site that is malicious. I once read that i all those cases named the attacker or the malware could contiue with root priveleges and ie install a keylogger and from there own the victim completley.
The first prevention method is to install EMET 5.2 and, right after installation, select the "Recommended Settings", because it automatically creates profiles for the most commongly exploited programs such as Adobe Reader, Java, Word, etc. After that you can select Maximum Security, but that might have implications on older programs like GTA III or GTA Vice City, for example, so you might want to set DEP for "Application Opt-Out" instead of living it always on. Then, I'd do some research to see if VLC actually uses Flash for streams. But I don't think it does.
Oh, my bad! I didn't see this was the Unix forum heehehe. Well, EMET doesn't work on Linux. It's for Windows only. I think you can get the same functionality on Linux with SELinux or AppArmor.
This is your answer. Assuming you have 64bit Ubuntu, these are some instructions you can follow: $ mkdir Firejail 0.9.26 $ cd Firejail* $ wget -O firejail.deb http://sourceforge.net/projects/firejail/files/firejail/firejail_0.9.26_1_amd64.deb/download && wget -O firejail.asc http://sourceforge.net/projects/firejail/files/firejail/firejail-0.9.26.asc/download $ sha256sum firejail.deb #verify this with the SHA value in firejail.asc file $ sudo dpkg -i *.deb Start VLC with the following command $ firejail vlc # start with firejail --debug vlc to see what are things being disabled/blocked or you can start with firejail --private vlc to discard any changes that have been made to the system when you close vlc
To the OP: If the attacker wants root access, the quickest way would probably be to log your keystrokes next time you use sudo. Thats actually quite easy to do on Linux, from a limited account. Keep in mind though that most of what a hypothetical attacker would want is in your user account - and, more specifically, in your browser profile. They have access to your browser, they already have everything they need. There are a number of things you can do to reduce the risk - ad blocking, JS blocking, GrSec kernel. The first two are always worthwhile IMO. Not sure about the last though.
I understand that the OP was asking about securing VLC. UnknownK's advice is good: There is already a ready-to-use VLC profile in Firejail which drops all capabilities and provides a seccomp-bpf filter. And it's easy to blacklist any additional folders/files in your home if necessary.
@summerheat Ahh, whoops. For some reason it didn't click that this was for VLC, not browser attacks. For that, yeah, AppArmor makes sense.
