does firefox under ubuntu has something similar to activeX, in terms of security vulnerability?
‘ActiveX’ can be considered in two parts, the object model and the installation method. Firefox has something similar—and cross-platform compatible, Ubuntu or other—for both.
The object model of ActiveX is Microsoft COM; Firefox's equivalent is XPCOM. Many other Windows features and applications that are nothing to do with web browsing use MS COM, and there have traditionally been endless problems where COM controls that were not written for secure web usage were nonetheless available to web pages. This caused many compromises. Firefox is better off here as XPCOM is not shared with the rest of the system. Newer versions of IE have better controls for mitigating what sites are allowed to use what controls.
(As a side-issue, because many add-ons for Firefox are themselves written in JavaScript, a high-level scripting language, they are often more secure from buffer overflow and string handling errors than extensions for IE which are commonly written in C[++].)
The control-downloader part of ActiveX has also been cleaned up a bit since the bad old days when anything in the My Computer zone could install any software it liked, and aggressive loader scripts could trap you in an alert loop until you agreed to approve the ActiveX prompt. Firefox's equivalent, XPInstall, behaves largely similarly, with the ‘information bar’ on all but Mozilla's sites by default and a suitable warning/prompt before installation.
There is another built-in way you can compromise yourself in Mozilla: signed scripts. I have never seen this actually used, and certainly there'll be another warning window appear before a script gains extra rights, but it kind of worries me that this is available to web pages at all.
for example an exploit through flash will gain access to my pc under my user rights
Yes, the majority of web exploits today occur in plugins. Adobe Reader, Java(*) and QuickTime are the most popular/vulnerable. IMO: get rid of those, and use FlashBlock to only show Flash when you want it.
(*: and Java's dialogues before it lets you give up all security to some untrusted applet is a bit bare too.)
Ubuntu gives you some questionable plugins by default, in particular a media player plugin that will make every vulnerability in any of your media codecs exploitable through the web (similar to the Windows Media Player plugin, only potentially with many more formats). Whilst I have yet to meet an exploit targeting Linux like this, that's really only security through obscurity.
Note that ActiveX itself is no different. A web browser compromise based on ActiveX still only gives user-level access; it's only because prior to Vista everyone habitually ran everything as Administrator that this escalated to a full-on rooting.
and then follow to exploit some known vulnerability in X to gain root rights. that is not "easy".
Maybe, maybe not. But I think you'll find the damage some malware can do from even a normal user account is quite bad enough. Copy all your personal data, observe your keypresses, delete all your documents...
I've been looking at this from the perspective of adding support for this in some GNOME Do plugins. gnome-online-accounts is basically a single-sign-on API. It provides a way for applications to get an authentication cookie for the configured online accounts. It does not provide anything else; it's up to the application to know how to use that cookie to talk to the online service.
As such, it's entirely dependent on the applications to (a) query gnome-online-accounts for configured online services, and (b) actually know how to interact with those online services.
You can think of it as basically gnome-keyring for your online services. It has been integrated into Ubuntu 11.10, in so much as the GNOME apps which support g-o-a will use it; there just aren't many apps that use it yet ☺.
Best Answer
Short answer: You can probably trust g-o-a if you use Twitter, Facebook and Google-accounts and you're faced with a login-page that looks native to those services (e.g. a facebook-styleish login box instead of a GNOME-styleish one). Edit: However, always assume your accounts are compromised. g-o-a might not be the weakest link, but the more links you've got on a chain, the more likely it is that one of it is going to be weak. Always treat your data carefully.
Long answer: Depending on what service you use it either uses a "token authentication" (see http://en.wikipedia.org/wiki/OAuth ) or clear text passwords. The worst case scenario for e.g. Twitter is that someone sends spam with your account, but they won't have access to sensitive data (however, if you store passwords in Chrome/Firefox - that's an entierly different matter) and the "hackers" cannot steal your password or change it. You can just go onto the security settings (on Twitter) and then delete the OAuth-token for your g-o-a.
This is different for different services. On Google (and Facebook), you can specify app-specific passwords if you're worried about your privacy. If these passwords are stolen, you can just delete them.
At the end of the day, exploiting g-o-a might not be that valuable unless you're actually targeting a specific person you know runs GNOME, since most people (I dare to say) stores their passwords in Firefox/IE/Chrome, which both should be less secure and more common - like telling a child not to steal candy from an open candy jar and then go away shopping for an hour.
If you're worried about g-o-a, you should always reset your browsing history (and cookies etc.) in your browser when closing the browser and not running any unofficial Facebook apps etc.