Malware Threat To GNOME and KDE

commandlinegamer writes "foobar posted on his blog recently about 'How to write a Linux virus in 5 easy steps,' detailing potential malware infection risks in the .desktop file format used by GNOME and KDE. This is not a new threat, and it appears to still be a risk, as discussions in 2006 did not seem to come to any firm conclusion on how to deal with the problem." There's a followup on LWN.

Solution

[Spazztastic]

Use Linux... wait, shit. We need a new answer, guys.

Re:Solution

[zappepcs]

The answer is the same one that has been valid for .. well, since the advent of computers. There will always be vulnerabilities. The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest. Arguments can be made for or against Linux based on those criteria but it remains a very strong choice over Windows or Apple. The more popular Linux becomes on the desktop, the more chances there will be vulnerabilities. Now is the time for F/OSS coders to start working extra to ensure there are as few as possible.

If you write code, you know that you've left open areas where an exception will cause a problem for any number of reasons. it happens. period. So far, GNU/Linux has cleaned up quickly and well on most things. The struggle continues. That is the answer.

Re:Solution

[Lumpy]

Have a brain when using the PC.

It works for all operating systems. Viruses and Trojans require the user to not think and execute things willy-nilly. Having a brain reduces the infection vectors drastically.

Every "expert" I have met that has been infected was downloading and using warez unsafely. Every regular use I have met that was infected simply clicked yes to every dialog box they did not want to bother reading and understanding.

The OS does not matter, having educated and competent users does. Have to add that competent, I have seen educated users go and click on crap without reading or thinking.. It requires competence.

Re:Solution

[Ed+Avis]

Have a brain when using the PC.

This has very little to do with user stupidity. Indeed, users should not execute things willy-nilly, but it's surely okay to open a file and look at its contents? If you think that is inherently unsafe then users must be prohibited from receiving email attachments (or downloading from web pages) altogether.

In this case there are no warning dialogues to click through, no unusual steps. All that happens is you save a file and then double-click to open it. There is no way to see in advance that the file is unsafe, and it can adopt any icon and name it wishes, so in the user interface it is *indistinguishable* from a legitimate desktop icon such as the trash can.

It gets a laugh on Slashdot to castigate 'stupid' users, but if the system does not provide users with the information needed to make an informed choice, then the system is at fault.

Virus?

[Carewolf]

It relies on the user downloading saving and running a shell-script. The only trick here is that in this KDE/GNOME form the user does not need explicitly to add execution rights on the file.
Still hardly a virus, more like a gun without a safety switch. It is one step easier for someone to shoot themselves this way.

Interestingly if we wish to reinforce the 'chmod +x' scheme, desktop files should need a +x (or some other non-MIME property) to be treated specially by GNOME and KDE. Might be an idea.

Re:Protect your self with encryption

[JesseMcDonald]

Why do shortcuts need to have the ability to run code?

The shortcut only contains parameters for the path to the application and a list of parameters; it doesn't run any code itself. The problem is that the application can be (e.g.) /usr/bin/perl, and the parameters "-e 'perl code here'". Removing this ability would seriously impact the usefulness of the shortcuts.

The real issue is that the DEs are blindly trusting a non-executable file of unknown source to provide this information. The solution has already been suggested: turn all .desktop files into scripts (via a #! line, which is already valid comment syntax), mark them as executable, and have the DE run them like any other executable file. Non-executable .desktop files which link to applications would be displayed as usual, but would be treated as documents rather than launchers.

Great news

[AlHunt]

So we have a long-known, unaddressed vulnerability and easily accessible instructions on writing a Linux virus.

Does this mean Linux is finally "ready for the desktop"?

Re:Great news

No, it means malware is finally ready for the .desktop

You are wrong

[SmallFurryCreature]

I am dealing with a user at the moment who just isn't that bright. It is not that she is a moron, she just doesn't think. Somethings she does right, she gets her wallpapers through googles image search and uses firefox after my suggestion.

But she also wants animated cursors and finds them and happily installes them. Cursor Mania.

She just doesn't get, yet, that the internet has two kinds of free and that the more something shouts it is free the less likely it is. How do you explain that firefox is free and safe but cursormania is free and not safe?

The problem is not so much that some people are stupid but that they lack a healthy dose of cynasism, they forget to question things. And that is pretty to stupid.

The system can't protect against this unless you want to life in the nanny state. Women are free to go with convicted wife-beaters unless you want the state to decide your partner for you. People can install spyware unless you want the system to decide what you can install.

For some reason people like you want software to do things you would NEVER accept in hardware. Would you really want a powerdrill that constantly checked wether you where drilling in the factory approved substances, at the right angled, under the right conditions? A screwdriver that refuses to be used as a hammer?

At some point users must accept a responsibilty to operate their equipment responsible themselves and accept that if they make mistakes, they are the ones to blaim.

You know what my solution has been to fix 99% of friends requests to fix their windows PC? Re-install. Whipe the crap and sooner or later they either figure out that "mmm once I downloaded those free smiley's my computer starts to act like a piece of crap, maybe these two things are connected" or at least find someone else to help with their crap PC's.

Lets face it, after 30 years I have started to realise that no amount of suggestion is ever going to result in girls actually giving any of the sexual favors they seem to promise when they ask you to fix their laptop.

Re:You are wrong

[Ed+Avis]

What you say is all true but it's not relevant to this particular problem, which is that *all* users, even sensible and cautious ones, can be easily tricked into running an executable because the user interface makes it look exactly like an ordinary file. You or I would also be vulnerable.

And BTW, I suggest you kiss her first, and fix the laptop afterwards.

Re:Did you even RTFA?

[styryx]

You are right and I am wrong.

W...w...wh....what the fuck just happened?! Am I on the internet still?