Slashdot Mirror


Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com)

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red, white and blue one) has released a number of Linux zero-day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them."
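Added example, not from the article or from any commenter: a triage scan that flags audio files whose `.flac`/`.mp3` extension disagrees with their leading bytes, which is the mismatch the summary describes for the renamed SPC files. The function names and sample files are constructed for illustration, and the MP3 check is a simplified heuristic.

```python
import os
import tempfile

# Leading bytes that identify each container, independent of the file name.
SPC_MAGIC = b"SNES-SPC700 Sound File Data"
FLAC_MAGIC = b"fLaC"
AUDIO_EXTS = ("flac", "mp3", "spc")

def sniff(head: bytes) -> str:
    """Classify content by its first bytes, the way a sniffing loader would."""
    if head.startswith(SPC_MAGIC):
        return "spc"
    if head.startswith(FLAC_MAGIC):
        return "flac"
    # Simplified MP3 heuristic: ID3v2 tag or an MPEG frame sync (11 set bits).
    if head.startswith(b"ID3") or (len(head) > 1 and head[0] == 0xFF and head[1] >= 0xE0):
        return "mp3"
    return "unknown"

def find_mismatches(root: str):
    """Return sorted (path, claimed, actual) where extension and content disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            claimed = os.path.splitext(name)[1].lower().lstrip(".")
            if claimed not in AUDIO_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    actual = sniff(fh.read(64))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if actual != claimed:
                hits.append((path, claimed, actual))
    return sorted(hits)

def demo():
    """Scan constructed sample files (headers only, no real audio data)."""
    spc = SPC_MAGIC + b" v0.30\x1a\x1a" + b"\x00" * 16
    samples = {"song.flac": FLAC_MAGIC + b"\x00" * 32, "tune.mp3": b"ID3\x03\x00",
               "renamed.flac": spc, "renamed.mp3": spc, "game.spc": spc}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), c, a) for p, c, a in find_mismatches(d)]

if __name__ == "__main__":
    print(demo())
```

Pointing `find_mismatches` at a downloads directory lists only the files whose name and content disagree; correctly named `.spc` files are not reported.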

3 of 164 comments

  1. Re:This is great work. by Anonymous Coward · Score: 0, Interesting

    > The users expecting the system to "do everything automatically" is no different than Windows of yore running AUTORUN.INF whenever you inserted a removable medium. If there is no pushback on that front there won't be a secure system, eve]

    It's called "usability"; having computers do useful things for us automatically is what makes them so useful. Next you'll be saying web browsers shouldn't display images automatically, because it's a potential security risk. Which would be ridiculous; it's useful to automatically display images in web browsers, and it's useful to automatically index media files. It shouldn't be beyond the wit of man to do so in a secure manner.

  2. Re:Web browser virtualization by AlphaBro · Score: 3, Interesting

    > actually it's the only way to be fully protected against local root (kernel/system daemons) vulnerabilities, keyloggers, data theft, etc.

    I'm not entirely sure about the scope of what you're claiming here, but know that virtual machine escapes aren't uncommon. I'm not saying that virtualizing the browser is a bad idea (defense in depth and all that), but it won't get you perfect security. Also, in some cases, it's possible to attack the host OS without leaving the VM. Then there's the sensitive information within the VM (user credentials, session cookies, etc.), which doesn't require an escape.

  3. Re:This is great work. by Anonymous Coward · Score: 2, Interesting

    > It's called "usability"; having computers do useful things for us automatically is what makes them so useful

    All generalizations suck.

    You are falling into the trap "doing things automatically is a good thing" == "doing everything automatically is a good thing".

    As always, it's a matter of judgement; there isn't a clear bright line and the (muddy) line shifts and moves as exploits evolve.

    Extreme examples (the autorun one) help having a clearer vision. My point is that taking away decision points from the user *before she's even aware of them* (the Downloads example in Chrome) helps in reducing overall security.

    But if you feel comfortable in your trap, just stay there!