Slashdot Mirror


Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net)

Slashdot reader KiloByte warned us about a new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.

72 comments

  1. "Bad taste" by Anonymous Coward · · Score: 1, Funny

    Well! That certainly explains systemd!

  2. WTF? by Anonymous Coward · · Score: 2, Interesting

    Who infected the festering heap that is Gnome to run VBscript?

    1. Re:WTF? by arglebargle_xiv · · Score: 3, Funny

      Oh for fsck's sake, we're now virus-compatible with Windows?

  3. Requires WINE? by HalAtWork · · Score: 3, Interesting

    How exactly does the VBScript execute on a default Linux distro? Can anything other than VBScript get injected?

    1. Re:Requires WINE? by Nutria · · Score: 1

      Not just Wine, but also Winetricks.

      From http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html/:

      If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Requires WINE? by KiloByte · · Score: 4, Informative

      Nope, Wine itself is enough, at least on installations which I looked at.

      On the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Requires WINE? by Anonymous Coward · · Score: 0

      the exe thumbnailer is not an official Gnome project but comes from Ubuntu

      There ya go! Another reason to stay away from Africanized Linux!

    4. Re:Requires WINE? by Anonymous Coward · · Score: 0

      While the first link in the summary is useless, the second link contains all the detail you want.
      The Gnome thumbnailer for .msi files tries to extract the version number from the .msi file by asking a WindowsInstaller.Installer object to parse the .msi file and get the version property. This seems like the sensible thing to do. In general it's better to use pre-existing, tested code than to write your own. In any case, this issue isn't caused by a problem in the WindowsInstaller.Installer class.
      The problem is that the code that calls that library is implemented as a shell script calling a VBScript calling the required methods. And the programmer ran into a bug in Wine (#19799) that causes cscript to crash if you call WScript.Arguments(0). So instead of passing the name of the .msi file to the VBScript, it writes the name into the VBScript. And because shell script syntax leaves people permanently confused about when things are and aren't escaped, the programmer forgot to escape the file name.
      So when the VBScript reaches the statement Set DB = WI.OpenDatabase("[file name]",0) where the file name was poc.msi",0):[malicious VBScript code]'.msi then the malicious VBScript code gets executed.
      I think there are a few lessons to be learnt.
      1) Don't use shell script for regular application programming. Its syntax is confusing, there are no compile-time checks, and the most common class of shell script problems, over- or under-escaping, is notorious for creating security vulnerabilities.
      2) Don't use too many levels of indirection, especially if the indirection is complicated. Every level increases the possibility of bugs. I don't know if it's possible to instantiate Win32 classes (using Wine) from regular Linux code, but if the thumbnailer had used the WindowsInstaller.Installer class directly, this wouldn't have happened.
      3) Don't generate code. It's too easy to accidentally generate code that does something horrible.
      4) A bug can be a security vulnerability not because of the direct effects of the bug itself, but because it causes programmers who have to work around it to mess up.
      5) If working around bugs and deficiencies makes you have to implement a feature in a particularly convoluted way, it might be better to just not do it and scrap the feature you're trying to implement.

    5. Re:Requires WINE? by Anonymous Coward · · Score: 0

      I would have thought it needs vbscript.dll, but maybe not. The story talks about an MSI. An MSI is a Windows Installer setup file. It allows for numerous types of "custom actions", which is just official terminology for embedded EXEs, javascript files, VBScript files or DLLs. An MSI is run by msi.dll on Windows but it sounds like that functionality has been mimicked on Linux, without msi.dll.

      In other words, an MSI can be a package of assorted executables, which is common with complex, swanky setups made by large companies. The problem is not VBScript per se. The problem seems to be in not anticipating the functionality of an MSI.

    6. Re:Requires WINE? by alvarogmj · · Score: 1

      It's a shame you posted this as an AC, because most people won't see it by default.

      I fully agree with the 5 points you mentioned, and I write this as somebody who has written his share of hundred-lines-long shell scripts. Point 5 is the first thing I thought when I read the description of the problem: "why the hell are you trying to parse an MSI just to show an icon, while in Linux? what is the benefit of doing it?".

      Another idea is: did this code pass a code review? I know this is open source and people work in what they like, when they feel like it, but for a project as big as gnome, I would expect code reviews to be a part of the process. Somebody should have seen the commit which "solved" the problem and said something like "this is not acceptable, let's put this minor feature in the backlog and solve it once it is possible to do it in a sane way".

      This is a bug which should disappoint every developer in the project, because it feels amateurish, it doesn't feel like something that should happen in one of the biggest, most successful open source software projects.

  4. So it has begun by Anonymous Coward · · Score: 0

    Linux has become such a shit security wise, it's now vulnerable even to Windows viruses.

    1. Re: So it has begun by Anonymous Coward · · Score: 0

      2017 is truly the year of windows desktop viruses on linux

  5. Mission Accomplished! by nt2ldap · · Score: 4, Insightful

    Looks like the Gnome Project has finally arrived: after years of bending and twisting to get Windows-like behavior out of the Linux desktop (you know, the "sad face" screen that appears when it crashes, oh wait... that would be MacOS!), they've finally done one better -- made Linux vulnerable to Windows malware. This time the trade off was decorations for security. Having already banned smb from our networks, we thought we were safe. Maybe it's time to look for a new DE. I think twm is still in the Fedora repo...

    1. Re:Mission Accomplished! by Anonymous Coward · · Score: 0

      I think twm is still in the Fedora repo...

      Fedora - that's your problem, right there.

    2. Re:Mission Accomplished! by Anonymous Coward · · Score: 0

      The bug in question looks like it was Ubuntu-specific though. Fedora unaffected. Hrm.

  6. Miss having MS vulnerabilities? RUN WINE by Anonymous Coward · · Score: 0

    Hope all the idiots who run WINE on bare metal realise they've increased their attack surface by about 10 orders of magnitude.

    If you have WINE your attack surface has moved into higher dimensions.

  7. What the heck? by 93+Escort+Wagon · · Score: 1

    Admittedly it's been over a decade since I used a desktop version of Linux, but - is the ability to run VBScript part of the default Gnome installation nowadays? And, if so... what idiot (or group of idiots) decided that was a good idea?

    --
    #DeleteChrome
    1. Re: What the heck? by Zero__Kelvin · · Score: 4, Informative

      No. It isn't the default. You need to install wine. IOW if you are using Linux, and not adding support for Windows garbage, then you have nothing to worry about.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re: What the heck? by chipschap · · Score: 1

      The other important point to note is that the vulnerability has already been patched. Not security by obscurity, not denial, not "we'll fix it on Patch April Fool's Day" --- it's done.

    3. Re: What the heck? by Zero__Kelvin · · Score: 1

      Another interesting thing to note is the morons latching on to this one already fixed issue and claiming it means Linux is dead and all the good developers are moving or have moved to Windows :^)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:What the heck? by Anonymous Coward · · Score: 0

      The same group that's sponsoring the shitstemd crapware. One with a certain headwear of reddish color in their parent company name.

    5. Re:What the heck? by Anonymous Coward · · Score: 0

      No, it's not. This is not about software that is part of GNOME.

      https://csorianognome.wordpress.com/2017/07/20/clarification-on-a-security-flaw-on-a-thumbnailer/

  8. Here's why it works: by GerbilSoft · · Score: 4, Informative

    gnome-exe-thumbnailer is a shell script that uses Wine to do the actual thumbnailing. The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon.

    The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

    1. Re:Here's why it works: by Anonymous Coward · · Score: 3, Insightful

      The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon

      ... why?

    2. Re:Here's why it works: by Anonymous Coward · · Score: 0

      It seems like the same icon get could be done natively without the risk of enabling full VBScript?

    3. Re: Here's why it works: by Anonymous Coward · · Score: 0

      The real questions should be about how this flaw was introduced to begin with. Who proposed this change? Who committed the changes? Why wasn't this flagged as a bad idea right away, before or just after the code was committed? Can any of the Gnome code be trusted after a flaw like this was able to be introduced? How many different process failures occurred to allow this flaw to happen?

    4. Re: Here's why it works: by Anonymous Coward · · Score: 0

      How can you use Gnome and not know they don't care about outside input? Move on like everyone else did after 2.0.

    5. Re:Here's why it works: by Anonymous Coward · · Score: 0

      Yes, but that's not the Gnome/SystemD/RedHat way.

    6. Re: Here's why it works: by Anonymous Coward · · Score: 0

      Maybe they were too busy adding features too fast instead of spending some time in design?
      Who knows but maybe with the git logs they can trace the ones that introduced this problem, but that is not the solution, blame-bashing is useless and stupid because it doesn't provide a real solution and only creates resentment on good developers that have already too much workload, instead in design time features should be talked with security people or researchers so they can provide their insight in the design before starting to implement it so developers can be aware of these kind of pitfalls.

    7. Re: Here's why it works: by Anonymous Coward · · Score: 0

      In my opinion, it would be justifiable and responsible to ban anyone who was involved with allowing this flaw to happen. I don't think their future contributions could be trusted. I think all past contributions of theirs would need to be thoroughly reviewed, if not preemptively removed, too. In my view, this is the kind of head-scratching flaw that should cause the entire Gnome project to be halted until a full investigation can be performed. I don't think that a fix alone is sufficient.

    8. Re:Here's why it works: by Anonymous Coward · · Score: 0

      Using lots of small tools in a pipeline totally is the unix way.

      The odd thing is this particular combination seems rather fragile and bloaty. And should be running as a nobody user, if there's a feasible way of piping the icon segment of the exe into it and getting an image out the other side.

    9. Re: Here's why it works: by Anonymous Coward · · Score: 0

      blame-bashing is useless and stupid because it doesn't provide a real solution and only creates resentment on good developers that have already too much workload

      Generally agreed. If something like this makes it in, it's a failure of the whole process, not of one developer in particular. People learn by making mistakes: if you ban someone for one, you'll soon be really short of developers.

      Of course, if someone has a pattern of doing it and doesn't learn, then sure, kick them out of the project.

      It's a judgement call, but we should look at this more as a failure of process, and that's something to learn from and fix.

    10. Re:Here's why it works: by Anonymous Coward · · Score: 0

      This! (No mod points or I'd give them up)

    11. Re: Here's why it works: by Anonymous Coward · · Score: 0

      > Can any of the Gnome code be trusted after a flaw like this was able to be introduced?

      Why should GNOME be responsible for code in a third-party GitHub repository?

      Do you even have a clue what you are talking about? Or are you just writing uninformed garbage?

    12. Re: Here's why it works: by Anonymous Coward · · Score: 0

      Maybe because this only works on gnome. The flaw is not present on other operating systems. Go back to your gnome mailing list you fucking cuck boy shill.

    13. Re:Here's why it works: by HyperQuantum · · Score: 1

      The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

      This looks to me like the script equivalent of an SQL injection attack. In an SQL injection, unverified text is copied into an SQL query, which allows an attacker to execute arbitrary SQL commands. In this 'bad taste' vulnerability, a filename (which can contain almost any possible character) is copied into a small VB script, allowing an attacker to execute arbitrary VB script code simply by giving a file a carefully crafted name.

      Aside from the injection vulnerability, this particular version of the attack would not be possible if there had been some extra restrictions on what characters are permitted to be used in filenames (on Linux). Scripting would be a lot easier if one did not have to account for the possibility that people use double quotes, newline characters or even stranger things in filenames. Sadly, there are those who oppose any restriction on which characters can be used in filenames, simply because they want to be able to abuse the filesystem as a cheap hash table with raw binary data as filenames.

      --
      I am not really here right now.
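The injection described in this thread (the file name written unescaped into `Set DB = WI.OpenDatabase("[file name]",0)`, and the SQL-injection comparison in the comment above), as an added shell example that is not part of any comment and is not gnome-exe-thumbnailer's code. The function names and the inert `INJECTED_STATEMENT` placeholder are assumptions, and the sample file name is constructed in the shape quoted in the thread.

```sh
#!/bin/sh
# Added example (hypothetical names): a file name pasted into generated
# VBScript, and a hardened generator that keeps the name inside one literal.

# Constructed sample name with the shape quoted in the thread.
# INJECTED_STATEMENT is an inert placeholder, not real VBScript.
SAMPLE_NAME='poc.msi",0):INJECTED_STATEMENT'"'"'.msi'

# Unsafe: the name becomes part of the script text, so a double quote in
# the name ends the string literal early.
gen_vbs_unsafe() {
    printf 'Set DB = WI.OpenDatabase("%s",0)\n' "$1"
}

# Hardened: refuse control characters (a VBScript literal cannot span
# lines), then double every double quote; "" inside a VBScript string
# literal is a literal quote character.
gen_vbs_escaped() {
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || return 1
    escaped=$(printf '%s' "$1" | sed 's/"/""/g')
    printf 'Set DB = WI.OpenDatabase("%s",0)\n' "$escaped"
}

# Minimal scanner (not a VBScript parser) that counts statements on one
# line: '"' toggles string state, ':' outside a string separates
# statements, and "'" outside a string starts a comment.
count_statements() {
    line=$1 in_str=0 count=1
    while [ -n "$line" ]; do
        rest=${line#?}
        ch=${line%"$rest"}
        line=$rest
        if [ "$ch" = '"' ]; then
            in_str=$((1 - in_str))
        elif [ "$in_str" -eq 0 ] && [ "$ch" = ':' ]; then
            count=$((count + 1))
        elif [ "$in_str" -eq 0 ] && [ "$ch" = "'" ]; then
            break
        fi
    done
    printf '%s\n' "$count"
}

# Demo: an ordinary name and the constructed name through both generators.
for name in 'setup.msi' "$SAMPLE_NAME"; do
    printf 'name    : %s\n' "$name"
    printf 'unsafe  : %s statement(s)\n' \
        "$(count_statements "$(gen_vbs_unsafe "$name")")"
    printf 'escaped : %s statement(s)\n' \
        "$(count_statements "$(gen_vbs_escaped "$name")")"
done
```

Escaping only repairs the generated text; handing the file name to the script as data rather than generating code, as lesson 3 in the earlier comment suggests, removes this class of bug altogether.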
  9. Yes/No/Maybe by iYk6 · · Score: 1

    It looks like it might execute on a default distro, but it depends which packages you have installed. A heavy distro such as Ubuntu might have these packages by default.

    The summary has a link to a good description of the bug from the bug's founder. It looks like the poorly written line is specifically intended to execute VBScript, so I doubt you could use another scripting language or executable binary. However, you could use VBScript to write arbitrary content to .bashrc, which you could cause to download an arbitrary binary and execute it.

  10. Linux is nothing but a disappointment these days. by Anonymous Coward · · Score: 3, Insightful

    I'd been a Linux user for a very long time. I'd started with Yggdrasil before moving to Debian. For most of the 1990s and even up until about 2008 or 2009, I felt proud to use Linux.

    During that period I used to watch friends, family and coworkers use Windows. They'd suffer from BSODs. They'd suffer from malware infections. But my Linux installations were the opposite. I never experienced crashes. I never experienced security problems. Linux of that era was robust and trustworthy.

    But those days are long gone. It's a real shame what Linux has become. To be fair, the kernel isn't too bad. But almost everything around the kernel has gone to hell.

    It got to the point where I had nothing but trouble with almost every aspect of a typical desktop Linux installation. Systemd caused me numerous problems. If I was lucky enough to get past those, then it would be PulseAudio or NetworkManager that weren't working. If I got them working, or just ignored that they were broken, I was faced with the awful GNOME 3 environment, unless I went out of my way to install KDE (which isn't much better) or Xfce. Even then, installing 3D graphics drivers was always so risky. Most of the time I found they just wouldn't work.

    I still can't believe how quickly it all went to hell. Just compare a modern Linux desktop installation to macOS, or even Windows 10. The Linux installation will feel amateurish and fragile.

    Now, I have to admit that Linux has seen some success on mobile devices. But that's also a very interesting situation. Linux only became popular in the case of Android because they didn't use systemd, X, GNOME, GTK+, or much of the existing infrastructure of a typical Linux distro. It was all discarded and replaced with custom software. It's difficult to call Android "Linux", when the kernel is buried so deeply. There are probably app developers who have no idea that the Linux kernel is down there.

    If you had asked me in 2005 how I thought Linux would be doing a decade or more later, well, I wouldn't have imagined it to be anything like it is now. I never would have guessed that something as anti-UNIX and Windows-like as systemd would end up in Debian. I never would have guessed that GNOME 3 would be such a disaster. I never would have guessed that X wouldn't have progressed much. I never would have guessed that macOS and Windows were objectively better OSes.

    Linux is nothing but a disappointment these days. I wish that wasn't the case, but it unfortunately is how it is.

  11. Re:Linux is nothing but a disappointment these day by Anonymous Coward · · Score: 5, Insightful

    Linux of that era was robust and trustworthy.

    It wasn't, you just believed that it was.

    Grab a fresh install of that vintage, and the NSA and every script kiddie from here to eastern Europe will have three dozen working exploits for it.

    Linux at the time was a VERY unimportant target. It wasn't established in the server space yet, and it was all but zero percent of the desktop. It wasn't worth bothering with.

    Now that it is, if you use a Linux of that vintage it can be pwned with little more difficulty than Windows 95.

    Any OS requires constant security updates to stay in the game.

  12. Re: Linux is nothing but a disappointment these da by Anonymous Coward · · Score: 1

    Your comment is a good example of why open source software in general is in such a sad state these days. When long time users point out very real and very unacceptable problems involving open source software, they're immediately mislabeled as "trolls", or they're attacked in some other way.

    We've seen this within the Firefox community. We've seen this within the GNOME 3 community. We've seen this within the systemd community. We've seen this with the Debian community.

    It shouldn't surprise us that things have gotten so bad. Many of the best open source contributors have been driven away from the Linux-oriented open source projects. They've moved to OSes like FreeBSD, macOS, and even Windows, because those OSes offer a far superior experience. The developers who remain are the flotsam of the open source community.

    Here we are talking about an exploit affecting GNOME and Linux, and it uses goddamn VBScript of all things! Yet you have the gall to say that the situation "just keeps getting better."

    Maybe you're too naive to realize this, but something is very, very, very, very inexcusably wrong when in 2017 a VBScript exploit is affecting GNOME and Linux! That's the sign of a very unhealthy ecosystem. The situation is obviously not "getting better".

  13. Re: Linux is nothing but a disappointment these da by Anonymous Coward · · Score: 0

    That made no sense at all. Except if you're one of those funny little trolls.

  14. This vulnerability is inexcusable. by Anonymous Coward · · Score: 5, Insightful

    This was a VBScript exploit affecting GNOME and Linux in 2017. Think that through. Let it sink in.

    Just because it may have been fixed doesn't make this incident acceptable.

    It never should have happened in the first place!

    Everything about this incident is wrong, and extremely shameful.

    It is an indication of just how rotten the Linux and GNOME development communities have gotten lately.

    1. Re:This vulnerability is inexcusable. by Anonymous Coward · · Score: 0

      It's amusing that a Linux DE is affected by the kind of exploit that was popular in Windows about a decade ago.

      Like, of all the things to catch up on, this one? Really?

    2. Re:This vulnerability is inexcusable. by Anonymous Coward · · Score: 0

      > This was a VBScript exploit affecting GNOME and Linux in 2017.

      Shocking. A third-party wrote some low quality software that happens to also work under GNOME (but is not part of GNOME nor limited to GNOME).

      Which also should affect FreeBSD if one would install the same software there. So it affects FreeBSD users. How will your "Linux is so shit now" rant continue now?

  15. They did one better by Anonymous Coward · · Score: 0

    They're vulnerable to Windows malware that doesn't run on Windows. Why the hell is the file manager running executable code packaged inside an MSI if it's never launched? There is no reason - none - to create a "preview" or "thumbnail" of an MSI. It's a friggin installation database. It's like saying we need a thumbnail preview of an .rpm - it doesn't make sense. GNOME is a dumpster fire.

    1. Re:They did one better by Anonymous Coward · · Score: 0

      All GUI file managers they do parse all the files headers to get the file icon at least.

    2. Re:They did one better by Anonymous Coward · · Score: 0

      At what point in that sequence is it supposed to run executable script code? E.g. there is a difference in parsing say, JavaScript, to do like syntax highlighting, and running that parsed code.

    3. Re:They did one better by Anonymous Coward · · Score: 0

      Actually the malicious code isn't packaged inside the .msi file but in its file name. This is no Windows malware at all and Gnome is only vulnerable because of very specific problems in Gnome.

  16. OMG a file manager thumbnail plugging shit into WINE by Anonymous Coward · · Score: 0

    what could possibly go wrong... why would you even want to preview that crap.

  17. Here's a much better question: by Anonymous Coward · · Score: 0

    There isn't a single version of Windows dating back to Windows 98 that extracts an icon from an MSI nor provide a thumbnail preview. MSIs are displayed as generic, static icons. It's an installation package. Displaying a custom icon in the file explorer is unnecessary cruft. So the better question is: WHYYYY is this feature necessary in GNOME? Windows doesn't even do it. What problem does it solve for the user? What additional relevant information does it provide? Nothing. It just adds attack surface and complexity to an already bloated, shite, desktop environment.

    Seriously. If anyone can explain to me why we need thumbnail previews of MSI packages and why this feature is necessary to a desktop environment I'll shut up. I'll say it again: Windows doesn't even do it. If the bozos at M$ didn't even think it would add value then why does GNOME?

    1. Re:Here's a much better question: by 0123456 · · Score: 2

      A better question is, why do we need thumbnail preview at all? It's a huge attack surface that doesn't even require you to open a file to get infected. Not to mention a huge performance hog.

      Oh, yeah, because Windows has been doing it for years.

    2. Re: Here's a much better question: by Anonymous Coward · · Score: 0

      Why limit yourself to how Windows works? Yes in this case there was an exploit but exploits happen all the time, and it's fixed while still presenting an icon.

    3. Re:Here's a much better question: by GerbilSoft · · Score: 1

      Looking through gnome-exe-thumbnail, it overlays the program's version number on top of the icon. Windows doesn't do this, but Windows Explorer will show the program version in the properties panel on the bottom of the window and in the file properties page.

    4. Re:Here's a much better question: by tlhIngan · · Score: 1

      A better question is, why do we need thumbnail preview at all? It's a huge attack surface that doesn't even require you to open a file to get infected. Not to mention a huge performance hog.

      Oh, yeah, because Windows has been doing it for years.

      Well, thumbnail previews are helpful for the common case of a collection of photos in a directory. Perhaps you're totally organized and categorize the heck out of every digital photo you take, but most people are not, and it's nice to open a folder of photos and quickly glance and see what they're about than to see generic icons and open each one to see what the file is inside.

      It's a user thing. It's why complex beasts like NetworkManager, Pulse Audio and SystemD exist - because no amount of "simple scripting" can get around fundamental limitations of the "keep it the Unix way".

      In fact, why do shell scripts in sysvinit ... reimplement init? The default init that sysvinit uses already handles daemonizing really well, and if daemons die, it can easily restart them. In fact, if they die too quickly, init will stop spawning it for 5 minutes. And to heck with S/K scripts, since init handles runlevel invocations as well. The only reason I can see is that editing inittab is too hard, but we seem to make do with other files like passwd and such.

      And users like NetworkManager - because things like WiFi screw up the networking model Unix created. (Just because you connect to WiFi, doesn't mean you want the same settings for WiFi - perhaps you connect to public WiFi and want a VPN, while corporate WiFi you don't. And then there's multiple connections...).

      And Pulse Audio is a pain, but necessary to accomplish some tricky audio routing issues. For example, take a standard PC with a sound card. It's playing music or a video, and there's a VoIP app running in the background. The user wants to take the call, so they plug in their headset via USB or Bluetooth, and the VoIP app's audio needs to move to the new sound device transparently - the app shouldn't need to close and reopen (or even know a new audio device was added). Yes, it works in Windows when people insist on using voice with Skype (I normally just use speakers and built in microphone, but if there are people around, a headset gets better privacy. But I don't have a headset - I borrow one from my manager since work doesn't provide me with one and I don't use one enough to justify the expense. I plug it in, and magically, the call is routed to them and I can chat in privacy).

      Oh yes, the audio from the existing music player or video player must NOT be routed to the headset, either.

      Feel free to try to implement these two basic use cases with shell scripts.

    5. Re:Here's a much better question: by Anonymous Coward · · Score: 0

      And why should that require a VBS interpreter?

      "keep it the Unix way" doesn't mandate scripting.

      It does specify "keep it simple stupid" so that it can be easily debugged, easily patched, easily replaced.

      Which is not true of "NetworkManager, Pulse Audio and SystemD". They have NONE of those characteristics.

      "The app shouldn't need to close and reopen"... sounds more like a poor app design.

      "In fact, why do shell scripts in sysvinit ... reimplement init?" They don't. You just seem to think they do for some reason. What shell scripts DO allow is simple controlled sequencing. Which is not the task of init, and is something systemD still can't do.

    6. Re: Here's a much better question: by Anonymous Coward · · Score: 0

      You're missing the point. The point was, why implement the functionality at all, it isn't necessary. If you disagree, please explain why it is. How Windows handles it was only brought up to highlight that is unnecessary.

  18. Re: Linux is nothing but a disappointment these da by Anonymous Coward · · Score: 0

    Linux is actually doing quite well these days.
    You seem to have forgotten that Linux dominates the market in the server world, especially the "cloud". The vast majority of mobile phones are running Linux. Whether user or developers are aware that it is Linux is completely irrelevant to your point.
    Your complaints seem to be centered around most of the GUI options for desktop users and while you bring up valid points against those projects, those arguments are, again, irrelevant to "how Linux is doing" as a whole.

  19. Re:Linux is nothing but a disappointment these day by sombragris · · Score: 3, Insightful

    I'd suggest you use Slackware. Solid and stable like a rock; and also, fast. The price to pay is that you usually should have a modicum of technical competence; which you appear to possess, given the distro history you claim. Try it; if you really are disappointed by what you mention in your comment, chances are these are nonexistent or highly mitigated in Slackware (for example, there's no systemd; init is a simple, easy to understand BSD init with a SysV compatibility layer for those who would want it).

    --
    -- Look to the Rose that blows about us--"Lo, Laughing," she says, "into the World I blow..."
  20. One question by viperidaenz · · Score: 1

    Why does a thumbnail extractor have the capability to run any sort of code?

    1. Re:One question by Anonymous Coward · · Score: 0

      How is that different from various font vulnerabilities that have had to be fixed over the last few years? How in Hell can fonts require programming which can be exploited??? That seems to be regardless of OS.

    2. Re:One question by Anonymous Coward · · Score: 0

      And how, pray tell, are you going to extract thumbnails without running code at all?
      I'm extremely disconcerted now I've seen how thumbnail extraction is implemented on Gnome, using shell scripts generating VBScripts, there are real problems there, both in the code and in the culture that allowed it to be written, but yelling overly broad nonsense like ‘Why must you run code to do something?’ isn't going to help anyone.

  21. VBscript by Anonymous Coward · · Score: 0

    Why is it supported on Linux? It's a plague on humanity!

  22. Re:Linux is nothing but a disappointment these day by Anonymous Coward · · Score: 0

    I completely agree with you. I used a Linux desktop from 1996 until about 2008-2009, now I use Windows 10 and FreeBSD on my server. They keep trying to reinvent the wheel on Linux when it used to work just fine, now it's just a headache full of bugs. Windows isn't perfect but I've only had a BSOD once in the past 2 years and it was when I unplugged the HDMI cable.

    I work for a data center and I can't count how many times Linux updates have broken something on servers (SELinux policies for a random example)... we've migrated many Linux machines to FreeBSD just because of how much more stable it is and isn't plagued by constant security issues like Linux.

  23. Re:Linux is nothing but a disappointment these day by Anonymous Coward · · Score: 0

    A lot of groups are trying to pull it (both the kernel and surrounding ecosystems) in various directions for their own purposes, especially corporations; too little can be done to resist it, as they have the money and market share to effectively ramrod these changes through the system. I've always been more inclined towards the less-corporate distros such as Debian, and have noted a relatively consistent experience in spite of systemd, pulseaudio, and other shenanigans (literally all of my issues with systemd have been related to logging and restart control). The issues that arise from groups trying to steer the overall ecosystem to meet their needs are far-reaching; systemd is the most prominent current example that I know of. Unfortunately, it seems that when massive organizations, like Redhat, start fiddling with stuff, other groups tend to follow suit in order to "stay with the times". By trying to standardize with the big dogs, they wind up fragmenting their own ecosystems, to the detriment of the people that make use of their software.

  24. Re: Linux is nothing but a disappointment these da by thegarbz · · Score: 0

    When long time users point out very real and very unacceptable problems involving open source software, they're immediately mislabeled as "trolls", or they're attacked in some other way.

    No. You're not a troll and long time users aren't trolls either. What you are is a classic textbook case of someone resistant to any form of change to the point where change is bad so you can't see why a change occurred and thus obscure the good that has occurred because of it. Not only that with this typical example you end up with an increasingly rose coloured view of the past.

    Go ahead. Fire up that Linux distro from the 90s. IF you can get your network card going on that ancient kernel, IF you can get your video card up and running, IF the ancient version of X will happily display a graphic on your LCD without skewing the image then maybe, just maybe, you'll last a few minutes before your computer is taken over by hundreds of script kiddies exploiting any of the thousand CVEs that have been published for Linux and fixed over the past 2 decades.

    Now if you're lucky and that doesn't happen then what. What will you do? You won't be visiting much of the internet because that won't work. You certainly won't be using a productivity or office suite because that was just a steaming turd back then. Hell you'll be spending more time working through frustrating interface bugs and spending time trying to get your computer to actually work for you, a reputation that Linux had well deserved back in those days on the desktop.

    Even if you don't want to use it on the desktop, what are you going to serve up? Ancient NFS shares with all their exploits from early versions? SMB shares with SMB v1 protocol which many people are disabling? Websites which don't support any dynamic content or scripting with an Apache version so out of date it basically screams to any passer by "take me bigboy, I'm yours!" Maybe a print server for a printer you won't have drivers for?

    Technology has changed and gotten far more complicated. Linux has moved with the changes. Part of those changes were made because it was a frigging nightmare to the point where no sane person would inflict the terror of recommending a non-techy person even attempt to run Linux on a desktop system in the 90s. Where are we now? A suitable alternative?

    By the way speaking of your communities:
    - The Firefox project abandoned the community, you are absolutely right.
    - The Gnome project addressed its fundamental shortcomings of Gnome being a borderline unconfigurable mess of settings. They adapted to a changing world by giving new users a simple and easy to use desktop knowing full well that techies will happily switch to the many other DEs because they want their lives to remain complicated.
    - The systemd project was just the most successful of the many attempts to replace a broken system that didn't suit the workloads of a modern machine, not on the desktop, the laptop, or the server.
    - The Debian project.... Not sure what you're talking about. Debian has never been bigger and more important and they make their decisions on technical grounds, many of which users refuse to put the effort into understanding.

    So you say it's inexcusably and wrong that a VBScript is affecting Linux. I say fucking finally Linux is able to actually run a variety of Windows software to the point where it is a suitable alternative OS. By the way the bug was found and fixed on the same day. A sad state for the OS indeed!

  25. Re:Linux is nothing but a disappointment these day by Anonymous Coward · · Score: 0

    Actually, it was quite secure. And still is.

    36 working exploits? Not many - and were already patched back then. Unlike the 700,000 or so against Windows that have never been patched.

    "VERY unimportant target"? no, even in 2005 it was more valuable than Windows. Wall Street servers were already moving to Linux, supercomputers (the favorite target) were ALREADY running Linux.

    Linux was (and still is) being attacked hourly (I used to see a couple of hundred per hour, depending on which server I was monitoring at the time - gave up and only examined the successful connections). The attacks are just unsuccessful. You don't hear about it because it is very nearly a "so what?, nothing happens".

  26. Re:Linux is nothing but a disappointment these day by Anonymous Coward · · Score: 0

    "Windows isn't perfect" ... right, but that is not the issue, free software is.

    "They keep trying to reinvent the wheel on Linux "
    Correct, like most updates on KDE have been a pain in the ass, for no good reason. The newer versions are no better than the old, and no options were given to go back or stay on the previous versions. Much of the new features are probably not used, or appreciated, by many.
    "Activities" ? WTF this is I don't even want to know.
    Compositing desktop effects? 99.99% useless fucking eyecandy. A waste of time.
    100's of different keyboard shortcuts? convenient if you can fucking remember them.
    KDE, and many other, user interface programmers evidently just don't want user community input.
    GNOME desktop? I've tried it several times, and find it less than useful, like sticking a sharp object in your eye. It is a default desktop for many distributions, and makes people want the simplicity of windows.
    There is little good reason to reinvent the wheel in desktop look-and-feel. Apple eye-candy may look smart but useful, and necessary?
    Who uses Linux desktop and why? Are these people also using other desktop environments?
    Systemd, why? I never had any issues with sysvinit, but I've sadly rolled over for systemd. Again very little choice to regress.
    If there is so much spare developer time to make all this fucked up UI shit, there is obviously need for a new core philosophy, just as much as the kernel has. Non-technical people need to lead philosophical levels of user interfaces, too much technology is not always better. A fucking toilet is always a toilet, it does not need four hundred buttons, and an operating system, or a wireless interface, nor a touch screen.
    It is harder to make something simple than complicated, it requires more thought and insight.

  27. Re: Linux is nothing but a disappointment these da by Brockmire · · Score: 1

    My experience with Linux has been the opposite going back to the 90's. Finding drivers and building kernels was a major fucking pain. I'd spend weekends trying to get a distro running, only to have a few showstoppers. Everything was command line shit. Everything required modification. You didn't just end up with a 30 minute install with all drivers installed with default install media. Video capture was a fucking nightmare. I remember Ubuntu at work couldn't be upgraded or backed up for having too many fucking inodes! It's a fucking file server! Aside from some bad lxle installs, the typical Linux default install just works with all drivers found. Since systemd, I found it easier to set up new boxes and not have to fucking learn how to script start every service on half a dozen distros.