Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities

Slashdot reader KiloByte warned us about new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.

Here's why it works:

[GerbilSoft]

gnome-exe-thumbnailer is a shell script that uses Wine to do the actual thumbnailing. The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon.

The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

Re:Requires WINE?

[KiloByte]

Nope, Wine itself is enough, at least on installations which I looked at.

In the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.

Re: What the heck?

[Zero__Kelvin]

No. It isn't the default. You need to install wine. IOW if you are using Linux, and not adding support for Windows garbage, then you have nothing to worry about.