Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net)

Posted by EditorDavid on from the thanks-Microsoft dept.

Slashdot reader KiloByte warned us about new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.

13 of 72 comments (clear)

  1. WTF? by Anonymous Coward · · Score: 2, Interesting

    Who infected the festering heap that is Gnome to run VBscript?

    1. Re:WTF? by arglebargle_xiv · · Score: 3, Funny

      Oh for fsck's sake, we're now virus-compatible with Windows?

  2. Requires WINE? by HalAtWork · · Score: 3, Interesting

    How exactly does the VBScript execute on a default Linux distro? Can anything other than VBScript get injected?

    --
    Twinstiq, game news
    1. Re:Requires WINE? by KiloByte · · Score: 4, Informative

      Nope, Wine itself is enough, at least on installations which I looked at.

      In the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  3. Mission Accomplished! by nt2ldap · · Score: 4, Insightful

    Looks like the Gnome Project has finally arrived: after years of bending and twisting to get Windows-like behavior out of the Linux desktop (you know, the "sad face" screen that appears when it crashes, oh wait... that would be MacOS!), they've finally done one better -- made Linux vulnerable to Windows malware. This time the trade off was decorations for security. Having already banned smb from our networks, we thought we were safe. Maybe it's time to look for a new DE. I think twm is still in the Fedora repo...

  4. Here's why it works: by GerbilSoft · · Score: 4, Informative

    gnome-exe-thumbnailer is a shell script that uses Wine to do the actual thumbnailing. The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon.

    The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

    1. Re:Here's why it works: by Anonymous Coward · · Score: 3, Insightful

      The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon

      ... why?

  5. Linux is nothing but a disappointment these days. by Anonymous Coward · · Score: 3, Insightful

    I'd been a Linux user for a very long time. I'd started with Yggdrasil before moving to Debian. For most of the 1990s and even up until about 2008 or 2009, I felt proud to use Linux.

    During that period I used to watch friends, family and coworkers use Windows. They'd suffer from BSODs. They'd suffer from malware infections. But my Linux installations were the opposite. I never experienced crashes. I never experienced security problems. Linux of that era was robust and trustworthy.

    But those days are long gone. It's a real shame what Linux has become. To be fair, the kernel isn't too bad. But almost everything around the kernel has gone to hell.

    It got to the point where I had nothing but trouble with almost every aspect of a typical desktop Linux installation. Systemd caused me numerous problems. If I was lucky enough to get past those, then it would be PulseAudio or NetworkManager that weren't working. If I got them working, or just ignored that they were broken, I was faced with the awful GNOME 3 environment, unless I went out of my way to install KDE (which isn't much better) or Xfce. Even then, installing 3D graphics drivers was always so risky. Most of the time I found they just wouldn't work.

    I still can't believe how quickly it all went to hell. Just compare a modern Linux desktop installation to macOS, or even Windows 10. The Linux installation will feel amateurish and fragile.

    Now, I have to admit that Linux has seen some success on mobile devices. But that's also a very interesting situation. Linux only became popular in the case of Android because they didn't use systemd, X, GNOME, GTK+, or much of the existing infrastructure of a typical Linux distro. It was all discarded and replaced with custom software. It's difficult to call Android "Linux", when the kernel is buried so deeply. There are probably app developers who have no idea that the Linux kernel is down there.

    If you had asked me in 2005 how I thought Linux would be doing a decade or more later, well, I wouldn't have imagined it to be anything like it is now. I never would have guessed that something as anti-UNIX and Windows-like as systemd would end up in Debian. I never would have guessed that GNOME 3 would be such a disaster. I never would have guessed that X wouldn't have progressed much. I never would have guessed that macOS and Windows were objectively better OSes.

    Linux is nothing but a disappointment these days. I wish that wasn't the case, but it unfortunately is how it is.

  6. Re: What the heck? by Zero__Kelvin · · Score: 4, Informative

    No. It isn't the default. You need to install wine. IOW if you are using Linux, and not adding support for Windows garbage, then you have nothing to worry about.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. Re:Linux is nothing but a disappointment these day by Anonymous Coward · · Score: 5, Insightful

    Linux of that era was robust and trustworthy.

    It wasn't, you just believed that it was.

    Grab a fresh install of that vintage, and the NSA and every script kiddie from here to eastern Europe will have three dozen working exploits for it.

    Linux at the time was a VERY unimportant target. It wasn't established in the server space yet, and it was all but zero percent of the desktop. It wasn't worth bothering with.

    Now that it is, if you use a Linux of that vintage it can be pwned with little more difficulty than Windows 95.

    Any OS requires constant security updates to stay in the game.

  8. This vulnerability is inexcusable. by Anonymous Coward · · Score: 5, Insightful

    This was a VBScript exploit affecting GNOME and Linux in 2017. Think that through. Let it sink in.

    Just because it may have been fixed doesn't make this incident acceptable.

    It never should have happened in the first place!

    Everything about this incident is wrong, and extremely shameful.

    It is an indication of just how rotten the Linux and GNOME development communities have gotten lately.

  9. Re:Linux is nothing but a disappointment these day by sombragris · · Score: 3, Insightful

    I'd suggest you use Slackware. Solid and stable like a rock; and also, fast. The price to pay is that you usually should have a modicum of technical competence; which you appear to possess, given the distro history you claim. Try it; if you really are disappointed by what you mention in your comment, chances are these are nonexistent or highly mitigated in Slackware (for example, there's no systemd; init is a simple, easy to understad BSD init with a SysV compatibility layer for those who would want it).

    --
    -- Look to the Rose that blows about us--"Lo, Laughing," she says, "into the World I blow..."
  10. Re:Here's a much better question: by 0123456 · · Score: 2

    A better question is, why do we need thumbnail preview at all? It's a huge attack surface that doesn't even require you to open a file to get infected. Not to mention a huge performance hog.

    Oh, yeah, because Windows has been doing it for years.