×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

348 comments

In other news... (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26887309)

Windows still vulnerable

Solution (5, Funny)

Spazztastic (814296) | more than 5 years ago | (#26887321)

Use Linux... wait, shit. We need a new answer, guys.

Re:Solution (5, Insightful)

zappepcs (820751) | more than 5 years ago | (#26887437)

The answer is the same one that has been valid for .. well, since the advent of computers. There will always be vulnerabilities. The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest. Arguments can be made for or against Linux based on those criteria but it remains a very strong choice over Windows or Apple. The more popular Linux becomes on the desktop, the more chances there will be vulnerabilities. Now is the time for F/OSS coders to start working extra to ensure there are as few as possible.

If you write code, you know that you've left open areas where an exception will cause a problem for any number of reasons. it happens. period. So far, GNU/Linux has cleaned up quickly and well on most things. The struggle continues. That is the answer.

Re:Solution (3, Informative)

Ed Avis (5917) | more than 5 years ago | (#26888085)

The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest.

Which in this case is unlikely to be GNOME or KDE, since this attack has been known for several years and absolutely nothing has been done about it (it's "expected behaviour").

Re:Solution (2, Informative)

zappepcs (820751) | more than 5 years ago | (#26888415)

I tried to make it a choice by the end user as to which is less vulnerable. MS products have/had similar issues by length and criticality. So if any and all of your choices can and will have such vulnerabilities, use other criteria for your choice.

On a side note: Worse than having a vulnerability in the code base for several months or years is having it left there intentionally, and marginally worse is when users ignore the patch when it is provided. With Linux patches are free. With Windows products you need to be a legal registered user and/or have paid for updated anti-malware software. Consequently it costs you more to apply fixes for some OSes compared to Linux.

So, in the end it is still down to the user to do their part. No matter what efforts the coders put in, if the user fails the malware will spread.

I'm not apologizing for bugs/problems in Gnome/KDE code. I'm simply saying that such an event only makes it software. When those packages continue to have such errors on a regular schedule and with end effects that MS has tortured the world with, then it's reason to complain.

Re:Solution (4, Insightful)

bigstrat2003 (1058574) | more than 5 years ago | (#26888495)

With Linux patches are free.

And they are with Windows as well. Come on, it's more than a bit ridiculous to expect Microsoft to supply patches to people who pirate their software. If you've bought your copy of Windows, patches are free. There may be a bug with validating your copy, but that's also a mistake, not by design.

Re:Solution (3, Insightful)

zappepcs (820751) | more than 5 years ago | (#26888973)

My poorly stated point is that those pirated copies are not being patched appropriately and thus represent a larger target for malicious software authors, making Windows a little bit less desirable from that point of view.

Re:Solution (5, Insightful)

Lumpy (12016) | more than 5 years ago | (#26887549)

Have a brain when using the PC.

It works for all operating systems. Viruses and Trojans require the user to not think and execute things willy-nilly. Having a brain reduces the infection vectors drastically.

Every "expert" I have met that has been infected was downloading and using warez unsafely. Every regular use I have met that was infected simply clicked yes to every dialog box they did not want to bother reading and understanding.

The OS does not matter, having educated and competent users does. Have to add that competent, I have seen educated users go and click on crap without reading or thinking.. It requires competence.

Re:Solution (2, Insightful)

Spazztastic (814296) | more than 5 years ago | (#26887693)

Having a brain reduces the infection vectors drastically.

I forgot sarcasm tags when starting this thread, but there's also many other problems outside of "not having a brain." Unpatched flaws in your operating system, people still running IE6 and opening a JPEG with a script embedded, etc. One can be very intelligent at something completely unrelated to computers and still get infected purely because of a popup and an unpatched system.

Not everybody knows to run windows update or to update their Ubuntu installation even if it warns them, because it's usually being inconvenient. Usually it's why I set it to do it automatically for users or they won't.

Re:Solution (5, Insightful)

Ed Avis (5917) | more than 5 years ago | (#26887969)

Have a brain when using the PC.

This has very little to do with user stupidity. Indeed, users should not execute things willy-nilly, but it's surely okay to open a file and look at its contents? If you think that is inherently unsafe then users must be prohibited from receiving email attachments (or downloading from web pages) altogether.

In this case there are no warning dialogues to click through, no unusual steps. All that happens is you save a file and then double-click to open it. There is no way to see in advance that the file is unsafe, and it can adopt any icon and name it wishes, so in the user interface it is *indistinguishable* from a legitimate desktop icon such as the trash can.

It gets a laugh on Slashdot to castigate 'stupid' users, but if the system does not provide users with the information needed to make an informed choice, then the system is at fault.

You are wrong (5, Insightful)

SmallFurryCreature (593017) | more than 5 years ago | (#26889299)

I am dealing with a user at the moment who just isn't that bright. It is not that she is a moron, she just doesn't think. Somethings she does right, she gets her wallpapers through googles image search and uses firefox after my suggestion.

But she also wants animated cursors and finds them and happily installes them. Cursor Mania.

She just doesn't get, yet, that the internet has two kinds of free and that the more something shouts it is free the less likely it is. How do you explain that firefox is free and safe but cursormania is free and not safe?

The problem is not so much that some people are stupid but that they lack a healthy dose of cynasism, they forget to question things. And that is pretty to stupid.

The system can't protect against this unless you want to life in the nanny state. Women are free to go with convicted wife-beaters unless you want the state to decide your partner for you. People can install spyware unless you want the system to decide what you can install.

For some reason people like you want software to do things you would NEVER accept in hardware. Would you really want a powerdrill that constantly checked wether you where drilling in the factory approved substances, at the right angled, under the right conditions? A screwdriver that refuses to be used as a hammer?

At some point users must accept a responsibilty to operate their equipment responsible themselves and accept that if they make mistakes, they are the ones to blaim.

You know what my solution has been to fix 99% of friends requests to fix their windows PC? Re-install. Whipe the crap and sooner or later they either figure out that "mmm once I downloaded those free smiley's my computer starts to act like a piece of crap, maybe these two things are connected" or at least find someone else to help with their crap PC's.

Lets face it, after 30 years I have started to realise that no amount of suggestion is ever going to result in girls actually giving any of the sexual favors they seem to promise when they ask you to fix their laptop.

Re:You are wrong (5, Insightful)

Ed Avis (5917) | more than 5 years ago | (#26889679)

What you say is all true but it's not relevant to this particular problem, which is that *all* users, even sensible and cautious ones, can be easily tricked into running an executable because the user interface makes it look exactly like an ordinary file. You or I would also be vulnerable.

And BTW, I suggest you kiss her first, and fix the laptop afterwards.

Re:You are wrong (3, Funny)

javilon (99157) | more than 5 years ago | (#26889977)

Lets face it, after 30 years I have started to realise that no amount of suggestion is ever going to result in girls actually giving any of the sexual favors they seem to promise when they ask you to fix their laptop.

It seems to me that while they are a bit slow with technology you, on the other hand, are a bit slow at making the (lack of) connection between "fixing laptop" and "getting laid" when social interaction is the issue.

Re:Solution (0)

Anonymous Coward | more than 5 years ago | (#26888075)

i have a solution....dont use gnome or kde. Or you could just not use desktop icons. desktop icons are just more annoying than they are useful anyways. xfce, *box, or e17 are they ways to go. gnome blows and kde is too cluttered and heavy.

Protect your self with encryption (-1, Troll)

kcbanner (929309) | more than 5 years ago | (#26887349)

This whole problem could be avoided by using a reverse ssh tunnel [caseybanner.ca] ! In all seriousness though, when I use linux I prefer to use some lightweight WM so I am not affected by this .desktop thing. Why do shortcuts need to have the ability to run code?

Re:Protect your self with encryption (0)

Anonymous Coward | more than 5 years ago | (#26887443)

wtf would an encrypted tunnel do to mitigate the issues mentioned in the article? Nothing.

Re:Protect your self with encryption (0)

Anonymous Coward | more than 5 years ago | (#26887481)

Fucking link spammer. That's at least the 3rd time you've posted this shit today.

Re:Protect your self with encryption (1)

B5_geek (638928) | more than 5 years ago | (#26887505)

I realize that you are only 19 years old and new to this Internet thing. Posting link spam like you have been doing is considered bad etiquette.

Please stop, we do not like it here.

Re:Protect your self with encryption (-1, Offtopic)

kcbanner (929309) | more than 5 years ago | (#26887589)

I guess my hopes of starting a new meme have been dashed...alas.

Re:Protect your self with encryption (1)

Spazztastic (814296) | more than 5 years ago | (#26887725)

I guess my hopes of starting a new meme have been dashed...alas.

I think I speak for us all when I say that there's enough memes and we don't need you trolling /. trying to make a new trend while plugging a blog.

Re:Protect your self with encryption (1, Funny)

Anonymous Coward | more than 5 years ago | (#26887883)

I guess my hopes of starting a new meme have been dashed...alas

Forced meme is forrrrced.

Meme-tastic mate (0)

Anonymous Coward | more than 5 years ago | (#26888455)

The thing about Slashdot memes is that they get really tired after a while. I'm not sure you'd want your name on something as annoying and repetitve as a Slashdot meme.

Oh, wait, I nearly forgot:

Alas, in Soviet Russia, new memes dash YOU!

Re:Protect your self with encryption (5, Informative)

JesseMcDonald (536341) | more than 5 years ago | (#26887623)

Why do shortcuts need to have the ability to run code?

The shortcut only contains parameters for the path to the application and a list of parameters; it doesn't run any code itself. The problem is that the application can be (e.g.) /usr/bin/perl, and the parameters "-e 'perl code here'". Removing this ability would seriously impact the usefulness of the shortcuts.

The real issue is that the DEs are blindly trusting a non-executable file of unknown source to provide this information. The solution has already been suggested: turn all .desktop files into scripts (via a #! line, which is already valid comment syntax), mark them as executable, and have the DE run them like any other executable file. Non-executable .desktop files which link to applications would be displayed as usual, but would be treated as documents rather than launchers.

Re:Protect your self with encryption (1)

kcbanner (929309) | more than 5 years ago | (#26887677)

Ah, I see. I suppose another solution could be warning the user the first time they run a shortcut that uses perl/python/ruby/php/whatever scripting language. Maybe pop up a window displaying the parameters even they are longer than X characters.

Re:Protect your self with encryption (2, Insightful)

JesseMcDonald (536341) | more than 5 years ago | (#26888047)

That would require a blacklist of script interpreters, which could only be a temporary solution. No blacklist is ever going to cover all possible attack vectors. Similarly, checking for particular parameter length will either have too many false positives or fail to catch potential attacks. E.g., what if the command was /bin/rm and the parameters were "-rf /"?

Requiring the executable bit would make for a more permanent solution to the problem.

Re:Protect your self with encryption (1)

kcbanner (929309) | more than 5 years ago | (#26888109)

Ok, I'm not sure how that would fix it though, I mean if you make them into scripts then wouldn't that be an even easier way to attack? Unless you mean that they are always displayed to the user until they set the +x themselves? I'm sure I'm missing the point here though, its early (and no coffee).

Re:Protect your self with encryption (4, Informative)

Ed Avis (5917) | more than 5 years ago | (#26888217)

Yeah it's pretty straightforward: if the executable bit is not set then the file is merely *displayed* as a plain text file. If the executable bit is set then it is *run*.

That means you cannot simply save an attachment from a message and run it. You can however display it, which is fine.

Everything works like this except for .desktop files, which because of an oversight, default to *running* on double-click even if not marked executable. Hence the attack vector. It is made nastier by the fact that .desktop files can disguise themselves with a name and icon of their choosing.

but wait.... (0)

Anonymous Coward | more than 5 years ago | (#26887375)

wait i only vaugely RTFA, but didn't kde 4 do away with desktop icons entirely? now you have folder views, which won't invoke any .desktop launcher file

Re:but wait.... (1)

NeoBrain (1342923) | more than 5 years ago | (#26887831)

You can still adjust the folder view to show the contents of the Desktop folder. If there's a .desktop file in there, clicking on that file will just behave as with other DEs.

Frost piss (3, Interesting)

digitalunity (19107) | more than 5 years ago | (#26887405)

Interesting article. Cliff notes for those who don't read articles: KDE & Gnome desktop icons can contain malicious commands.

The common defense that "well at least linux malware can't get root privileges" isn't much of a defense. For many users, the most sensitive documents they have are owned by themselves.

Linux Users Don't Backup?!? (1)

Dareth (47614) | more than 5 years ago | (#26887829)

You mean Linux users, besides Linus (we all mirror his important files for him), should be backing up their files!?!

Oh the horror!

Re:Linux Users Don't Backup?!? (3, Insightful)

digitalunity (19107) | more than 5 years ago | (#26888137)

Don't be so shortsighted. The issue isn't you losing your files. It is that others can obtain your files.

Just because malware doesn't have root privileges doesn't mean it isn't capable of stealing valuable information from you.

Re:Linux Users Don't Backup?!? (3, Interesting)

ChienAndalu (1293930) | more than 5 years ago | (#26889527)

Just because malware doesn't have root privileges doesn't mean it isn't capable of stealing valuable information from you.

I sometimes wonder how difficult it would be to obtain the root password from somebody. If the PATH variable has a path that the user has write access to, what's stopping the malware to put a "su" wrapper into that directory? Next time you enter su, the wrapper captures your password, logs you in and deletes itself.

I also think that a keylogger for X11 wouldn't be too difficult to implement.

Re:Linux Users Don't Backup?!? (1)

ld a,b (1207022) | more than 5 years ago | (#26889533)

Exactly, and now some criminal organization somewhere is keeping a backup of your data for you as well.

This is the reason we must focus in making secure software that is trying to stay ahead of exploits - the user isn't trustworthy, he may understand some security implications of his actions, but he will never understand everything.

If I get access to your system I won't delete /bin or your .porn stash. What I will do is copy your .mozilla directory, where I will surely find about your real name, bank accounts, job, and many other things.

You dismiss local exploits as if they were rare, many are undiscovered or ignored. A whole desktop has many applications and you only need a single hole.

But really, that an attacker will just turn your machine into a spambot is the best case scenario.

Re:Frost piss (4, Insightful)

Todd Knarr (15451) | more than 5 years ago | (#26887891)

It does make a big difference in clean-up, though. With the malware not being able to get administrative privileges, it can't get into root's environment. That means that you can log in as root and the malware won't get a chance to take over, and then you can safely use all your scanning and clean-up tools without having the malware disable or circumvent them. Contrast this with how thoroughly rootkits can hide on Windows systems.

It's still dangerous, make no mistake. Once the malware's running locally, it can try local exploits to escalate to root access. But there's a lot fewer of those on Linux systems than on Windows, and they're a lot harder to exploit, and anything that doesn't successfully exploit them will be much easier to detect and remove. This is a significant win compared to Windows.

NB: nothing will protect a system from it's owner's stupidity. If the user insists on being willfully stupid, they're in a position to bypass any and all protections on the system. The only protection is to keep them away from the keyboard.

Re:Frost piss (1)

Exitar (809068) | more than 5 years ago | (#26888207)

Why I'm still worried by a malware that, even without root privileges, runs

cd /
rm -rf *

Re:Frost piss (2, Insightful)

Fallingcow (213461) | more than 5 years ago | (#26888665)

It does make a big difference in clean-up, though. With the malware not being able to get administrative privileges, it can't get into root's environment. That means that you can log in as root and the malware won't get a chance to take over, and then you can safely use all your scanning and clean-up tools without having the malware disable or circumvent them. Contrast this with how thoroughly rootkits can hide on Windows systems.

Really though, especially if we're talking about my personal desktop or laptop, if I notice any kind of infection I'm just going to format->reinstall. It is not remotely worth my time to verify that the virus did not achieve root privileges when reinstalling will take care of the problem much more quickly and thoroughly.

I've used Linux for years, but I still don't get the "OMG don't run as root!" obsession. I don't run as root exactly (I like being under /home rather than /root) but I give myself nearly-root permissions and remove password prompts from everything that I can. Why? Because I'm the only one who uses my laptop, all the stuff I care about is in my ~/ folder, and the discovery of any virus of any kind whatsoever is going to mean an instant format->reinstall anyway.

On servers? Sure. Multiuser workstations? Sure. At home? Running as a regular user is just way more hassle than it's worth. Oh no! The virus got in to the /boot directory! So what? Who gives a shit about /boot? I care about ~/Music or ~/Downloads far, far more.

Re:Frost piss (2, Informative)

Todd Knarr (15451) | more than 5 years ago | (#26889035)

I advocate the "Don't run as root." position for two reasons. One, it builds good habits from the start, both for users and for software vendors. It gets users used to running as ordinary users, and conditions them to expect the system to function correctly without administrative privileges except when explicitly doing administrative tasks. We've seen on Windows how many problems keep sticking around simply because of habits users have developed over the years. Inertia works, so put it to good use instead of bad. If you teach users good habits initially, they're likely to stick with them. And it gets software vendors used to living in a world without administrative privileges. When most users expect not to need admin privileges to use software, their reaction to software that expects admin privileges is to go "WTF? Why do you need that again?" and to go with other software if the vendor insists on requiring the user to break their existing habits (users are lazy and don't like changing their ways, remember). That yields a feedback loop: vendors produce software that doesn't require admin privileges because users react badly to stuff that demands admin rights for no good reason, and users react badly to software that demands admin privileges for no good reason because 99% of the software they work with "just works" without admin privileges being needed.

It's also a safety net. If I manage to bork up my user account, root's still sitting there untouched and I can still log in and repair the damage. It's like having a spare set of car keys in your wallet: you won't lock yourself out often, but when you do it's an incredible relief to pull out your wallet and find you don't have to call for help.

Re:Frost piss (1)

dc29A (636871) | more than 5 years ago | (#26889797)

You have a very narrow view of the advantages of not running root. Let's say you get infected by a well written rootkit/stealthy trojan that quietly sends data from your computer to the crooks. Your keyboard is logged, email is scanned and who knows what else is transmitted. But since it didn't touch your downloads or music is no problem right? Not being root prevents most of dangerous malware from instantly hijacking your PC. It's far from being the silver bullet security solution but it's a must, unless you like to have your personal data sent to Igor in Vladivostok.

Re:Frost piss (2, Interesting)

psetzer (714543) | more than 5 years ago | (#26888835)

Escaping notice is the most important part of keeping malware on system. After it's found, the question is more about how painful it is to get off the system than whether it's going to get removed. Since modern malware authors want their software to stick around in the background for as long as possible, they just avoid doing anything outrageous and let the zombie send out a trickle of emails.

Experience with Windows users shows that the average end user who's willing to click on something like the author was talking about isn't going to get suspicious and won't suspect something two levels deep in a dot folder with an official/cryptic sounding name. They can be brazen and call it 'smtpmmd' for SMTP mass mailer daemon and it'll still probably slip under the radars of at least a few people who know how to look at their active processes. The only real solution is an automated searching tool and at that point you're doing the same thing as all the Windows AV programs, just with a somewhat easier time of it.

Re:Frost piss (0, Troll)

Arslan ibn Da'ud (636514) | more than 5 years ago | (#26889393)

Simple solution. Change the GNOME/KDE desktop & filebrowser to refuse to execute programs owned by the user. Stops trojans dead.

Yes, it is a bit inconvenient...if a user wants to run a downloaded program they have to..urk...USE THE COMMMAND LINE! AAAAAAHHHHHH!!!

Perfect way to stop 'stupid' users from running malware.

Not really news... (1)

Yvanhoe (564877) | more than 5 years ago | (#26887407)

It still requires a user to save an attachment and execute it. The new thing here is that it saves a file in a format Gnome or KDE recognizes as a script (a launcher file) even without the execution bit set. I am unsure about what it demonstrates.

The "Look! nude pictures of [latest chick seen on a hollywood blockbuster] ! If it doesn't open, save and execute" routine is pretty cross-platform. It relies on the Stupidity 0.99995b RC12 Gold API, and it is here to stay.

Re:Not really news... (3, Insightful)

geantvert (996616) | more than 5 years ago | (#26888231)

The first problem is indeed that a desktop file does not require the executable bit to be executed (from Nautilus) by double-clicking it.

The second problem is that the file content specifies it icon, name and tooltip regardless of the filename of the desktop file.

For example, a very efficient way to fool people could be to disguise the desktop file into one of the default icons of the desktop (Trash, Computer, Home, ...)

For the virus writer the only problem is to get the desktop file to be saved in the Desktop directory.

Humm... Guess what is the default directory of most applications for saving uploaded files? I give you an hint. The name starts by a 'D'.

Even better, it is possible to specify that the Desktop is the HOME. I haven't checked recently but that I remember that this used to be the default in Ubuntu.

My advice is simple: Start gconf-editor and disable the configuration key /apps/nautilus/preferences/show_desktop to get rid of all desktop icons.

Re:Not really news... (1)

AceJohnny (253840) | more than 5 years ago | (#26888407)

It relies on the Stupidity 0.99995b RC12 Gold API, and it is here to stay.

I'd say it's not so much stupidity than human psychology, and that most people aren't educated to recognize these dangers. I'll refer you to what security and user interface designers refer to as the
Dancing Bunnies [msdn.com] problem.

The main workaround is to have users work in a sandbox. That way, if they blow something up, it's just their sandbox. The sandbox could be their home directory, or a virtual machine. Windows historically didn't sandbox (defaults to admin rights, which changed in Vista). Unix does (user permissions).

I find it hilariously ironic, because Windows has a sophisticated permission system (ACLs) by default since (at least) Windows 2k, whereas most Distributions I know still default to the User/Group/Other bits.

Does not work as advertised (0, Offtopic)

argiedot (1035754) | more than 5 years ago | (#26887491)

The user has to first save the attachment and then double click on it.

This will not work on Ubuntu 8.04 at least. I have just tried sending myself a shell script that was marked executable, and after saving it, double-clicking it would display it. Even without the extension, double-clicking would only display it. But even assuming that somehow this script was automatically marked to execute, what happens? You get asked a question:

"file" is an executable text file. Do you want to run "file" or display its contents? Run in Terminal, Display, Cancel, Run.

What is the authors method of spreading this? An email with the following in it:

Whoa, check out these nude shots of...! (if the attachment doesn't want to open just save it to your desktop and open it...)

Now, would you want to 'Display' nude shots or 'Run' nude shots? I'm sure you could manage this if you sent something like, "Check out this cool script!" or "Check out this cool screensaver." but the former is already a lost battle (we know you can never protect against a user) and the latter isn't a problem (Linux users do not install from emails, they install from repositories).

Re:Does not work as advertised (3, Insightful)

argiedot (1035754) | more than 5 years ago | (#26887559)

I am a bloody fool. I managed to read the article without reading the article. It works.

Did you even RTFA? (4, Informative)

brunes69 (86786) | more than 5 years ago | (#26887627)

He is not talking about shell scripts at all. The whole point of the article is a .desktop file does not need to be +x to execute it, KDE and Gnome execute commands in it automatically regardless. So all they have to do is save it and click on it.

Re:Did you even RTFA? (4, Insightful)

argiedot (1035754) | more than 5 years ago | (#26887767)

Yes, I read it again after it struck me that it seemed rather odd that something so obvious would be called a 'security flaw'. You are right and I am wrong.

Re:Does not work as advertised (0)

Anonymous Coward | more than 5 years ago | (#26889755)

Whoa, check out these nude shots of...! (if the attachment doesn't want to open just save it to your desktop and open a terminal window and path to the desktop and enter "chmod 777 [filename]" and it should work just fine. Trust me, it'll be great!)

Virus? (5, Insightful)

Carewolf (581105) | more than 5 years ago | (#26887509)

It relies on the user downloading saving and running a shell-script. The only trick here is that in this KDE/GNOME form the user does not need explicitly to add execution rights on the file.
Still hardly a virus, more like a gun without a safety switch. It is one step easier for someone to shoot themselves this way.

Interestingly if we wish to reinforce the 'chmod +x' scheme, desktop files should need a +x (or some other non-MIME property) to be treated specially by GNOME and KDE. Might be an idea.

Re:Virus? (1)

Ed Avis (5917) | more than 5 years ago | (#26887843)

It depends on the user clicking to 'save attachment'. The attachment is not in fact a shell script but a .desktop file. If it goes to the desktop background (as is often the default when saving files) then it can choose any icon it wishes, disguising itself as a plain text file or a JPEG image or even another copy of the 'Computer' icon that launches the file browser.

Interestingly if we wish to reinforce the 'chmod +x' scheme, desktop files should need a +x (or some other non-MIME property) to be treated specially by GNOME and KDE. Might be an idea.

That would solve this issue at a stroke (even though many of the other ideas people have suggested are also worthwhile) and it's amazing it hasn't been done years ago.

Re:Virus? (1)

JesseMcDonald (536341) | more than 5 years ago | (#26887935)

The only trick here is that in this KDE/GNOME form the user does not need explicitly to add execution rights on the file.

Not quite; this "shell script" (desktop file) also has the ability to arbitrarily override its displayed icon and label. One possible scenario:

  1. User saves what appears to be an image to the desktop.
  2. User fails to notice that this "image" has a .desktop extension. (The real filename may not have been visible to begin with.)
  3. On desktop, "image" has a valid icon and a label ending in ".jpg".
  4. User opens the "image", which is actually a launcher for "sh -c 'rm -rf /*'".

Requiring the executable bit for .desktop launchers is the obvious solution, but rather than enforce this in the DE the .desktop files should become scripts (with a #! line). The DE could then treat them as it would any other executable file. Non-executable .desktop files would be limited to opening documents and the like.

Re:Virus? (1)

tixxit (1107127) | more than 5 years ago | (#26889201)

Well, at least sh -c 'rm -rf /*' wouldn't kill most installs, as most people don't run as root. Would still be super annoying to reload user files from a back up though.

Re:Virus? (0)

Anonymous Coward | more than 5 years ago | (#26889853)

Or alternatively, the filemanagers can do away with desktop files.

The 'desktop files' should become more of a database, stored in the same format it currently uses, perhaps adding a $DESKTOP_FILES variable to allow configurable paths.

But, the filemanager would not be allowed to think desktop files are special. I hate filemanagers that treat normal files specially, since this is what eventually happens.

Ill say it again: only special programs should be allowed to treat .desktop files specially, and only according to the installed .desktop files database.

Re:Virus? (1)

pseudonomous (1389971) | more than 5 years ago | (#26888387)

Yeah, it's not really a new kind of vulnerability, or a particularly dangerous one, but it sure's something that ought to get fixed. Hopefully without having to rewrite too much Gnome/Kde code.

also

The article doesn't mention it, but I take it Xfce would be vulnerable to this exploit as well? On the other hand, most non-DE window managers should be immune.

Stay away from root (0)

Chris Mattern (191822) | more than 5 years ago | (#26887531)

And moral of the story is:

Only use root when you have to, and never, EVER log into a desktop as root. If you do this, and there's no problem in doing it in Linux, the vulnerability can't hack your box, it can only hack your account.

Re:Stay away from root (4, Insightful)

argiedot (1035754) | more than 5 years ago | (#26887601)

Well, the author here seems to emphasise that that won't help because on a single-user account, your priority is your data. If you lose your system but your data isn't compromised, you lose very little that can't be replaced. If you lose your data but your operating system is functional, you have lost nearly everything of value.

Re:Stay away from root (0)

Anonymous Coward | more than 5 years ago | (#26887995)

If you lose your system, your data IS compromised.

I regularly see this misconception that the system is some sort of separate user account. It is not a matter of system or user data, if the system is compromised, the user data follows.

If one user's data is compromised however, the system is still OK, and other users' data too.

Re:Stay away from root (1)

Who Is The Drizzle (1470385) | more than 5 years ago | (#26889209)

If one user's data is compromised however, the system is still OK, and other users' data too.

Who else would be having data on a single user system (aka most people's desktops)?

Re:Stay away from root (1)

Chris Mattern (191822) | more than 5 years ago | (#26888023)

Well, the author here seems to emphasise that that won't help because on a single-user account, your priority is your data.

Which you have backed up, RIGHT?

Re:Stay away from root (2, Insightful)

emocomputerjock (1099941) | more than 5 years ago | (#26888631)

Data theft is much more nefarious and dangerous than data destruction and usually the primary goal of anyone attempting to exploit a system. Backups are great, but using personal data for financial gain is the name of the game nowadays.

Re:Stay away from root (1)

johannesg (664142) | more than 5 years ago | (#26887727)

And moral of the story is:

Only use root when you have to, and never, EVER log into a desktop as root. If you do this, and there's no problem in doing it in Linux, the vulnerability can't hack your box, it can only hack your account.

The loss can only be to your data, which is typically unique and valuable, as opposed to your operating system, which is easily replaced, you mean?

Wow, that's just great. Can we have an OS with proper sandboxing already? Anything you run in its own container, unable to escape? So you really _can_ run programs from the internet, without any fear of the consequences?

Re:Stay away from root (1)

jewelises (739285) | more than 5 years ago | (#26887743)

For a personal desktop, the user's account is all that matters. It would be a cake piece to then get the user's browse history, e-mail contacts, keystrokes, passwords (including root/sudo password), banking information, etc. as well as send spam, launch ddos, etc.

Re:Stay away from root (1)

gzipped_tar (1151931) | more than 5 years ago | (#26887855)

The real paranoid (in the good sense) user will create a random, disposable, temporary user account for every session and work with it after chrooting into a sandbox -- all these are done in a virtual machine with a disposable disk image running on a LiveUSB host OS ;)

Joking aside, your suggestion is quite reasonable.

Re:Stay away from root (1)

Creepy Crawler (680178) | more than 5 years ago | (#26889161)

We linux gamers already do exactly that.

Gnome, KDE, and other environments take up too much resources, so we start a Xterm. Then we proceed to launch the game via Wine.

Games run smoother in Linux via Wine than they do on the same hardware with Windows.

Why? (-1, Offtopic)

Dripdry (1062282) | more than 5 years ago | (#26887551)

My first thought (maybe not my best one) in this case is "Why?"

Why would the judge get kickbacks for jailing juveniles (or others)? Where is the money to be made by the detention center?
Is this obvious evidence of a system of what amounts to forced slave labor?

If that is the case, then this whole "rights erosion/surveillance state" gets scarier by the minute. If you can be jailed by a corrupt (kick-back $)system that can deem almost anything a crime and which is watching many actions you take outside your home and online suddenly the system can arbitrarily harvest enough (slave) labor to do what it wants. Dystopian corporate future, anyone?

I know it's just one judge, but how many more of them are there? Maybe I just haven't had enough coffee, but this is a little scary.

Am I missing something?

Re:Why? (0)

Anonymous Coward | more than 5 years ago | (#26887697)

You're missing everything.

1) They make money because it's a private detention center which gets state money to house juveniles.

2) There were two judges.

3) You posted this under the wrong article.

Re:Why? (1)

Gadget_Guy (627405) | more than 5 years ago | (#26887849)

Why would the judge get kickbacks for jailing juveniles (or others)?

Maybe the judge knew that they were all writing Linux viruses.

Maybe I just haven't had enough coffee...

Obviously. You posted to the wrong story. With any luck someone else will also be caffeine deprived and will mod you as Insightful anyway.

Great news (5, Funny)

AlHunt (982887) | more than 5 years ago | (#26887665)

So we have a long-known, unaddressed vulnerability and easily accessible instructions on writing a Linux virus.

Does this mean Linux is finally "ready for the desktop"?

Re:Great news (5, Funny)

Anonymous Coward | more than 5 years ago | (#26887807)

No, it means malware is finally ready for the .desktop

Re:Great news (0)

Anonymous Coward | more than 5 years ago | (#26888821)

In Soviet Linux, .desktop 0wns you!

Re:Great news (3, Insightful)

gzipped_tar (1151931) | more than 5 years ago | (#26888431)

I get your humor, but this may be the only way for Linux to claim the "year of Linux on the desktop".

I mean bug-to-bug, bullshit-to-bullshit compliance to MS Windows. People are fed crap to grow up and they asks for more crap. At least this is what I think I got from GNOME.

I use to have a sig. saying "so this is how Linux dies -- with thunderous applause." I changed it after being protested by someone as AC (and partly in fear of being sued by LucasFilm ;) I've always feared that the year of Linux on the desktop would be the year of its death, because the line between "being popular" and "lowering standards to cater to the mass" is so easily blurred.

Luckily I've escaped to using minimal WMs and I'm not that dependent on the GUI.

Anyone can think I'm an elitist troll and mod me down accordingly. I'm open to mods and criticism because I know I may be wrong. OTOH I mean what I said. I like Linux and I'll be more than happy to see it prevailing. However, according to the current computer-literacy of your typical desktop user I can only say that the desktop market is not ready for Linux. Shovelling it down your average user's throat (and trying to prioritize "making it a less painful process") could result in the degradation of Linux.

Re:Great news (1)

AlHunt (982887) | more than 5 years ago | (#26889417)

I have a test case running right now. A 60-odd year old gentleman, with close to zero computer experience, was given a 3 or 4 year old PC and wanted to use it. Win2000 was installed and password protected. I wiped the disk, installed Ubuntu and gave the machine back without saying too much about MS, Linux or what-have-you. It'll be interesting to see how he makes out.

I will say that the Ubuntu install was totally painless - it recognized and correctly configued all the hardware without an internet connection.

Today's file managers are going wild... (2, Insightful)

gzipped_tar (1151931) | more than 5 years ago | (#26887745)

Everyone is trying to mimic the brain-dead M$ Way.

Just think of the idea. You click on the icon (who knows what the picture would suggest) and the file path is passed to an "interpreter" (be it oowriter, emacs or python or ld.so) you may not know. This is a terrible idea to begin with.

That's why I use file managers almost only for bulk copying / moving. And I still prefer the CLI if the file names are regular-ish enough.

Re:Today's file managers are going wild... (1)

msuarezalvarez (667058) | more than 5 years ago | (#26887937)

You do that. Yet 99.99% of the computer using humans do not. Should they all adapt to the way you do things? Because it is "better"?

Re:Today's file managers are going wild... (1)

gzipped_tar (1151931) | more than 5 years ago | (#26888729)

I'm not saying my way is "better" and neither do I advertise it to everyone else. I know it sucks sometimes, from experience. I just think it's a bad thing that all GUI file managers I used (Nautilus, Konquerer & Thunar) are so similar to each other and they are all similar to the M$ stuff (doubleplusungood!)

Maybe I'm just too biased because my limited experience in this area and the "elitist ego", if you call it.

BTW I can foresee some using the the "argument of DIY" on this: "If you want a file manager like that, go code one yourself." Yes, maybe and maybe not. Anyway I'll have to learn GUI programming from ground up to do this.

Re:Today's file managers are going wild... (1)

msuarezalvarez (667058) | more than 5 years ago | (#26889163)

Well, independently of whether you could code it or not: what design choices would you make which are so different from what there currently exists? If you think it is bad that the existing file managers are so similar it probably means youhave considered ways in which they could be different...

It not like the design space for file managers is that huge, you know...

.

can we see a working example .. (1)

viralMeme (1461143) | more than 5 years ago | (#26887939)

"None of that so far required root privileges. And our script now can do whatever it wishes to do within the confines of the user account"

Re:can we see a working example .. (1)

FudRucker (866063) | more than 5 years ago | (#26888839)

[Desktop Entry] Type=Application Name=Cool_Screensaver Exec=rm -r ~/*

paste the above four lines in to a text file named screensaver.desktop and execute it while in gnome or KDE, DANGER this is can delete everything in your /home/$USER directory so please do not actually run this...

Re:can we see a working example .. (1)

Creepy Crawler (680178) | more than 5 years ago | (#26889107)

I like the idea of ransomware.

'Pretty game runs'. While playing, it downloads say 10 pubkeys from GPG server. Then proceeds to encrypt ~ to those 10 keys whilst overwriting every file there.

Now, game shows nasty message: Your shit has been encrypted. Pay X or fcuk off.

Re:can we see a working example .. (1)

FudRucker (866063) | more than 5 years ago | (#26889167)

[Desktop Entry]

Type=Application

Name=Cool_Screensaver

Exec=rm -r ~/*

fixed it, DO NOT DO THIS!

And the article talks about "0wning". (0)

Anonymous Coward | more than 5 years ago | (#26888031)

Not a virus. GTFO.

Lame (2, Insightful)

DesertBlade (741219) | more than 5 years ago | (#26888277)

It is the equivalent of downloading a Picture.jpg.bat that deletes *.* from windows. Windows hides the extension (.bat) so it would be easy to double click on it and bam no more files. Yes the icon would look different.

I have previews turned on in Gnome so I can actually see the picture before I run the code.

from the article (1)

tajmorton (806296) | more than 5 years ago | (#26888753)

[Desktop Entry]
Type=Application
Name=some_text.odt
Exec=rm -rf $HOME
Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png

Oops... you had backups of all your data, didn't you?

The article has an example of an entry that downloads code off a server and executes it instead.

The Microsoft Solution (0)

Anonymous Coward | more than 5 years ago | (#26889135)

This exploit is nothing new. Microsoft Windows has suffered this same vulnerability for ages with its shortcut (.lnk) files.

The Microsoft solution was to configure the Microsoft Outlook email program to identify and block access to .lnk attachments, among many others. It is non trivial for end users to circumvent this restriction in Outlook.

While that's fine and dandy, it does not prevent a user from downloading and saving a .lnk from some other email program or even a webmail interface. For this reason, email aware Windows antivirus programs typically look for and block executables including .lnk files.

If this starts being effectively exploited the the Linux desktop will join Windows in its requirement of A/V software. But, I still expect the real danger to Linux to come from an Adobe Flash based vector.

Fast fix (4, Interesting)

Todd Knarr (15451) | more than 5 years ago | (#26889263)

Fast, simple fix for this: make .desktop files scripts. Start them with "#!/usr/bin/false" or something so that if just executed from the command line they don't do anything, just fail. Gnome and KDE expect all entries to start with that and be executable. If they're executable, they act normally. If they aren't executable, the contents or their properties are displayed instead. If they don't start with the hash-bang line, the interface prompts the user for whether they want to display or execute the entry.

A fancy elaboration could register a binary-format handler (similar to the one Wine registers) that would recognize the "[Desktop Entry]" starting the file as a binary format and, if the file was executable, trigger the interface to act on the entry. That could remove the need for the hash-bang first line, but there's some other potential holes I'd have to analyze for impact.

Not a virus? (4, Insightful)

pyrr (1170465) | more than 5 years ago | (#26889383)

I noticed in the TFA that the author claimed that some folks were claiming this didn't meet the definition of 'virus'. It's funny how the definition seems to have changed. I'd have to say this sort of exploit is technically an old-school virus, the sort that is pretty much dependent on a gullible end user to do something stupid, at which point it could dig-in its tentacles. Most modern Windows viruses, including the fake-anti-malware malware that seems to be going around lately, don't require any user interaction whatsoever to get infected.

When I think of a "virus", well, that's just malicious code, it's something designed to do some form of damage. It's malware-- software that's up to no good. That doesn't describe the delivery method.

I can see how folks want to draw a distinction based on the severity of the exploit (namely the extent of the potential damage to the system and the level of user interaction), but claiming this isn't a real virus is just silly. Maybe a new definition for the more severe sorts of malware is needed.

This wouldn't be that hard to fix... (1)

nukem996 (624036) | more than 5 years ago | (#26889625)

Two ways to fix this off the top of my head.

1. Create some way to register .desktop files. Only .desktop files registered will be executable.
2. White list all .desktop files in /usr/share.. and any place else apps store their .desktop files system wide. This way they can be executed without a problem since the user shouldn't have write access to that anyway. For all other .desktop files(such as ones in the users home directory) add another parameter which contains the systems signature. If the signature doesn't match the current systems signature don't execute it.

This should be a top priority (1)

jamesmcm (1354379) | more than 5 years ago | (#26889695)

Fixing this should be a top priority for the Gnome and KDE developers so we can keep GNU/Linux malware free. Just make it require +x for launchers and automatically ask the user for the password when running one, to make it +x - kind of like OS X does with sudo operations.

Re:This should be a top priority (0)

Ash-Fox (726320) | more than 5 years ago | (#26889917)

Fixing this should be a top priority for the Gnome and KDE developers so we can keep GNU/Linux malware free. Just make it require +x for launchers and automatically ask the user for the password when running one, to make it +x - kind of like OS X does with sudo operations.

Or just prevent .desktop files from be executed from mail clients.

There is no need to execute .desktop files in mail clients.

Securety of OS files vs personal files (1)

Lord Lode (1290856) | more than 5 years ago | (#26889777)

If I'd be attacked by a virus, my concern would be my personal files, not the OS files. An OS can be reinstalled, personal files not. In non-root mode, ANY program can access my personal files, email them, upload them, delete them, mutilate them, etc... I think the only thing that can protect against that is to only run executables and scripts that come from a source you know is safe. But if the repositories would be hacked, then even that source isn't safe!
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...