
Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net) 72

Slashdot reader KiloByte warned us about a new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.
This discussion has been archived. No new comments can be posted.

  • "Bad taste" (Score:1, Funny)

    by Anonymous Coward

    Well! That certainly explains systemd!

  • WTF? (Score:2, Interesting)

    by Anonymous Coward

    Who infected the festering heap that is Gnome to run VBscript?

  • Requires WINE? (Score:4, Interesting)

    by HalAtWork ( 926717 ) on Saturday July 22, 2017 @04:46PM (#54859229)

    How exactly does the VBScript execute on a default Linux distro? Can anything other than VBScript get injected?

    • by Nutria ( 679911 )

      Not just Wine, but also Winetricks.

      From http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html/ [dieweltistgarnichtso.net]:

      If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

      • Re:Requires WINE? (Score:5, Informative)

        by KiloByte ( 825081 ) on Saturday July 22, 2017 @05:22PM (#54859351)

        Nope, Wine itself is enough, at least on installations which I looked at.

        On the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.

    • It looks like it might execute on a default distro, but it depends which packages you have installed. A heavy distro such as Ubuntu might have these packages by default.

      The summary has a link to a good description of the bug from the bug's founder. It looks like the poorly written line is specifically intended to execute VBScript, so I doubt you could use another scripting language or executable binary. However, you could use VBScript to write arbitrary content to .bashrc, which you could cause to download

  • by nt2ldap ( 724372 ) on Saturday July 22, 2017 @05:01PM (#54859279) Homepage
    Looks like the Gnome Project has finally arrived: after years of bending and twisting to get Windows-like behavior out of the Linux desktop (you know, the "sad face" screen that appears when it crashes, oh wait... that would be MacOS!), they've finally done one better -- made Linux vulnerable to Windows malware. This time the trade off was decorations for security. Having already banned smb from our networks, we thought we were safe. Maybe it's time to look for a new DE. I think twm is still in the Fedora repo...
    • by Anonymous Coward

      I'd been a Linux user for a very long time. I'd started with Yggdrasil before moving to Debian. For most of the 1990s and even up until about 2008 or 2009, I felt proud to use Linux.

      During that period I used to watch friends, family and coworkers use Windows. They'd suffer from BSODs. They'd suffer from malware infections. But my Linux installations were the opposite. I never experienced crashes. I never experienced security problems. Linux of that era was robust and trustworthy.

      But those days are long gone

      • by Anonymous Coward on Saturday July 22, 2017 @05:33PM (#54859381)

        Linux of that era was robust and trustworthy.

        It wasn't, you just believed that it was.

        Grab a fresh install of that vintage, and the NSA and every script kiddie from here to eastern Europe will have three dozen working exploits for it.

        Linux at the time was a VERY unimportant target. It wasn't established in the server space yet, and it was all but zero percent of the desktop. It wasn't worth bothering with.

        Now that it is, if you use a Linux of that vintage it can be pwned with little more difficulty than Windows 95.

        Any OS requires constant security updates to stay in the game.

      • by sombragris ( 246383 ) on Saturday July 22, 2017 @07:23PM (#54859765) Homepage

        I'd suggest you use Slackware. Solid and stable like a rock; and also, fast. The price to pay is that you usually should have a modicum of technical competence; which you appear to possess, given the distro history you claim. Try it; if you really are disappointed by what you mention in your comment, chances are these are nonexistent or highly mitigated in Slackware (for example, there's no systemd; init is a simple, easy to understand BSD init with a SysV compatibility layer for those who would want it).

      • My experience with Linux has been the opposite going back to the 90's. Finding drivers and building kernels was a major fucking pain. I'd spend weekends trying to get a distro running, only to have a few showstoppers. Everything was command line shit. Everything required modification. You didn't just end up with a 30 minute install with all drivers installed with default install media. Video capture was a fucking nightmare. I remember Ubuntu at work couldn't be upgraded or backed up for having too many f
  • Admittedly it's been over a decade since I used a desktop version of Linux, but - is the ability to run VBScript part of the default Gnome installation nowadays? And, if so... what idiot (or group of idiots) decided that was a good idea?

    • Re: What the heck? (Score:5, Informative)

      by Zero__Kelvin ( 151819 ) on Saturday July 22, 2017 @05:30PM (#54859369) Homepage
      No. It isn't the default. You need to install wine. IOW if you are using Linux, and not adding support for Windows garbage, then you have nothing to worry about.
      • The other important point to note is that the vulnerability has already been patched. Not security by obscurity, not denial, not "we'll fix it on Patch April Fool's Day" --- it's done.

          • Another interesting thing to note is the morons latching on to this one already fixed issue and claiming it means Linux is dead and all the good developers are moving or have moved to Windows :^)
  • Here's why it works: (Score:5, Informative)

    by GerbilSoft ( 761537 ) on Saturday July 22, 2017 @05:10PM (#54859311)
    gnome-exe-thumbnailer is a shell script that uses Wine to do the actual thumbnailing. The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon.

    The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon

      ... why?

    • The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

      This looks to me like the script equivalent of an SQL injection attack. In an SQL injection, unverified text is copied into an SQL query, which allows an attacker to execute arbitrary SQL commands. In this 'bad taste' vulnerability, a filename (which can contain almost any possible character) is copied into a small VB script, allowing an attacker to execute arbitrary VB script code simply by giving a file a carefully crafted name.

      Aside from the injection vulnerability, this particular version of the attack

  • Why does a thumbnail extractor have the capability to run any sort of code?
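
An added illustration of the injection class described in the comments above (a file name copied into generated VBScript text), not code from the thread or from gnome-exe-thumbnailer. The function names and the `path = "..."` template are hypothetical and the sample file names are constructed; it contrasts naive interpolation with quoting that doubles embedded quotes and rejects line breaks, then checks that the generated text is still a single string literal.

```shell
#!/bin/sh
# Simplified model, NOT the gnome-exe-thumbnailer source. Hypothetical names.
NL='
'
CR=$(printf '\r')

# Vulnerable pattern: the file name is pasted into VBScript source as-is.
render_unsafe() {
    printf 'path = "%s"\n' "$1"
}

# VBScript string literals are single-line and escape a quote by doubling it.
# Refuse names with line breaks, then double every embedded quote.
vbs_quote() {
    case $1 in
        *"$NL"*|*"$CR"*) return 1 ;;
    esac
    printf '%s' "$1" | sed 's/"/""/g'
}

# Hardened pattern: only a quoted name ever reaches the template.
render_safe() {
    q=$(vbs_quote "$1") || return 1
    printf 'path = "%s"\n' "$q"
}

# Check: the generated text must be exactly one assignment of one literal.
is_one_literal() {
    case $1 in
        *"$NL"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eqx 'path = "([^"]|"")*"'
}

# Constructed sample names; the second contains a double quote.
for n in 'setup.msi' 'report".msi'; do
    if is_one_literal "$(render_unsafe "$n")"; then u=intact; else u=broken; fi
    printf '%-12s unsafe=%s safe=%s\n' "$n" "$u" "$(render_safe "$n")"
done
```

Passing the name to a fixed script as an argument, instead of generating source text at all, avoids the quoting problem altogether.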
