Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities

Slashdot reader KiloByte warned us about new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.

"Bad taste"

[Anonymous Coward]

Well! That certainly explains systemd!

WTF?

[Anonymous Coward]

Who infected the festering heap that is Gnome to run VBscript?

Re:WTF?

[arglebargle_xiv]

Oh for fsck's sake, we're now virus-compatible with Windows?

Requires WINE?

[HalAtWork]

How exactly does the VBScript execute on a default Linux distro? Can anything other than VBScript get injected?

Re:

[Nutria]

Not just Wine, but also Winetricks.

From http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html/ [dieweltistgarnichtso.net]:

If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

Re:Requires WINE?

[KiloByte]

Nope, Wine itself is enough, at least on installations which I looked at.

In the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.

Yes/No/Maybe

[iYk6]

It looks like it might execute on a default distro, but it depends which packages you have installed. A heavy distro such as Ubuntu might have these packages by default.

The summary has a link to a good description of the bug from the bug's founder. It looks like the poorly written line is specifically intended to execute VBScript, so I doubt you could use another scripting language or executable binary. However, you could use VBScript to write arbitrary content to .bashrc, which you could cause to download

Re:

[alvarogmj]

It's a shame you posted this as an AC, because most people won't see it by default.

I fully agree with the 5 points you mentioned, and I write this as somebody who has written his share of hundred-lines-long shell scripts. Point 5 is the first thing I thought when I read the description of the problem: "why the hell are you trying to parse an MSI just to show an icon, while in Linux? what is the benefit of doing it?".

Another idea is: did this code pass a code review? I know this is open source and people wor

Mission Accomplished!

[nt2ldap]

Looks like the Gnome Project has finally arrived: after years of bending and twisting to get Windows-like behavior out of the Linux desktop (you know, the "sad face" screen that appears when it crashes, oh wait... that would be MacOS!), they've finally done one better -- made Linux vulnerable to Windows malware. This time the trade off was decorations for security. Having already banned smb from our networks, we thought we were safe. Maybe it's time to look for a new DE. I think twm is still in the Fedora repo...

Linux is nothing but a disappointment these days.

[Anonymous Coward]

I'd been a Linux user for a very long time. I'd started with Yggdrasil before moving to Debian. For most of the 1990s and even up until about 2008 or 2009, I felt proud to use Linux.

During that period I used to watch friends, family and coworkers use Windows. They'd suffer from BSODs. They'd suffer from malware infections. But my Linux installations were the opposite. I never experienced crashes. I never experienced security problems. Linux of that era was robust and trustworthy.

But those days are long gone

Re:

[Anonymous Coward]

Your comment is a good example of why open source software in general is in such a sad state these days. When long time users point out very real and very unacceptable problems involving open source software, they're immediately mislabeled as "trolls", or they're attacked in some other way.

We've seen this within the Firefox community. We've seen this within the GNOME 3 community. We've seen this within the systemd community. We've seen this with the Debian community.

It shouldn't surprise us that things have

This vulnerability is inexcusable.

[Anonymous Coward]

This was a VBScript exploit affecting GNOME and Linux in 2017. Think that through. Let it sink in.

Just because it may have been fixed doesn't make this incident acceptable.

It never should have happened in the first place!

Everything about this incident is wrong, and extremely shameful.

It is an indication of just how rotten the Linux and GNOME development communities have gotten lately.

Re:

[thegarbz]

When long time users point out very real and very unacceptable problems involving open source software, they're immediately mislabeled as "trolls", or they're attacked in some other way.

No. You're not a troll and long time users aren't trolls either. What you are is a classic textbook case of someone resistant to any form of change to the point where change is bad so you can't see why a change occurred and thus obscure the good that has occurred because of it. Not only that with this typical example you end up with an increasingly rose coloured view of the past.

Go ahead. Fire up that Linux distro from the 90s. IF you can get your network card going on that ancient kernel, IF you can get yo

Re:Linux is nothing but a disappointment these day

[Anonymous Coward]

Linux of that era was robust and trustworthy.

It wasn't, you just believed that it was.

Grab a fresh install of that vintage, and the NSA and every script kiddie from here to eastern Europe will have three dozen working exploits for it.

Linux at the time was a VERY unimportant target. It wasn't established in the server space yet, and it was all but zero percent of the desktop. It wasn't worth bothering with.

Now that it is, if you use a Linux of that vintage it can be pwned with little more difficulty than Windows 95.

Any OS requires constant security updates to stay in the game.

Re:Linux is nothing but a disappointment these day

[sombragris]

I'd suggest you use Slackware. Solid and stable like a rock; and also, fast. The price to pay is that you usually should have a modicum of technical competence; which you appear to possess, given the distro history you claim. Try it; if you really are disappointed by what you mention in your comment, chances are these are nonexistent or highly mitigated in Slackware (for example, there's no systemd; init is a simple, easy to understad BSD init with a SysV compatibility layer for those who would want it).

Re: Linux is nothing but a disappointment these da

[Brockmire]

My experience with Linux has been the opposite going back to the 90's. Finding drivers and building kernels was a major fucking pain. I'd spend weekends trying to get a distro running, only to have a few showstoppers. Everything was command line shit. Everything required modification. You didn't just end up with a 30 minute install with all drivers installed with default install media. Video capture was a fucking nightmare. I remember Ubuntu at work couldn't be upgraded or backed up for having too many f

What the heck?

[93 Escort Wagon]

Admittedly it's been over a decade since I used a desktop version of Linux, but - is the ability to run VBScript part of the default Gnome installation nowadays? And, if so... what idiot (or group of idiots) decided that was a good idea?

Re: What the heck?

[Zero__Kelvin]

No. It isn't the default. You need to install wine. IOW if you are using Linux, and not adding support for Windows garbage, then you have nothing to worry about.

Re:

[chipschap]

The other important point to note is that the vulnerability has already been patched. Not security by obscurity, not denial, not "we'll fix it on Patch April Fool's Day" --- it's done.

Re:

[Zero__Kelvin]

Another interesting thing to note is the morons latching on to this one already fixed issue and claiming it means Linux is dead and all the good developed are moving or have moved to Windows :^)

Here's why it works:

[GerbilSoft]

gnome-exe-thumbnailer is a shell script that uses Wine to do the actual thumbnailing. The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon.

The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

Re:

[Anonymous Coward]

The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon

... why?

Re:

[0123456]

A better question is, why do we need thumbnail preview at all? It's a huge attack surface that doesn't even require you to open a file to get infected. Not to mention a huge performance hog.

Oh, yeah, because Windows has been doing it for years.

Re:

[tlhIngan]

A better question is, why do we need thumbnail preview at all? It's a huge attack surface that doesn't even require you to open a file to get infected. Not to mention a huge performance hog.

Oh, yeah, because Windows has been doing it for years.

Well, thumbnail previews are helpful for the common case of a collection of photos in a directory. Perhaps you're totally organized and categorize the heck out of every digital photo you take, but most people are not, and it's nice to open a folder of photos and quick

Re:

[GerbilSoft]

Looking through gnome-exe-thumbnail, it overlays the program's version number on top of the icon. Windows doesn't do this, but Windows Explorer will show the program version in the properties panel on the bottom of the window and in the file properties page.

Re:

[HyperQuantum]

The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

This looks to me like the script equivalent of an SQL injection attack. In an SQL injection, unverified text is copied into an SQL query, which allows an attacker to execute arbitrary SQL commands. In this 'bad taste' vulnerability, a filename (which can contain almost any possible character) is copied into a small VB script, allowing an attacker to execute arbitrary VB script code simply by giving a file a carefully crafted name.

Aside from the injection vulnerability, this particular version of the attack

One question

[viperidaenz]

Why does a thumbnail extractor have the capability to run any sort of code?