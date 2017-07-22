

Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net) 16

Posted by EditorDavid from the thanks-Microsoft dept.
Slashdot reader KiloByte warned us about a new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.


  • How exactly does the VBScript execute on a default Linux distro? Can anything other than VBScript get injected?

    • Re: (Score:2)

      by Nutria ( 679911 )

      Not just Wine, but also Winetricks.

      From http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html/ [dieweltistgarnichtso.net]:

      If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

      • Nope, Wine itself is enough, at least on installations which I looked at.

        On the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.

    • It looks like it might execute on a default distro, but it depends which packages you have installed. A heavy distro such as Ubuntu might have these packages by default.

      The summary has a link to a good description of the bug from the bug's founder. It looks like the poorly written line is specifically intended to execute VBScript, so I doubt you could use another scripting language or executable binary. However, you could use VBScript to write arbitrary content to .bashrc, which you could cause to download

  • Looks like the Gnome Project has finally arrived: after years of bending and twisting to get Windows-like behavior out of the Linux desktop (you know, the "sad face" screen that appears when it crashes, oh wait... that would be MacOS!), they've finally done one better -- made Linux vulnerable to Windows malware. This time the trade off was decorations for security. Having already banned smb from our networks, we thought we were safe. Maybe it's time to look for a new DE. I think twm is still in the Fedora r

    • I'd been a Linux user for a very long time. I'd started with Yggdrasil before moving to Debian. For most of the 1990s and even up until about 2008 or 2009, I felt proud to use Linux.

      During that period I used to watch friends, family and coworkers use Windows. They'd suffer from BSODs. They'd suffer from malware infections. But my Linux installations were the opposite. I never experienced crashes. I never experienced security problems. Linux of that era was robust and trustworthy.

      But those days are long gone

  • Admittedly it's been over a decade since I used a desktop version of Linux, but - is the ability to run VBScript part of the default Gnome installation nowadays? And, if so... what idiot (or group of idiots) decided that was a good idea?

  • Here's why it works: (Score:3)

    by GerbilSoft ( 761537 ) on Saturday July 22, 2017 @06:10PM (#54859311)
    gnome-exe-thumbnailer is a shell script that uses Wine to do the actual thumbnailing. The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon.

    The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.
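
Added example, not part of the thread and not gnome-exe-thumbnailer's own code: a shell sketch of the bug class the last comment describes, assuming (as the write-up linked in the thread describes) that the file name ends up inside the generated script's source text. The template line, function names and sample file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed stand-in template, not the thumbnailer's real script.
# Nothing here calls Wine or runs VBScript; the functions only build and
# inspect script text.

# Unsafe pattern: the file name is pasted into the script source.
build_script_unsafe() {
    printf 'Set db = installer.OpenDatabase("%s", 0)\n' "$1"
}

# Safer pattern: constant script text; the name arrives as a script argument
# (WScript.Arguments is the Windows Script Host argument collection).
build_script_safe() {
    printf 'Set db = installer.OpenDatabase(WScript.Arguments(0), 0)\n'
}

NL='
'
CR=$(printf '\r')

# True when the name contains a character that ends a VBScript string
# literal: a double quote, or a line break (literals cannot span lines).
breaks_out_of_literal() {
    case $1 in
        *'"'*|*"$NL"*|*"$CR"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of double quotes in a generated script line.
quote_count() {
    echo $(( $(printf '%s' "$1" | tr -cd '"' | wc -c) ))
}

# Constructed sample names: one ordinary, one containing a double quote.
for name in 'setup.msi' 'sample".msi'; do
    if breaks_out_of_literal "$name"; then verdict='escapes the literal'
    else verdict='stays inside the literal'; fi
    printf '%-12s %s; unsafe template has %s quote(s)\n' "$name" "$verdict" \
        "$(quote_count "$(build_script_unsafe "$name")")"
done
```

An odd quote count shows the literal was closed early, but an even count proves nothing; only the constant-script form keeps the file name as data whatever it contains.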
