Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net)
Slashdot reader KiloByte warned us about a new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.
Requires WINE? (Score:2)
How exactly does the VBScript execute on a default Linux distro? Can anything other than VBScript get injected?
Re: (Score:2)
Not just Wine, but also Winetricks.
From http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html/ [dieweltistgarnichtso.net]:
If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
Re: (Score:2)
Nope, Wine itself is enough, at least on installations which I looked at.
On the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.
Yes/No/Maybe (Score:2)
It looks like it might execute on a default distro, but it depends which packages you have installed. A heavy distro such as Ubuntu might have these packages by default.
The summary has a link to a good description of the bug from the bug's founder. It looks like the poorly written line is specifically intended to execute VBScript, so I doubt you could use another scripting language or executable binary. However, you could use VBScript to write arbitrary content to .bashrc, which you could cause to download
Mission Accomplished! (Score:1)
Linux is nothing but a disappointment these days. (Score:1)
I'd been a Linux user for a very long time. I'd started with Yggdrasil before moving to Debian. For most of the 1990s and even up until about 2008 or 2009, I felt proud to use Linux.
During that period I used to watch friends, family and coworkers use Windows. They'd suffer from BSODs. They'd suffer from malware infections. But my Linux installations were the opposite. I never experienced crashes. I never experienced security problems. Linux of that era was robust and trustworthy.
But those days are long gone
Re: Linux is nothing but a disappointment these da (Score:2)
What the heck? (Score:2)
Admittedly it's been over a decade since I used a desktop version of Linux, but - is the ability to run VBScript part of the default Gnome installation nowadays? And, if so... what idiot (or group of idiots) decided that was a good idea?
Re: What the heck? (Score:2)
Here's why it works: (Score:3)
The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.
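Several comments above ask whether a given install is exposed at all. The following is an added example, not code from the article, the advisory or any commenter: it lists which registered thumbnailers handle MSI/EXE files and whether Wine is on the PATH. It assumes thumbnailers are registered as `.thumbnailer` key files under `/usr/share/thumbnailers` and that the listed MIME types cover MSI/EXE files; the sample entries are constructed.

```python
import configparser
import shutil
from pathlib import Path

# Assumption: MIME types commonly assigned to MSI/EXE files; extend for your system.
WINDOWS_MIME = {"application/x-msi", "application/x-ms-dos-executable",
                "application/x-dosexec", "application/x-msdownload"}

def parse_thumbnailer(text):
    """Return (exec_cmd, mime_types) from the text of a .thumbnailer key file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # key names are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error:
        return "", set()  # malformed file: nothing usable to report
    if not cp.has_section("Thumbnailer Entry"):
        return "", set()
    entry = cp["Thumbnailer Entry"]
    mimes = {m.strip() for m in entry.get("MimeType", "").split(";") if m.strip()}
    return entry.get("Exec", ""), mimes

def audit(entries, wine_present):
    """entries maps file name -> file text. Report thumbnailers bound to MSI/EXE types."""
    findings = []
    for name, text in sorted(entries.items()):
        exec_cmd, mimes = parse_thumbnailer(text)
        hit = sorted(mimes & WINDOWS_MIME)
        if hit:
            findings.append({"file": name, "exec": exec_cmd,
                             "mime": hit, "wine_present": wine_present})
    return findings

def audit_system(directory="/usr/share/thumbnailers"):
    """Run the audit against the thumbnailers registered on this machine."""
    d = Path(directory)
    files = d.glob("*.thumbnailer") if d.is_dir() else []
    entries = {p.name: p.read_text(errors="replace") for p in files}
    return audit(entries, shutil.which("wine") is not None)

# Constructed sample entries (not copied from any real package).
SAMPLE = {
    "exe.thumbnailer": "[Thumbnailer Entry]\nExec=/usr/bin/gnome-exe-thumbnailer %i %o %u\n"
                       "MimeType=application/x-msi;application/x-ms-dos-executable;\n",
    "img.thumbnailer": "[Thumbnailer Entry]\nExec=/usr/bin/example-thumbnailer %i %o\n"
                       "MimeType=image/png;image/jpeg;\n",
}

if __name__ == "__main__":
    for finding in audit_system():
        print(finding)
```

A finding with `wine_present` set to true marks a machine where the update mentioned in the summary should be applied first.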