Comments on Security: [0day] [PoC] Risky design decisions in Google Chrome and Fedora desktop enable drive-by downloads
Blog author: Chris Evans (http://www.blogger.com/profile/01004765479735675808)
Comment feed last updated 2024-03-18 04:40 (-07:00); 13 comments, newest first.

Comment by Carlos Garnacho, 2016-11-23 05:56 (-08:00):

Hello, Tracker maintainer here.

While it may be a valid point of debate whether indexing the Downloads folder by default or not, I think this post has *lots* of handwaving:
- First, you soon point to the problem being in a "Fedora choice"; it's not. To trigger this specific bug you needed to install and run software from two different third party repositories (rpmfusion and google). Sorry, your warranty is void.
- Second, remember it's a *default*; users can configure this (or disable file indexing entirely) in the control center. If you think it's far-fetched, it's just as much as it is installing software from third party repos.
- Third, this is not a 0day, there is no exploit. Furthermore, the GStreamer guys were extremely fast in fixing it. You could claim that other libraries used for metadata extraction are just as insecure, but that'd really be bugs in these libraries to fix. If a library is vulnerable then the exploit is latent anyway, be it Tracker, a thumbnailer, a previewer or a video player that stumbles on it. And anyway, until there's a real exploit that may trigger this way on a default Fedora install, I'll hear you crying wolf.

Going further, we could deem every file a potential exploit, and every running application a potential information leech. There's this flatpak sandboxing infrastructure which the GNOME desktop (and Tracker specifically) is committing to; if you had bothered contacting the affected upstreams you might know a proper solution is in the works.

Also, nice work agitating the zealots...

Comment by Jarth, 2016-11-23 01:02 (-08:00):

(in)Security culture and corporate culture are taking hold of Linux and open source, that's why.
They've already destroyed the open culture in the late nineties; are they at it again?

Why else would systemd get pushed and accepted while it breaks so much of the Linux/Unix philosophy? Exploitation vectors such as these are proof the open source model is only vaguely implemented when it comes to operational security.

On the other hand, what would the world look like if an impenetrable desktop would emerge? Would anyone want that?

Comment by Unknown (https://www.blogger.com/profile/09422865531232183193), 2016-11-22 07:16 (-08:00):

Bugs like this are the primary reason why Tracker extracts metadata from files in a separate tracker-extract process. That process runs entirely in the background, and chances are very high that a crash won't affect a user-facing application. For example, Chrome didn't crash as a result of the tracker-extract crash.

For a user-facing application to crash, it has to run gstreamer's vmncdec in-process. That is why totem crashes if you try to run this file.

Forget Tracker. The way things stand today, someone can potentially exploit Firefox (and lots of other software) to steal your private keys, or spy on you using the laptop's camera. I believe the long term answer involves:

(a) Sandboxed Flatpak (http://flatpak.org/) applications, so that any random application on the computer cannot perform any potentially suspicious activity behind the user's back.

(b) Portals that act as gatekeepers to such resources (like network, camera, files). I can imagine an 'import from web browser' portal that will explicitly let you select a file from the web that you want to expose to the rest of the desktop.

Comment by Anonymous, 2016-11-18 05:21 (-08:00):

Hey there, so Windows 10 out of the box is more secure as you mentioned:
"Although it’s hard to say it, this is not the kind of situation that occurs with a latest Windows 10 default install. Is it possible that Linux desktop security has rotted?"

But why did you compare it to not-out-of-the-box Fedora? Fedora does not include the Chrome browser or Chrome repo by default, so you actually downloaded 3rd party software that is not officially supported by Fedora and you thought that Linux has easy-to-find vulnerabilities:
"This was too easy. It should not be possible to find a serious memory corruption vulnerability in the default Linux desktop attack surface with just a few minutes of looking."

This is not so much a problem in Fedora or Linux; it is a problem in Chrome.

Comment by Anonymous, 2016-11-18 03:10 (-08:00):

Yes, Windows 10 is by far the best OS of this galaxy. The only reason people use Linux is to find some bugs, because they can be found and fixed; do that with the best OS of the galaxy!

Comment by Anonymous, 2016-11-17 16:36 (-08:00):

Look at this, it's a real hack and not a crash:
http://www.theregister.co.uk/2016/11/10/hackers_remotely_pwn_win_10_microsoft_edge_gain_system_code_exec/

Comment by Anonymous, 2016-11-17 12:54 (-08:00):

I don't think releasing this 0day is bad style.
I don't expect any vendor to fix the real bug: indexing unknown files from anywhere.

Closing the specific codec vulnerability only helps until the next one is found, so the whole concept of indexing all files is broken.

Fedora has to fix the whole GNOME3 desktop bundling in a way that allows removing single components like gstreamer1-plugins-bad without having 47 other packages removed, including kernel-core.
Uninstalling tracker "only" removes nautilus, but I don't expect Fedora to loosen the dependencies in their desktop.

Comment by Anonymous, 2016-11-17 12:31 (-08:00):

Hanno Boeck's comment is the important one, here.
Look at the date of the fix!
Disclosure: 15.11.2016
Fix: 16.11.2016

No piece of software is truly impregnable; bugs happen, things are overlooked. The major difference then is the response time. That is what makes "Linux" more secure than Windows. It has been and will surely be this way for a long time.

Comment by Anonymous, 2016-11-17 09:54 (-08:00):

> Although it’s hard to say it, this is not the kind of situation that occurs with a latest Windows 10 default install.

Saying this after the myriads of no-go bugs in Windows in the recent years makes me laugh.
Are Linux-based desktop systems perfectly secure? Nope. Did Linux-based systems have their share of security issues recently? Yep.

On top, saying that "Fedora's GNOME" is "Linux desktop security" is .. I leave that to you.

The icing is the irresponsible behaviour of not only saying that crap above, but also disclosing a 0day without talking to the developers. I expect better of an (albeit previous) part of Google's Project Zero.

Comment by Anonymous, 2016-11-17 07:30 (-08:00):

Nautilus also crashes when the properties of the file are shown, and possibly the thumbnailer is also affected.
Thanks for looking into this. The Linux desktop needs more scrutiny IMO.

Comment by Anonymous (https://www.blogger.com/profile/00857218075990031511), 2016-11-17 01:05 (-08:00):

FYI, gstreamer upstream has fixed it:
https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/gst/vmnc/vmncdec.c?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe

Comment by Anonymous, 2016-11-16 04:49 (-08:00):

The same with Google exposing other software companies' vulnerabilities without giving them time to make a patch.

Comment by Anonymous, 2016-11-15 14:12 (-08:00):

Exposing security vulns as 0day exploits without allowing vendors to fix them beforehand is a very douchey move.