Idea #18132: .desktop files can run malware

Written by firexq the 19 Feb 09 at 01:31. Category: Security. Related project: Nothing/Others. Status: New
Rationale
A blogger recently described a method to use .desktop files to run malware on unsuspecting users. Whereas executables have popup instructions that alert the user, .desktop launchers run on click and can appear exactly like regular files. This is not a bug; developers describe it as "expected behavior".

http://www.geekzone.co.nz/foobar/6229
Tags: (none)

-22 votes (closed)
Solution #2: Add an overlay icon
Written by viraptor the 20 Feb 09 at 17:44.
Simply add a small icon in the corner of the original one - the way Windows shortcuts work.

It's the main idea that users run launchers, so blocking that in any way will just cause problems in normal use.

---
I wonder why this solution is voted below 0. Anyone care to share?

Comments
andruk (Idea reviewer) wrote on the 20 Feb 09 at 09:51
I voted for this, and I wish you all the luck in the world getting this voted up. But, I must point out that as far as I've read, both Gnome and KDE have marked this bug as "Won't Fix". Perhaps this idea getting lots of votes will be enough to change their minds. I hope it does.

This flaw isn't as bad as the WMF flaw in Windows, but it is close. The WMF flaw was a flaw *by design*, as is this.

To me, it should be very apparent if an icon (that's what the user understands it to be) is going to run anything. We are just as vulnerable to malware delivered via social-engineering as Windows and any other operating system out there. This decreases that attack surface, and should be implemented.

viraptor wrote on the 20 Feb 09 at 17:39
'+x' means something is executable by the kernel. .desktop files are not "executable". They are data files.
Putting an executable flag on a .desktop file is simply wrong.

.desktop files could simply get a new mini-icon overlaid - something like the Windows shortcut arrow.

aysiu (Brainstorm moderator) wrote on the 20 Feb 09 at 19:17
The steps required for this theoretical malware are still too much, and once you bring social engineering into the picture (i.e., user ignorance or stupidity), then the machine is basically going to be compromised anyway.

Why don't we just get rid of GDebi, then, too?

AndrewLuecke wrote on the 20 Feb 09 at 23:40
aysiu... Why aren't Perl and other scripts easier to run?

firexq wrote on the 21 Feb 09 at 04:15
Aysiu, I agree that patching up "trick" malware isn't a task to dwell on. However, at present Ubuntu hides the .desktop ending of a file, meaning that it will appear indistinguishable from a normal file until clicked on. Stupid users will always go off running random code and the like, but even a non-stupid user could fall for this. Ubuntu does not provide him sufficient information to make an informed decision.
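As an added illustration of the point made in the idea's rationale and in the comment above (once the .desktop suffix is hidden, a launcher can pass for an ordinary file), the following Python script is not part of this Brainstorm thread or of the linked blog post. It parses the [Desktop Entry] group of each launcher in a directory and reports the fields that let a launcher masquerade as a document: a Name ending in a data-file suffix, an Icon borrowed from a document or image icon, and an Exec line that hands an inline command to a shell. It also reports the file's executable bit without judging it, since the comments disagree on whether +x belongs on a launcher at all. The suffix and icon-prefix lists are assumptions chosen for this example, and both sample launchers are constructed.

```python
#!/usr/bin/env python3
"""Report .desktop launchers whose fields make them look like ordinary files.

Added example, not code from Ubuntu Brainstorm or the linked blog post.
The suffix and icon-prefix lists below are assumptions for this example.
"""
import configparser
import os
import stat
import tempfile

# Suffixes a user reads as "data file, not program" (assumed list).
DATA_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc",
                   ".docx", ".odt", ".ods", ".mp3", ".avi", ".zip")

# Icon-name prefixes that depict documents or media rather than applications
# (assumed subset of the freedesktop icon naming conventions).
MASQUERADE_ICON_PREFIXES = ("image-", "application-pdf", "text-", "audio-",
                            "video-", "x-office-", "package-x-generic")

# Constructed samples: an ordinary launcher and one dressed up as a photo.
BENIGN_LAUNCHER = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""

DISGUISED_LAUNCHER = """[Desktop Entry]
Type=Application
Name=holiday_photo.jpg
Icon=image-jpeg
Exec=sh -c "echo 'this ran instead of a picture opening'"
"""


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, keeping key case."""
    # Desktop files are INI-like: '=' only, '#' comments, no % interpolation.
    parser = configparser.RawConfigParser(delimiters=("=",),
                                          comment_prefixes=("#",),
                                          strict=False)
    parser.optionxform = str  # keep 'Exec' as written instead of 'exec'
    parser.read_string(text)
    if not parser.has_section("Desktop Entry"):
        return {}
    return dict(parser.items("Desktop Entry"))


def audit_desktop_entry(text):
    """Return human-readable findings for one launcher's contents."""
    entry = parse_desktop_entry(text)
    findings = []
    exec_line = entry.get("Exec", "").strip()
    if not exec_line:
        return findings  # nothing is launched on click, nothing to report
    name = entry.get("Name", "").strip()
    icon = entry.get("Icon", "").strip()
    if name.lower().endswith(DATA_EXTENSIONS):
        findings.append(f"Name '{name}' ends in a data-file suffix but Exec runs '{exec_line}'")
    if icon.startswith(MASQUERADE_ICON_PREFIXES):
        findings.append(f"Icon '{icon}' depicts a document or media file, not an application")
    program = os.path.basename(exec_line.split()[0])
    if program in ("sh", "bash", "dash") and " -c " in f" {exec_line} ":
        findings.append("Exec passes an inline command to a shell with -c")
    return findings


def scan_directory(directory):
    """Audit every .desktop file directly under directory.

    Returns {filename: {"executable": bool, "findings": [...]}} for launchers
    with at least one finding. The executable bit is reported, not judged.
    """
    report = {}
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".desktop"):
            continue
        path = os.path.join(directory, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = audit_desktop_entry(fh.read())
        if findings:
            is_exec = bool(os.stat(path).st_mode & stat.S_IXUSR)
            report[fname] = {"executable": is_exec, "findings": findings}
    return report


def demo():
    """Write the constructed samples to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in (("editor.desktop", BENIGN_LAUNCHER),
                            ("holiday_photo.jpg.desktop", DISGUISED_LAUNCHER)):
            with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for fname, info in demo().items():
        print(f"{fname} (+x={info['executable']}):")
        for finding in info["findings"]:
            print("  -", finding)
```

Run it as-is to audit the two constructed samples, or call scan_directory() on a real location such as a Desktop folder; only the disguised launcher produces findings, and the benign editor launcher passes all three checks.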
