Malicious executable code defaults to "Open with", cannot be changed
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mozilla Firefox |
Confirmed
|
Unknown
|
|||
Wine |
Fix Released
|
Wishlist
|
|||
firefox-3.0 (Ubuntu) |
Triaged
|
Medium
|
Unassigned | ||
firefox-3.5 (Ubuntu) |
Triaged
|
Medium
|
Unassigned | ||
wine (Ubuntu) |
Fix Released
|
Medium
|
Unassigned |
Bug Description
Binary package hint: firefox-3.0
Distro: Ubuntu 8.10
Uname -a: Linux rand 2.6.28-8-generic #28-Ubuntu SMP Fri Mar 6 00:09:20 UTC 2009 x86_64 GNU/Linux
apt-cache policy firefox-3.0
firefox-3.0:
Installed: 3.0.8+nobinonly
Candidate: 3.0.8+nobinonly
Version table:
*** 3.0.8+nobinonly
500 http://
500 http://
100 /var/lib/
3.
500 http://
I have accidentally found my way to a web site which has been hacked. Upon exiting the page, a hijacked onunload handler brings me to another site which immediately attempts to download a .EXE file for windows.
Anyone who says that EXE programs are not dangerous on Linux is simply wrong. Wine by default comes with a link dosdevices/z: -> /
What this means is that any windows program can read/write to all files that I have read/write access to. For example, imagine a simple trojan that adds malicious code to all .EXE files on the disk. While this may not be an immedate problem, the next time I boot to my windows partition, my computer will be owned! Or, a virus could just inconspicuously delete or truncate all "unimportant" files (images, documents) on my computer -- And from what I have heard, there are recent malicious programs floating around the internet that do this.
In addition, Wine executables that are designed with Linux in mind (not that much of a stretch), could launch arbitrary code, even in the form of a ELF binary if necessary, followed by installing a keylogger or pretty much anything even if it wasn't possible using windows-only code.
While I am understanding of the chain of events leading to the EXE download (there is nothing Firefox can do about me going to a malicious website), there are a number of problems (I have attached a screenshot so you can see what I mean):
1) The Dialog box marks "Open with wine" as default,
2) It does not have a countdown timer! So any page that asks you to fill in a text box and hit enter, could cause you to run an arbitrary .EXE using wine by initiating the download at exactly the right time.
3) The "Use this as default" box is greyed out, so I am not only unable to remove wine as my default, but I cannot tell it to always save these files to disk, or *something* that does not involve immediately compromising my user account.
All of these together mean not only that I am vulnerable to accidentally clicking the wrong button when trying to cancel out of this malicious webpage, but that I am unable to prevent this from happening in the future. I believe this is a critical bug for anybody who has both Firefox and Wine installed on the same system, as it leads to arbitrary code execution under circumstances that are not too much of a stretch.
(For anybody interested in the specific website, the URL that I was referred to on the "onunload" handler in the hijacked page shows up in the download window screenshot--I don't want to paste it here.)
I don't know what the right solution is here, but I would personally like to see some serious review go into the default MIME types and helper applications. This is the reason that I am reporting the bug here rather than upstream. Mozilla Firefox has no control over the defaults that the Distro provides, and the simplest solution for now is to change the default mime handlers so that you don't end up with "open with wine" as a default anywhere.
Also, while this isn't productive to this specific discussion and I am merely preaching to the choir, I would like a GUI that allows normal users to see the *full* list of file extensions and their associated programs, so that you can make conscious decisions about file types rather than only relying on defaults. I'm talking about Edit->Preferenc
If not this, I would at least like to see a "Change the default" option that isn't sometimes mysteriously greyed out. Again, it isn't Ubuntu's place to add such a feature, so this might be worth reporting to upstream.
visibility: | private → public |
Changed in firefox-3.0 (Ubuntu): | |
status: | New → Confirmed |
Changed in wine (Ubuntu): | |
status: | New → Confirmed |
Changed in wine (Ubuntu): | |
importance: | Undecided → Medium |
Changed in firefox-3.0 (Ubuntu): | |
importance: | Undecided → Medium |
Changed in wine: | |
status: | Unknown → Confirmed |
Changed in wine: | |
status: | Confirmed → Fix Released |
Changed in wine (Ubuntu): | |
status: | Confirmed → Fix Committed |
Changed in firefox: | |
status: | Unknown → Invalid |
Changed in firefox: | |
status: | Invalid → Unknown |
Changed in firefox: | |
status: | Unknown → Confirmed |
Changed in wine: | |
importance: | Unknown → Wishlist |
Changed in firefox: | |
importance: | Unknown → Medium |
Changed in firefox: | |
status: | Confirmed → Unknown |
Changed in firefox: | |
status: | Unknown → Confirmed |
information type: | Public Security → Private Security |
information type: | Private Security → Public Security |
Changed in firefox: | |
importance: | Medium → Unknown |
I guess that's not the job of Firefox. Wine should let check if it's a virus..
You can also choose with which application the exe will be opened.