.desktop files, serious security hole, virus-friendliness
Dave Cridland
dave at cridland.net
Mon Apr 3 18:10:45 EEST 2006
On Mon Apr 3 15:59:16 2006, Rodney Dawes wrote:
> On Mon, 2006-04-03 at 15:24 +0100, Scott James Remnant wrote:
> > On Mon, 2006-04-03 at 09:48 -0400, Rodney Dawes wrote:
> > > > On Sun, 2006-04-02 at 22:29 -0700, Sam Watkins wrote:
> > > > 1. do you agree that this is a serious security problem?
> > > > > I don't think it is a serious security problem. While it
> does expose
> > > the ability to run shell commands from the .desktop file, it
> doesn't
> > > seem likely that many people will do it. I mean, Windows has had
> > > shortcut files which are pretty much exactly the same as our
> .desktop
> > > files, and you never hear of anyone doing specific attacks like
> you
> > > suggest would be done. There are much more interesting ways to
> do them,
> > > than to have a .desktop file with an icon/label that lies about
> itself.
> > > > Uh, PIF file attacks were very common for a long time in
> Windows.
>
> Uhm. They weren't actually PIF files. They were executables with
> the .pif extension.
Are you absolutely sure about that? Because PIF files could contain
executable code and all sorts, but weren't themselves executable
programs as such, I thought. I'm not certain about that either,
though.
> The same thing was done with .scr, which Windows
> uses for screensavers.
But having written a screensaver or two for Windows, I do recall that
these are definitely executables all the time. The different
extension is purely there to indicate which executables are actually
screensavers.
Dave.
--
You see things; and you say "Why?"
But I dream things that never were; and I say "Why not?"
- George Bernard Shaw
More information about the xdg
mailing list