.desktop files, serious security hole, virus-friendliness

Dave Cridland dave at cridland.net
Mon Apr 3 18:10:45 EEST 2006


On Mon Apr  3 15:59:16 2006, Rodney Dawes wrote:
> On Mon, 2006-04-03 at 15:24 +0100, Scott James Remnant wrote:
> > On Mon, 2006-04-03 at 09:48 -0400, Rodney Dawes wrote:
> > > On Sun, 2006-04-02 at 22:29 -0700, Sam Watkins wrote:
> > > > 1. do you agree that this is a serious security problem?
> > >
> > > I don't think it is a serious security problem. While it does expose
> > > the ability to run shell commands from the .desktop file, it doesn't
> > > seem likely that many people will do it. I mean, Windows has had
> > > shortcut files which are pretty much exactly the same as our .desktop
> > > files, and you never hear of anyone doing specific attacks like you
> > > suggest would be done. There are much more interesting ways to do them,
> > > than to have a .desktop file with an icon/label that lies about itself.
> >
> > Uh, PIF file attacks were very common for a long time in Windows.
> 
> Uhm. They weren't actually PIF files. They were executables with
> the .pif extension.

Are you absolutely sure about that? Because PIF files could contain 
executable code and all sorts, but weren't themselves executable 
programs as such, I thought. I'm not certain about that either, 
though.

> The same thing was done with .scr, which Windows
> uses for screensavers.

But having written a screensaver or two for Windows, I do recall that 
these are definitely executables all the time. The different 
extension is purely there to indicate which executables are actually 
screensavers.

Dave.
-- 
           You see things; and you say "Why?"
   But I dream things that never were; and I say "Why not?"
    - George Bernard Shaw


