
posted by janrinok on Saturday December 17 2016, @07:25AM
from the so-you-thought-you-were-safe? dept.

Submitted via IRC for Bytram

If your desktop runs a mainstream release of Linux, chances are you're vulnerable.

[...] While Evans' attacks won't work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security-conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.

"I like to prove that vulnerabilities are not just theoretical—that they are actually exploitable to cause real problems," Evans told Ars when explaining why he developed—and released—an exploit for fully patched systems. "Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out."

Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them.

The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don't have the same unfettered system privileges granted to root, the ones they do have are plenty powerful. Such an exploit can, for instance, read and steal all the user's most personal data, including documents, pictures, e-mail, and chat transcripts. It could also steal the user's browser cookies and sessions for Gmail, Facebook, Twitter, and other sites. It could additionally persist across reboots, although not as stealthily as a root exploit. And as is growing increasingly common, it could be combined with a local root privilege exploit to gain full system rights.
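The mechanism the summary describes is content sniffing: GStreamer chooses a decoder from the leading bytes of a file, not from its name, so an SPC dump renamed to .flac or .mp3 still reaches libgme. A defender can turn that around and flag files whose extension and magic bytes disagree. The following Python is an added example, not code from Ars, the article, libgme or GStreamer; the magic values are the standard ones for each format and the sample files are constructed in memory.

```python
"""Flag media files whose extension claims FLAC/MP3 but whose contents
are a Super Nintendo SPC dump, the disguise the story describes.

Added example, not from the article or from libgme/GStreamer. The sample
files below are constructed so the script runs offline."""
import os

# Magic bytes: SPC files begin with a fixed 33-byte ASCII banner, FLAC
# streams with "fLaC", and MP3 files with an ID3v2 tag or an MPEG frame
# sync (first 11 bits set).
SPC_MAGIC = b"SNES-SPC700 Sound File Data v0.30"
FLAC_MAGIC = b"fLaC"
ID3_MAGIC = b"ID3"


def sniff(data: bytes) -> str:
    """Return the format implied by the leading bytes, the way a
    typefinder would, ignoring the file name entirely."""
    if data.startswith(SPC_MAGIC):
        return "spc"
    if data.startswith(FLAC_MAGIC):
        return "flac"
    if data.startswith(ID3_MAGIC):
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def mismatches(files: dict) -> list:
    """Given {filename: leading bytes}, list files whose extension claims
    an audio format the content does not match. An SPC body behind a
    .flac or .mp3 name is exactly the case the exploit relies on."""
    found = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower().lstrip(".")
        kind = sniff(data)
        if ext in ("flac", "mp3") and kind != ext:
            found.append((name, ext, kind))
    return found


# Constructed samples (not real exploit files): an SPC header renamed to
# .flac, a genuine FLAC header, an MP3 frame header, and an SPC as .mp3.
SAMPLES = {
    "song.flac": SPC_MAGIC + b"\x1a\x1a\x1a\x1e" + b"\x00" * 32,
    "real.flac": FLAC_MAGIC + b"\x00\x00\x00\x22",
    "track.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 16,
    "tune.mp3": SPC_MAGIC + b"\x1a\x1a\x1b\x1e",
}

if __name__ == "__main__":
    for name, ext, kind in mismatches(SAMPLES):
        print(f"{name}: extension says {ext}, content looks like {kind}")
```

Run it over a download directory by reading the first 64 bytes of each file into the dict; only the leading bytes are needed.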

Source: http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-hacking-desktop-linux-is-now-a-thing/


Related Stories

Fedora Linux to Support MP3 Encoding

Fedora Magazine reports:

[...] a few days ago Red Hat Legal provided the permission to ship MP3 encoding in Fedora. [...] it will soon be possible to convert physical media or other formats to MP3 in Fedora without 3rd party repositories.

Previous stories:
The MP3 Format is now Patent Free
0-Days Hitting Fedora and Ubuntu Open Desktops to a World of Hurt

  • (Score: 2) by butthurt on Saturday December 17 2016, @08:19AM

    by butthurt (6141) on Saturday December 17 2016, @08:19AM (#442388) Journal
    • (Score: 3, Informative) by janrinok on Saturday December 17 2016, @02:39PM

      by janrinok (52) Subscriber Badge on Saturday December 17 2016, @02:39PM (#442433) Journal

      Mea Culpa.

      I knew that I had read the story, but couldn't see it in the history, and assumed that it was one of the submissions that I had read or from somewhere else. Going into the corner to stand in abject shame for a few minutes, then I'll probably have a beer....

      • (Score: 0) by Anonymous Coward on Saturday December 17 2016, @08:28PM

        by Anonymous Coward on Saturday December 17 2016, @08:28PM (#442508)

        Happens, don't worry friend. And kudos for having the cojones to own up to it.

  • (Score: 4, Informative) by fishybell on Saturday December 17 2016, @08:22AM

    by fishybell (3156) on Saturday December 17 2016, @08:22AM (#442389)

    The summary, and linked article, fail to mention that GStreamer's memory corruption bug being exploited is merely a means to an end. The exploit uses the memory corruption bug to bypass address space layout randomization [wikipedia.org] and data execution prevention [wikipedia.org], which is a problem that must be fixed in the kernel.

    I recommend going to another ars article [arstechnica.com] or straight from the horse's mouth [blogspot.com].

  • (Score: 2) by opinionated_science on Saturday December 17 2016, @09:03AM

    by opinionated_science (4031) on Saturday December 17 2016, @09:03AM (#442396)

    mv /usr/lib/libgme.so.0.5.3 /usr/lib/libgme.so.0.5.3.ZERO_DAY_EXPLOIT_16DEC2016

    Seriously, unless there's an exploit triggered by reading a) Soylent News* b) Gmail c) Facebook or even d) Some lame ads you have to let through.

    Ad blocking might need to become defensive - or liability should be deployed on the producers....

    *) Other news organisations are considered valid.

    • (Score: 1, Informative) by Anonymous Coward on Saturday December 17 2016, @11:30AM

      by Anonymous Coward on Saturday December 17 2016, @11:30AM (#442410)

      a) Soylent News*
      *) Other news organisations are considered valid.

      While I do, sadly, get most of my news from here, calling SN a "news organization" might be a tad overstating it :P

      Ad blocking might need to become defensive - or liability should be deployed on the producers....

      What do you mean, "might need to become"? Ad blocking has been defensive for a long time now. Huge video ads and unvetted scripts slowing down page loads to a crawl, burning through bandwidth caps, transmitting viruses and trojans, crashing browsers...

      Ad blocker is arguably the most important piece of security software these days. Shifting liability might help with that, but it's not very likely to happen.

      Unless...

      How much ad vetting does Twitter do? Someone should sneak in a trojan that blocks any further access to Twitter after infection. If President Trump gets infected, he's sure to bring down the hammer on advertisers!

  • (Score: 2) by Arik on Saturday December 17 2016, @01:29PM

    by Arik (4543) on Saturday December 17 2016, @01:29PM (#442424) Journal
    End of the penultimate paragraph, "Gsteamer."

    I lol'd.

    Anyway, Linux itself is still pretty secure, but as more and more people use the word to refer to the whole distribution, and userspace has been a race to the bottom for years, this sort of thing is completely to be expected.
    --
    If laughter is the best medicine, who are the best doctors?