Submitted via IRC for Bytram
If your desktop runs a mainstream release of Linux, chances are you're vulnerable.
[...] While Evans' attacks won't work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.
"I like to prove that vulnerabilities are not just theoretical—that they are actually exploitable to cause real problems," Evans told Ars when explaining why he developed—and released—an exploit for fully patched systems. "Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out."
Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them.
The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don't have the same unfettered system privileges granted to root, the ones they do have are plenty powerful. Such an exploit can, for instance, read and steal all the user's most personal data, including documents, pictures, e-mail, and chat transcripts. It could also steal the user's browser cookies and sessions for Gmail, Facebook, Twitter, and other sites. It could additionally persist across reboots, although not as stealthily as a root exploit. And as is growing increasingly common, it could be combined with a local root privilege exploit to gain full system rights.
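The article's point that a renamed .spc file is still opened by GStreamer and libgme comes down to content sniffing: a media framework selects a decoder from the leading bytes of a file, not from its extension. The following is an added example (not code from the article, from Evans, or from the GStreamer or libgme projects) of a defender-side check that applies the same sniffing to flag downloads whose extension disagrees with their content. The SPC tag string, the FLAC and MP3 markers, and the 0x100-byte header plus 64 KiB RAM image layout are taken from the respective file-format specifications and are assumptions not stated on the page; the sample SPC container it builds is constructed for the test and carries nothing but a zero-filled RAM image.

```python
"""Content-based detection of SPC (SNES-SPC700) payloads hiding behind
other audio extensions. Added example, not from the article or from
libgme/GStreamer.

Assumptions (from the SPC format specification, not from the page):
  - a well-formed SPC file starts with the 33-byte ASCII tag
    b"SNES-SPC700 Sound File Data v0.30"
  - the fixed header is 0x100 bytes and is followed by a 64 KiB RAM image.
"""
from pathlib import Path
from typing import Optional

SPC_MAGIC = b"SNES-SPC700 Sound File Data"   # prefix shared by all v0.30 files
SPC_HEADER_LEN = 0x100
SPC_RAM_LEN = 0x10000

# Extensions the article mentions as disguises, plus the genuine one.
AUDIO_EXTENSIONS = {".spc", ".flac", ".mp3"}


def sniff_format(data: bytes) -> Optional[str]:
    """Return a format label based on leading bytes, ignoring the filename."""
    if data.startswith(SPC_MAGIC):
        return "spc"
    if data.startswith(b"fLaC"):
        return "flac"
    # MP3: either an ID3v2 tag or an MPEG frame sync (11 set bits).
    if data.startswith(b"ID3") or (
        len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0
    ):
        return "mp3"
    return None


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the sniffed content type differs from what the extension claims."""
    ext = Path(name).suffix.lower()
    sniffed = sniff_format(data)
    if ext not in AUDIO_EXTENSIONS or sniffed is None:
        return False  # nothing to compare against
    return sniffed != ext.lstrip(".")


def classify_download(name: str, data: bytes) -> str:
    """Summarise what a downloads scanner would report for one file."""
    sniffed = sniff_format(data)
    if sniffed == "spc" and extension_mismatch(name, data):
        return (f"{name}: SPC payload disguised as {Path(name).suffix}; "
                f"a typefinding framework would still route it to the SPC decoder")
    if sniffed == "spc":
        return f"{name}: SPC file (handled by libgme where it is installed)"
    if sniffed is None:
        return f"{name}: unknown format"
    return f"{name}: {sniffed}, extension consistent"


def make_constructed_spc(ram_fill: int = 0x00) -> bytes:
    """Build a minimal, structurally valid SPC container for testing.

    Constructed sample: header fields set per the spec, RAM image filled with
    one byte value. It is not derived from any real or malicious file.
    """
    header = bytearray(SPC_HEADER_LEN)
    tag = SPC_MAGIC + b" v0.30"            # 33 bytes total
    header[: len(tag)] = tag
    header[0x21:0x23] = b"\x1a\x1a"        # two 0x1A bytes follow the tag
    header[0x23] = 27                      # 27 = no ID666 tag present
    header[0x24] = 30                      # minor version
    return bytes(header) + bytes([ram_fill]) * SPC_RAM_LEN


def scan_directory(directory: str) -> list:
    """Report every file in a directory whose extension lies about its content."""
    findings = []
    for path in Path(directory).iterdir():
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(64)         # only the leading bytes are needed
            if extension_mismatch(path.name, head):
                findings.append(classify_download(path.name, head))
    return findings


if __name__ == "__main__":
    # Demonstrate on constructed data rather than on a real downloads folder.
    sample = make_constructed_spc()
    for fname in ("track.spc", "track.flac", "track.mp3"):
        print(classify_download(fname, sample))
```

Reading only the first few dozen bytes keeps the scan cheap enough to run over a downloads directory from a cron job or a browser download hook; the interesting output is the mismatch case, where a file that claims to be FLAC or MP3 carries the SPC tag and would therefore reach the same decoder as an honestly named .spc file.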
(Score: 2) by opinionated_science on Saturday December 17 2016, @09:03AM
mv /usr/lib/libgme.so.0.5.3 /usr/lib/libgme.so.0.5.3.ZERO_DAY_EXPLOIT_16DEC2016
Seriously, unless there's an exploit triggered by reading a) Soylent News* b) Gmail c) Facebook or even d) Some lame ads you have to let through.
Ad blocking might need to become defensive - or liability should be deployed on the producers....
*) Other news organisations are considered valid.
(Score: 1, Informative) by Anonymous Coward on Saturday December 17 2016, @11:30AM
> a) Soylent News*
> *) Other news organisations are considered valid.
While I do, sadly, get most of my news from here, calling SN a "news organization" might be a tad overstating it :P
> Ad blocking might need to become defensive - or liability should be deployed on the producers....
What do you mean, "might need to become"? Ad blocking has been defensive for a long time now. Huge video ads and unvetted scripts slowing down page loads to a crawl, burning through bandwidth caps, transmitting viruses and trojans, crashing browsers...
Ad blocker is arguably the most important piece of security software these days. Shifting liability might help with that, but it's not very likely to happen.
Unless...
How much ad vetting does Twitter do? Someone should sneak in a trojan that blocks any further access to Twitter after infection. If President Trump gets infected, he's sure to bring down the hammer on advertisers!