Public bug reported: Binary package hint: nautilus
Nautilus can facilitate trojans in conjunction with wine.

Scenario. A user, e.g. a newbie to linux attracted by the ease of use of ubuntu, decides to use wine for some favoured Windows tm programs, discovers that the need to use the cli for installing programs can be avoided using the nautilus "Open with ... wine" feature. Some time later the user receives the following from a very familiar contact in gaim:

(21:51:12) taggs: lol someone has put a pic of u online :P http://kaikau.ka.funpic.org/index.php?pic2038.jpg

As it turns out the "jpg" file is a windows executable trojan (easily recrafted for an ubuntu user) and when the user clicks on the file, instead of seeing it in Eye of Gnome, what in fact happens is a malware intrusion.

Nautilus should be patched to disallow wine to feature in an "Open with ..." rule.

Reasoning: Normally, in linux, to be "social-engineered" you have to save a file, convert it to executable and then run it. As outlined in the above actual incident, this key usability security is ineffective in an increasingly possible scenario. In many ways it makes this form of social engineering easier in linux configured this way, because the file does not even need an exe/bin or similar suffix. Nautilus (in conjunction with wine), as things stand, becomes a key part of negating the standard linux "executable bit" security measures. Prominent warnings are not in place (in the ubuntu wine wiki) advising avoidance of this practice either: https://help.ubuntu.com/community/Wine.

** Affects: nautilus (Ubuntu)
Importance: Undecided
Status: Unconfirmed

--
Security - single click trojan risk
https://launchpad.net/bugs/85338

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
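An added defender-side check, not part of the bug report or of nautilus: it audits a freedesktop mimeapps.list-style association file for rules that hand non-Windows content types such as image/jpeg to a wine handler, and flags a file whose name says ".jpg" but whose bytes are a Windows PE image. It assumes "Open with" rules are stored as MIME associations in that format (the report does not say where nautilus keeps them); the sample file is constructed.

```python
"""Audit MIME associations for "Open with wine" rules on non-Windows
content types, and spot a '.jpg' that is really a Windows executable."""
import configparser
from typing import Dict, List

# Constructed sample of what a user's mimeapps.list might hold after
# picking "Open with wine" for a .jpg once (assumed storage format).
SAMPLE_MIMEAPPS = """\
[Default Applications]
image/jpeg=wine.desktop
application/x-ms-dos-executable=wine.desktop
text/plain=gedit.desktop

[Added Associations]
image/jpeg=wine.desktop;eog.desktop;
image/png=eog.desktop;
"""

# Types for which routing to Wine is the expected, legitimate behaviour.
WINE_NATIVE_TYPES = {
    "application/x-ms-dos-executable",
    "application/x-msi",
    "application/x-msdownload",
}

def find_wine_associations(text: str) -> Dict[str, List[str]]:
    """Return {section: [mime types]} where a non-Windows MIME type has a
    wine*.desktop handler anywhere in its handler list."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep MIME type keys case-sensitive
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in parser.sections():
        for mime, handlers in parser[section].items():
            apps = [h.strip() for h in handlers.split(";") if h.strip()]
            if any(a.startswith("wine") for a in apps) and mime not in WINE_NATIVE_TYPES:
                findings.setdefault(section, []).append(mime)
    return findings

def jpeg_name_hides_pe(filename: str, head: bytes) -> bool:
    """True when a file named *.jpg does not start with the JPEG SOI marker
    (FF D8 FF) but does start with the 'MZ' DOS/PE header."""
    if not filename.lower().endswith(".jpg"):
        return False
    return not head.startswith(b"\xff\xd8\xff") and head.startswith(b"MZ")

if __name__ == "__main__":
    for section, types in find_wine_associations(SAMPLE_MIMEAPPS).items():
        print(f"{section}: wine handles {', '.join(types)}")
    print(jpeg_name_hides_pe("pic2038.jpg", b"MZ\x90\x00" + b"\x00" * 60))
```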
