August 11, 2019 02:34 pm
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_njXPC4Jf_g/remember-autoruninf-malware-in-windows-turns-out-kde-offers-something-similar
Remember Autorun.inf Malware In Windows? Turns Out KDE Offers Something Similar
Long-time Slashdot reader Artem S. Tashkinov writes: A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions. The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file. Zero user interaction is required to trigger code execution — all you have to do is to browse a directory with a malicious file using any of KDE file system browsing applications like Dolphin. When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response. "We would appreciate if people would contact [email protected] before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc.