Re: Autorun is VERY bad

Steven Stern writes:

> On 02/07/2011 12:21 PM, kellyremo wrote:
>
>> How to disable autorun? Are there any hidden autorun features on a
>> standard Fedora install??
>> http://securitytube.net/USB-Autorun-attacks-against-Linux-at-Shmoocon-2011-video.aspx
>
> Open any Nautilus window (e.g., PLACES -> COMPUTER) and then
> EDIT->PREFERENCES. Autorun is controlled on the MEDIA tab. Check "Never
> prompt or start programs on media insertion" or use the controls above
> to do a bit more fine tuning.

... and, as you can see, the "Autorun" feature, in Linux, is really nothing more than starting an application that's already installed on the system, when a specific kind of media gets inserted. This is way, way different than automatically running software from the inserted media when you pop it in. Not even in the same league, in terms of a security issue.

And, furthermore, that article really talks about things like using inserted media to exploit existing bugs in system software. So, for example, if, theoretically, there's an exploitable bug in the jpeg library, and autorun is set to open a folder when media is inserted, then, theoretically, a carefully crafted jpeg file on the inserted media would make you vulnerable to getting automatically p0wned if the autorun automatically pops up a nautilus folder, which attempts to generate a thumbnail for the jpeg file, and exploiting the jpeg library vulnerability. Were that even so, this would not be an autorun exploit, but rather the jpeg library exploit, in the first place.

So, there is no issue with the "autorun" feature, as implemented in Nautilus/Gnome.
