Binary package hint: firefox-3.0
Distro: Ubuntu 8.10
Uname -a: Linux rand 2.6.28-8-generic #28-Ubuntu SMP Fri Mar 6 00:09:20 UTC 2009 x86_64 GNU/Linux
apt-cache policy firefox-3.0
firefox-3.0:
Installed: 3.0.8+nobinonly-0ubuntu0.8.10.2
Candidate: 3.0.8+nobinonly-0ubuntu0.8.10.2
Version table:
*** 3.0.8+nobinonly-0ubuntu0.8.10.2 0
500 http://mirror.anl.gov intrepid-updates/main Packages
500 http://security.ubuntu.com intrepid-security/main Packages
100 /var/lib/dpkg/status
3.0.3+nobinonly-0ubuntu2 0
500 http://mirror.anl.gov intrepid/main Packages
I have accidentally found my way to a web site which has been hacked. Upon exiting the page, a hijacked onunload handler brings me to another site which immediately attempts to download a .EXE file for windows.
Anyone who says that EXE programs are not dangerous on Linux is simply wrong. Wine by default comes with a link dosdevices/z: -> /
What this means is that any windows program can read/write to all files that I have read/write access to. For example, imagine a simple trojan that adds malicious code to all .EXE files on the disk. While this may not be an immedate problem, the next time I boot to my windows partition, my computer will be owned! Or, a virus could just inconspicuously delete or truncate all "unimportant" files (images, documents) on my computer -- And from what I have heard, there are recent malicious programs floating around the internet that do this.
In addition, Wine executables that are designed with Linux in mind (not that much of a stretch), could launch arbitrary code, even in the form of a ELF binary if necessary, followed by installing a keylogger or pretty much anything even if it wasn't possible using windows-only code.
While I am understanding of the chain of events leading to the EXE download (there is nothing Firefox can do about me going to a malicious website), there are a number of problems (I have attached a screenshot so you can see what I mean):
1) The Dialog box marks "Open with wine" as default,
2) It does not have a countdown timer! So any page that asks you to fill in a text box and hit enter, could cause you to run an arbitrary .EXE using wine by initiating the download at exactly the right time.
3) The "Use this as default" box is greyed out, so I am not only unable to remove wine as my default, but I cannot tell it to always save these files to disk, or *something* that does not involve immediately compromising my user account.
All of these together mean not only that I am vulnerable to accidentally clicking the wrong button when trying to cancel out of this malicious webpage, but that I am unable to prevent this from happening in the future. I believe this is a critical bug for anybody who has both Firefox and Wine installed on the same system, as it leads to arbitrary code execution under circumstances that are not too much of a stretch.
(For anybody interested in the specific website, the URL that I was referred to on the "onunload" handler in the hijacked page shows up in the download window screenshot--I don't want to paste it here.)
I don't know what the right solution is here, but I would personally like to see some serious review go into the default MIME types and helper applications. This is the reason that I am reporting the bug here rather than upstream. Mozilla Firefox has no control over the defaults that the Distro provides, and the simplest solution for now is to change the default mime handlers so that you don't end up with "open with wine" as a default anywhere.
Also, while this isn't productive to this specific discussion and I am merely preaching to the choir, I would like a GUI that allows normal users to see the *full* list of file extensions and their associated programs, so that you can make conscious decisions about file types rather than only relying on defaults. I'm talking about Edit->Preferences->Applications, but instead of only a select few of them, a list that shows *all* application handlers on the system, and allows adding/removing entries, kind of like the "Folder Options" screen that Windows has (though I'm not saying to copy their overly complicated registry).
If not this, I would at least like to see a "Change the default" option that isn't sometimes mysteriously greyed out. Again, it isn't Ubuntu's place to add such a feature, so this might be worth reporting to upstream.
I guess that's not the job of Firefox. Wine should let check if it's a virus..
You can also choose with which application the exe will be opened.