Windows 10 News and info | Forum
November 16, 2018, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Ubuntu and CentOS Are Undoing a GNOME Security Feature  (Read 73 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 29166


I Do Windows


WWW Email
« on: August 27, 2018, 12:10:10 PM »
ReplyReply

Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year.

The feature's name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME's thumbnail parsers in July 2017, with the release of GNOME 3.26.

Bubblewrap meant to protect GNOME's thumbnailing system

Thumbnail parsers are scripts that read files inside a directory and create thumbnail images to be used with GNOME, KDE, or other Linux desktop environments.

This operation takes place every time a user navigates to folders, and the OS needs to display thumbnails for the files contained within.

In recent years, security researchers have proven that thumbnail parses can be an attack vector when hackers trick a user into downloading a boobytrapped file on their desktop, which is then executed by the thumbnail parser.

It's for this reason that the GNOME team added Bubblewrap sandboxes for all GNOME thumbnail parser scripts last year.

Ubuntu, CentOS disable Bubblewrap feature

But according to German security researcher and journalist Hanno Boeck, the Ubuntu operating system is disabling Bubblewrap support inside GNOME for all recent OS versions.

Furthermore, Google security researcher Tavis Ormandy also discovered that GNOME Bubblewrap sandboxes were also missing in the default version of CentOS 7.x.

But there's a valid explanation for what Ubuntu is doing, according to Alex Murray, Ubuntu Security Tech Lead at Canonical.

Murray says the Ubuntu team opted to disable GNOME's Bubblewrap because they did not have the time and resources to audit the feature.

"Bubblewrap is relatively new software doing some complicated things to set up sandboxes," Murray said. "If we just blindly promote it to [Ubuntu main] and then find out it has a vulnerability itself which we could have caught through code review beforehand that is not a good outcome for our users."

"It's easy to criticise but the reality is that to ship a high-quality distro all packages promoted to [Ubuntu main] have to go through a thorough review process which takes time," Murray added.

"It will likely get there soon, but the security team has limited resources and with 2018 being the year of a whole new class of vulnerabilities with seemingly no end in sight (aka Spectre, etc.) everyone just has to be patient."

source
« Last Edit: August 27, 2018, 12:12:45 PM by javajolt » Logged



Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page November 07, 2018, 09:26:10 PM