That's a big stretch, and a lot of hype for this "0-day". How many people are going to be realistically affected by this? Why is arstechnica making such hype about it?
Yes, it's novel that someone's been able to break out of gstreamer's sandbox using unimplemented (or poorly-implemented) 65816 opcodes, but that's about as far as it goes.
Thankfully, my Calculate (Gentoo) Linux KDE desktop with a VLC backend is completely unaffected by this "0-day", and everything on my network is safe.
Maybe it's time Linux distros learn what OpenBSD learned 10 years ago: more packages, more problems.
So yeah, kind of a hype; however, the target is pretty big.
If neither of those happened, these exploits could not be automated (though social engineering would always be an option).
Heck, the download itself is not a problem. The problem is that the DEs, in an attempt at being "helpful" detect and parse every new file for inclusion into their search functionality. And the parsing in this instance gets done by passing the file through gstreamer, and away we go again.
This is idiocy on par with autorun!
- always run your browser in a restricted firejail. this prevents browser exploits from reading your ssh keys. It also makes it much harder to pivot to a root shell or maintain a persistent backdoor because the filesystem is deleted upon jail exit.
- don't install multimedia applications on sensitive machines. My default install is Ubuntu Server with i3-wm, vim, git and other dev tools. No mplayer, no VLC, no multimedia. I listen to music on my phone if I want to jam out. The work computer is for work.
- use snapshotted VMs for interacting with sketchy files such as word docs, xlsx, mp3s, etc.
- default deny rules in iptables to block inbound connections
- static ARP entry for the default route to prevent MITM on the LAN if possible. I do this on my work machine where the network is well known.
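One way to put the last two items of that list (default-deny inbound firewall, pinned ARP entry for the gateway) into a repeatable script. This is an added example, not the commenter's own setup: the interface name `eth0`, gateway address `192.0.2.1` and MAC `00:00:5e:00:53:01` are constructed placeholders, and the script only emits the ruleset and the `ip neigh` command so it can be reviewed before being applied with `iptables-restore`.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset that
# drops all unsolicited inbound traffic, plus the iproute2 command that pins
# the gateway's ARP entry. Nothing here touches the live system; pipe the
# output into `iptables-restore` / run the printed command yourself.

# gen_input_rules [TCP_PORT ...]
#   Default policy DROP on INPUT and FORWARD, ACCEPT on OUTPUT.
#   Loopback and replies to our own connections are allowed; any TCP port
#   given as an argument is additionally opened for NEW connections.
gen_input_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to outbound connections (needs the conntrack match module).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# gen_static_arp_cmd GATEWAY_IP GATEWAY_MAC IFACE
#   Prints the iproute2 command that installs a permanent neighbour entry, so
#   spoofed ARP replies for the gateway address are ignored by the kernel.
gen_static_arp_cmd() {
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$1" "$2" "$3"
}

# Constructed sample values: a gateway on a documentation-range address.
GW_IP=192.0.2.1
GW_MAC=00:00:5e:00:53:01
IFACE=eth0

echo '# --- iptables-restore ruleset (no inbound ports opened) ---'
gen_input_rules
echo '# --- pin the gateway ARP entry ---'
gen_static_arp_cmd "$GW_IP" "$GW_MAC" "$IFACE"
```

Review the printed ruleset, then apply it with `gen_input_rules | iptables-restore` (root required); pass port numbers to `gen_input_rules` only for services the machine must actually expose. The permanent neighbour entry has to be re-checked whenever the gateway hardware changes, since a stale pinned MAC simply blackholes the default route.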
No persistent cookies, no extensions, no cache.
Having a LastPass browser extension is the biggest step up in my personal security in a long time.
Right?
Nope, patched already in Debian and Ubuntu.
How come it wasn't made a thing by similar exploits developed by others in the past decades?
Ars writes the strangest things sometimes.