Autorun is VERY bad

Sam Varshavchik mrsam at courier-mta.com
Mon Feb 7 23:16:18 UTC 2011


Steven Stern writes: 

> On 02/07/2011 12:21 PM, kellyremo wrote:
>> 
>> How to disable autorun? Are there any hidden autorun features on a
>> standard Fedora install?? 
>> 
>> http://securitytube.net/USB-Autorun-attacks-against-Linux-at-Shmoocon-2011-video.aspx 
>> 
> 
> Open any Nautilus window (e.g., PLACES -> COMPUTER) and then
> EDIT->PREFERENCES. Autorun is controlled on the MEDIA tab. Check "Never
> prompt or start programs on media insertion" or use the controls above
> to do a bit more fine tuning.

... and, as you can see, the "Autorun" feature, in Linux, is really nothing 
more than starting an application that's already installed on the system, 
when a specific kind of media gets inserted. 

This is way, way different than automatically running software from the 
inserted media when you pop it in. Not even in the same league, in terms of 
a security issue. 

And, furthermore, that article really talks about things like using 
inserted media to exploit existing bugs in system software. So, for 
example, if, theoretically, there's an exploitable bug in the jpeg library, 
and autorun is set to open a folder when media is inserted, then, 
theoretically, a carefully crafted jpeg file on the inserted media would 
make you vulnerable to getting automatically p0wned if the autorun 
automatically pops up a nautilus folder, which attempts to generate a 
thumbnail for the jpeg file, and exploits the jpeg library vulnerability. 

Were that even so, this would not be an autorun exploit, but rather the 
jpeg library exploit, in the first place. 

So, there is no issue with the "autorun" feature, as implemented in 
Nautilus/Gnome.
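As an added example (not part of this thread), a POSIX shell audit of the Nautilus/GNOME settings the replies above refer to: autorun, auto-opening a folder on insertion, and thumbnailing of files on inserted media. It assumes a GNOME 3 desktop where these live under gsettings (the 2011 Nautilus in the thread kept the same preferences under gconf) and uses constructed sample output for the offline check.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the GNOME media-handling and
# thumbnail settings in the "schema key value" format printed by
# `gsettings list-recursively`. Assumption: GNOME 3 schema and key names;
# the 2011 Nautilus in the thread used equivalent gconf keys such as
# /apps/nautilus/preferences/media_autorun_never.

# Returns 0 when there is no finding, 1 when a setting leaves open the path
# described in the reply (insert -> folder opens -> thumbnailer parses files).
audit_media_handling() {
    findings=0
    while read -r schema key value; do
        [ -n "$schema" ] || continue
        case "$schema $key" in
        "org.gnome.desktop.media-handling autorun-never")
            [ "$value" = "true" ] ||
                { echo "FINDING: programs may start on media insertion (autorun-never=$value)"; findings=1; } ;;
        "org.gnome.desktop.media-handling automount-open")
            [ "$value" = "false" ] ||
                { echo "FINDING: a folder window opens on insertion (automount-open=$value)"; findings=1; } ;;
        "org.gnome.nautilus.preferences show-image-thumbnails")
            # 'local-only' still thumbnails a locally mounted USB stick; only 'never' stops it
            [ "$value" = "'never'" ] ||
                { echo "FINDING: thumbnails generated for inserted media (show-image-thumbnails=$value)"; findings=1; } ;;
        esac
    done <<EOF
$1
EOF
    return $findings
}

# Read the live settings when gsettings exists (missing schemas yield no lines).
audit_live() {
    command -v gsettings >/dev/null 2>&1 || { echo "gsettings not found"; return 2; }
    audit_media_handling "$( { gsettings list-recursively org.gnome.desktop.media-handling;
                               gsettings list-recursively org.gnome.nautilus.preferences; } 2>/dev/null)"
}

# Constructed samples: a permissive desktop vs. the state the reply recommends.
SAMPLE_WEAK="org.gnome.desktop.media-handling autorun-never false
org.gnome.desktop.media-handling automount-open true
org.gnome.nautilus.preferences show-image-thumbnails 'local-only'"
SAMPLE_HARDENED="org.gnome.desktop.media-handling autorun-never true
org.gnome.desktop.media-handling automount-open false
org.gnome.nautilus.preferences show-image-thumbnails 'never'"

if audit_media_handling "$SAMPLE_WEAK"; then echo "weak sample: no findings (unexpected)"; fi
if audit_media_handling "$SAMPLE_HARDENED"; then echo "hardened sample: no findings"; fi
```

Run `audit_live` on a real desktop to check the current user's settings; the sample run above reports three findings for the weak profile and none for the hardened one.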