Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am a Linux newbie and I have a question:
From what I've understood, unlike in Windows, there is no file extension in Linux, and the OS opens the default program according to the header it reads at the beginning of the file. Am I right?
If so, doesn't this raise a security concern? Can't a user be misled by the name of the file (if it ends in .mp3 for example) and think he's opening a music file but instead he's executing malware? If I'm not mistaken, this wouldn't happen in Windows because Windows would try to open it with the default mp3 viewer, which would fail and no code would be executed.
I have heard of malware that was hidden within jpeg files. Is that true, and how does this work?
Then again, I'm not an expert, so please be indulgent if I'm just saying nonsense and try to explain it pedagogically.
Thanks.
Well, there are extensions for many files, but they are purely conventional, and are very seldom used at the OS level. Within apps like gimp, openoffice etc., files get filtered on suffixes, but again this is more a convention. You suggest this is a negative thing, but isn't it vastly more open to abuse the other way round? Making a file operate in a different way based on its name sounds really dubious to me. I'd think it much saner to execute a file in this or that way because that is what the file actually is, rather than a nominal 3 character suffix.
In terms of how you see things as a risk, there are a few different use cases which affect this. Firstly, from a console perspective, you never run data files, only executables. There is no application association or anything there. As such you would not be in any doubt that what you're running is a program, not an mp3. The other side is the whole windowsy double clicking on a file, and in that context the mime types of the files are, amongst other things, used to display a suitable icon for the contents of the file. So in Gnome an mp3 file shows up as a musical note, whereas an executable called runme.mp3 will show up as a script or binary executable icon, and not a note. So there you're covered fine too really.
Last edited by acid_kewpie; 12-29-2010 at 02:29 AM.
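A small check in the spirit of what acid_kewpie describes, added here as an example (not code from the thread): it classifies files by their leading bytes rather than their name, compares that with what the suffix claims, and reports the execute bit, over three constructed sample files written to a temporary directory. The magic-byte table and the `suspicious` rule are this example's own assumptions.

```python
import os
import stat
import tempfile

# Content types recognised from the leading bytes (the "header" the question
# refers to); the name plays no part.  Added example, not code from the thread.
MAGIC = [(b"\x7fELF", "elf-executable"), (b"#!", "script"), (b"ID3", "mp3"),
         (b"\xff\xfb", "mp3"), (b"\xff\xd8\xff", "jpeg"), (b"%PDF", "pdf")]
CODE_TYPES = {"elf-executable", "script"}
# What a suffix claims.  On Linux this is convention only.
SUFFIX_CLAIM = {".mp3": "mp3", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf"}


def content_type(path):
    """Classify a file by its first bytes, ignoring its name."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect(path):
    """Compare the suffix's claim with the real content and the execute bit;
    flag a data-looking name that carries runnable code or is executable."""
    claimed = SUFFIX_CLAIM.get(os.path.splitext(path)[1].lower(), "none")
    actual = content_type(path)
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    suspicious = claimed != "none" and (actual in CODE_TYPES or executable)
    return {"claimed": claimed, "actual": actual,
            "executable": executable, "suspicious": suspicious}


def demo():
    """Write three constructed files to a temp dir and inspect each one."""
    samples = {  # name: (leading bytes, set execute bit?)
        "song.mp3": (b"ID3\x03\x00" + b"\x00" * 12, False),
        "runme.mp3": (b"\x7fELF\x02\x01\x01" + b"\x00" * 12, True),
        "photo.jpg": (b"#!/bin/sh\necho not a picture\n", False),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (data, exec_bit) in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            if exec_bit:
                os.chmod(p, 0o755)
            results[name] = inspect(p)
    return results
```

Only `runme.mp3` (an ELF header behind an mp3 name) and `photo.jpg` (a shell script behind a jpeg name) come back flagged; the genuine-looking `song.mp3` does not.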
...in addition to what's been said, it would be easier to fool a user with a process name: try for instance running '/bin/doexec /bin/sleep "/bin/apache2 -DSSL" 1m;' then check with 'ps axf' for a process named "sleep" and you'll only find "/bin/apache2 -DSSL 1m" (however not the more experienced user, as running 'readlink -f /proc/`pgrep -f apache2`/exe' or 'lsof -Pwlnp `pgrep -f apache2`' should show it's /bin/sleep).
Quote:
Originally Posted by elishac
I have heard of malwares that were hidden within jpeg files.
We're not the type of site that will show you examples of malware, help you "crack" things or circumvent DRM. That said, generally speaking flaws can be exploited for instance when an application interprets something in a different way than it should. This can range from making the kernel go bonkers remotely (2006: Linux SCTP conntrack) to crashing an application due to it parsing an MP3 the wrong way (2008: Xine-lib MP3 metadata). But while these problems are serious and are fixed as quickly as possible, there are products that due to their closed-source nature, adoption rate or just for being a standard provide ways to embed malware. For a nice roundup see for instance the 2010 SANS PDF Malware Overview and the Malwaretracker PDF Current Threats listing. What's worse is that such an application might provide "features" that allow one to legitimately perform any actions (Seclabs Actions 2.0 in PDF) embedded in a PDF, like for instance executing commands (2010: Didier Stevens Escape From PDF). What I'm saying is that it's not only "obvious" malware that may be a threat...