Posted by December 18, 2016 No Comments

It's Been a Bad Week for Linux as Several Security Flaws Surface – BleepingComputer

Two security researchers published details this week about several security flaws that allow attackers to execute code on affected machines and take over devices.These security flaws affect Linux distros such as Fedora and Ubuntu, and two of these exploits are zero-days, meaning there’s no patch to prevent attacks.Zero-days discovered affecting Fedora and UbuntuThe first to publish his research was Chris Evans, who disclosed the two zero-days affecting Gstreamer, an application responsible for indexing and generating thumbnails and previews for files in various Linux desktop environments.Evans says that an attacker can host a malicious audio file online that when the user downloads on his computer, will automatically be indexed by Gstreamer.The file, either a FLAC or MP3, would tell Gstreamer that it’s a SNES music file. Because Gstreamer comes with support for playing these files, it will emulate a SNES (Super Nintendo Entertainment System) and attempt to index the file.The libraries part of Gstreamer tasked with this operation include vulnerabilities that allow the attacker to execute code on the user’s machine.This occurs when the file contains malicious instructions telling Gstreamer to emulate a SNES with a Sony SPC700 audio processor. Additionally, Gstreamer isn’t sandboxed, so any code executed via the framework has access to the OS, with the user’s native privileges.Evans has tested his attack scenario on Fedora 25 and Ubuntu 16.04 LTS distros but says that other Linux versions might be affected as well. He also recorded two videos of his exploit in action.