On Wednesday, May 3, 2017 at 4:24:24 PM UTC-4, u+q...@bestemt.no wrote:
> Nemo <wordswithn...@gmail.com> [2017-05-03 19:50 +0200]:
> > I'm thinking an attacker could:
> >
> > 1 Take control of the VM through any given means, and gain the ability to
> > edit the .desktop file
> > 2 Alter the desktop file so that it opens a malware URL in the VM dedicated
> > to web browsing
> > 3 Send information from the Thunderbird VM to the less-trusted web browsing
> > VM via coding in the URL
> >
> > The weakness is you're giving a persistent, user-editable file permission
> > to control another VM - and the Qubes messaging service doesn't tell you
> > exactly what action you are approving, and might even be set to "Yes to
> > All" allowing transparent control by malware.
> >
> > If you DON'T set "Yes to All", then you are queried every time you open a
> > webpage, and if you don't read every approval carefully an attacker could
> > force a third, higher-trust VM to open a malware URL.
>
> If an attacker can edit the contents of your home folder, he/she can
> accomplish the same by creating new *.desktop and mimeapps.list files in
> ~/.local/share/applications/.
>
> Changes in the home directory stay persistent unless it is a DispVM.
>
> --
> ubestemt

This is a good point. So the fundamental security issue is that we cannot specifically confirm the URL that is being sent to the other VM as we are approving it.

I suppose this would need to be secured on the web browser VM end. Maybe create another .desktop file as the default HTTP/HTTP handler on the web browser VM that allows for user confirmation of the URL before opening in the actual browser?
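
The confirmation handler proposed in the reply above, sketched as an added example that is not part of the original post or of Qubes itself. The script name `confirm-url`, the `confirm-url.desktop` entry, `REAL_BROWSER` and `MAX_LEN` are assumptions, as is `zenity` being installed in the browsing VM.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical /usr/local/bin/confirm-url,
# registered in the browsing VM through a constructed confirm-url.desktop:
#   Exec=/usr/local/bin/confirm-url %u
#   MimeType=x-scheme-handler/http;x-scheme-handler/https;
# and made default with: xdg-settings set default-web-browser confirm-url.desktop
LC_ALL=C; export LC_ALL                  # byte-wise pattern matching below
REAL_BROWSER=${REAL_BROWSER:-firefox}    # assumption: the browser actually used
MAX_LEN=2048                             # assumption: cap on accepted URL length

# Return 0 only for a plain http(s) URL that can be shown to the user as-is.
check_url() {
    case $1 in
        http://?*|https://?*) ;;
        *) return 1 ;;                   # file:, javascript:, option-like strings
    esac
    case $1 in
        *[!!-~]*|*\\*) return 1 ;;       # control bytes, spaces, non-ASCII, backslash
    esac
    [ "${#1}" -le "$MAX_LEN" ]
}

# Print the host the browser will contact, ignoring any user@ prefix.
url_host() {
    rest=${1#*://}
    authority=${rest%%[/?#]*}
    hostport=${authority##*@}
    case $hostport in
        \[*) h=${hostport%%]*}; printf '%s]\n' "$h" ;;   # IPv6 literal
        *)   printf '%s\n' "${hostport%%:*}" ;;
    esac
}

confirm_and_open() {
    if ! check_url "$1"; then
        zenity --error --no-markup --text="Refused URL received from another VM."
        return 1
    fi
    # --no-markup shows the URL literally; --default-cancel keeps Enter from approving.
    zenity --question --no-markup --default-cancel --title="Open URL?" \
        --text="Host: $(url_host "$1")
Full URL: $1" || return 1
    exec "$REAL_BROWSER" "$1"
}

# Run only when invoked with a URL argument, as the .desktop Exec line does.
[ "$#" -eq 0 ] || confirm_and_open "$1"
```

Because the check runs in the receiving VM, it still applies when the sending VM's .desktop or mimeapps.list files have been altered, and the dialog shows the host and the full URL that the Qubes approval prompt does not.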