This week, last Tuesday, a developer and security researcher did something that is usually critical: find a vulnerability and publish it before informing who develops the software. The developer was Penner and the software in which he found the security flaw was the graphical environment Plasma from KDE Community. If you wonder why we are talking in the past, we do it because everything has happened so fast and KDE Community has already delivered the patches that correct the bug.
But let's go in parts: the problem is or was in how KDesktopFile manages the .desktop and .directory files. Penner discovered that .desktop and .directory files could be created with malicious code that could be used to execute that code on a victim's computer. The code is executed if the user interaction, beyond opening the KDE file manager to access the directory where we have stored the file. But that KDE has already uploaded the patches is not the only good news.
Plasma's security flaw is not too dangerous
The Security researchers say the recently discovered fault in Plasma is not too dangerous. Although it is capable of causing significant damage, the dangerous thing is not what it can do, but how easy it is to get hurt. For someone to exploit it, we should download the .desktop or .directory file, something that, due to how rare they are, is unlikely. In fact, they say that for us to do so they have to deceive us using social engineering.
Apparently, Penner wanted to get something "interesting" to the Defcon, a security conference, and did not communicate it to KDE Community to arrive with a 0day vulnerability to show off. KDE Community shaved the gesture with education, just saying they would have been grateful that they communicated to them before so they could work together on the solution.
KDE Community has already solved the problem
But they have not needed them. Just over a day after the Plasma security breach was published, they had already created and uploaded the patch to their repositories. At the time of writing these lines, KDE neon users can now install the patch from Discover, while other Plasma users will be able to do so soon. A two-chapter miniseries that will end in the next few hours.
Firefox is updated a second time in a week to fix security flaws