[Bug 85338] Security - single click trojan risk

[Badger47]

Public bug reported:

Binary package hint: nautilus

Nautilus can facilitates trojans in conjunction with wine.

Scenario.

User eg newbie to linux attracted by ease of use of ubuntu, decides to
use wine for some favoured Windows tm programs discovers need to use cli
for installing programs can be avoided using the nautilus "Open with
...wine" feature.

Some time later user receives the following from a very familiar contact
in gaim ....

(21:51:12) taggs: lol someone has put a pic of u online :P
http://kaikau.ka.funpic.org/index.php?pic2038.jpg

As it turns out the "jpg" file is a windows excutable trojan (easily
recrafted crafted for an ubuntu user) and when user clicks on the file
instead of seeing it in Eye of Gnome what in fact happens is a malware
intrusion.

Nautilus should be patched to disallow wine to feature in an "Open with
..." rule.

Reasoning:
Normally, in linux, to be "social-engineered" you have to save a file, convert it to executable and then run it.  As outlined, in the above actual incident, this key usability security is ineffective in an increasingly possible scenario.

In many ways it make this form of social engineering easier in linux
configured this way because the file does not even need an exe/bin or
similar suffix.

Nautilus (in conjunction with wine) as things stand becomes a key part
of negating the standard linux "executable bit" security measures.

Prominent warnings are not in place (in the ubuntu wine wiki) advising
avoidance of this practice either.
https://help.ubuntu.com/community/Wine.

** Affects: nautilus (Ubuntu)
     Importance: Undecided
         Status: Unconfirmed

-- 
Security - single click trojan risk
https://launchpad.net/bugs/85338