This week, last Tuesday, a developer and security researcher did something that is often criticized: find a vulnerability and publish it before informing the developer of the software. The developer was Penner and the software in which he found the security flaw was the Plasma graphical environment from KDE Community. If you wonder why we are talking in the past tense, we do it because everything has happened very quickly and the KDE Community has already delivered the patches that correct the bug.
But let's go in parts: the problem is or was in how KDesktopFile manages the .desktop and .directory files. Penner discovered that .desktop and .directory files could be created with malicious code that could be used to run that code on a victim's computer. The code is executed without user interaction, beyond opening the KDE file manager to access the directory where we have stored the file. But that KDE has already uploaded the patches is not the only good news.
Table of Contents
Plasma security flaw is not too dangerous
All Security researchers say the recently discovered Plasma flaw is not too dangerous. Although it is capable of causing significant damage, what is dangerous is not what it can do, but how easy it is to get hurt. In order for someone to exploit it, we should download the .desktop or .directory file, something which, due to how rare they are, is unlikely. In fact, they say that for us to do so they have to trick us using social engineering.
From the looks of it, Penner wanted to come up with something "interesting" at the Defcon, a security conference, and did not tell the KDE Community to come up with a 0day vulnerability to brag with. KDE Community politely spoiled the gesture, saying only that they would have been grateful if they had communicated it to them first so that they could work together on the solution.
KDE Community has already fixed the problem
But they haven't needed it. Little more than a day after the Plasma security flaw was published, they had already created and uploaded the patch to their repositories. As of this writing, KDE neon users can now install the patch from Discover, while other Plasma users will be able to do so soon. A two-chapter miniseries that will end in the next few hours.