Artifex has committed a dozen fixes for these issues. However, a new release of Ghostscript isn't scheduled to be released until late September.https://www.kb.cert.org/vuls/id/332928
-
-
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
The issues here are: 1) Google Chrome will download files without any prompting by default. Personally, I think this is both silly and dangerous. 2) Various desktop environments will auto-thumbnail files present. Combine the two: Visit site w/ Chrome -> RCE via desktop env.
-
So while Chrome is the initial attack vector to plant the PS file, Nautilus is the application that renders it using Ghostscript and runs the attacker's code. Teamwork!pic.twitter.com/fB3eiCVNQI
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.