They have found a vulnerability in Plasma, but KDE is already working on it. For now, this you should avoid

Plasma vulnerability

When we talk about Plasma, at least one server, we do it to tell about all the benefits that the beautiful, fluid and full of KDE desktop options offers us, but today we have to give less good news. As collected in ZDNet, a security researcher has found a vulnerability in Plasma and has published a proof of concept exploiting the existing security flaw in the KDE Framework. Right now there is no solution available, other than a temporary one in the form of a forecast that KDE Community has posted on Twitter.

The first is the first. Before continuing with the article we have to say that KDE is already working to fix the recently discovered security flaw. Even more important than knowing that they are working to solve the failure is the temporary solution they offer us: what We DO NOT have to do is download files with the extension .desktop or .directory from unreliable sources. In short, we do not have to do something that we are never supposed to do, but this time with more reason.

How the discovered Plasma vulnerability works

The problem is in how KDesktopFile handles the mentioned .desktop and .directory files. It was discovered that .desktop and .directory files could be created with malicious code that could be used to run such code on the computer of the victim. When a Plasma user opens the KDE file manager to access the directory where these files are stored, the malicious code runs without user interaction.

On the technical side, vulnerability can be used to store shell commands within the standard "Icon" entries found in the .desktop and .directory files. Whoever discovered the bug says that KDE «will execute our command whenever the file is seen«.

Low severity listed bug - social engineering must be used

The security experts they do not classify the failure as very serious, mainly because we have to get us to download the file on our computer. They cannot classify it as serious because .desktop and .directory files are very rare, that is, it is not normal for us to download them over the internet. With this in mind, they are supposed to trick us into downloading a file with the malicious code necessary to exploit this vulnerability.

To assess all the possibilities, the malicious user could compress the files in ZIP or TAR And when we unzipped it and viewed the content, the malicious code would run without our noticing. Furthermore, the exploit could be used to download the file onto our system without us interacting with it.

Who discovered the phallus, Penner, did not tell the KDE Community why "Mainly I just wanted to leave a 0day before Defcon. I plan to report it, but the issue is more of a design flaw than an actual vulnerability, despite what it can do«. On the other hand, the KDE Community, unsurprisingly, has not been very happy that a bug is published before they communicate it to them, but they have limited themselves to saying that «We would appreciate if you could contact before launching an exploit to the public so that we could decide together on a timeline.«.

Vulnerable Plasma 5 and KDE 4

Those of you new to the KDE world know that the graphical environment is called Plasma, but it wasn't always like that. The first three versions were called KDE, while the fourth was called KDE Software Compilation 4. Separate name, vulnerable versions are KDE 4 and Plasma 5. The fifth version was released in 2014, so it is difficult for anyone to be using KDE 4.

In any case and waiting for KDE Community to release the patch they are already working on, for the moment don't trust anyone who sends you a .desktop or .directory file. This is something we must always do, but now with more reason. I trust the KDE Community and that in a few days everything will be solved.

Related article:
Update: Canonical has released a new version of the kernel to correct four vulnerabilities of medium urgency

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.