How the Snap flaw is exploited by promoting unverified packages

The Snap Trap

A flaw in Ubuntu can lead a user to install malicious packages

Aqua Security researchers recently disclosed, in a blog post, a possible attack aimed at Ubuntu users that abuses one of the best-known features of the system together with users' ignorance or carelessness.

For Linux users in general, one of the most common messages we get in the terminal is the well-known "command-not-found". This message tells us that what we are asking for is not on the system (in most cases) or that we typed something wrong.

Nobody will let me lie: it has happened to all of us, either because we were sure that the package or application we were about to use in the terminal was on our system, or simply because we mistyped a letter, and at that point we get "command-not-found". As you all know, when this message appears it usually makes suggestions for installing the package in question that was not found. A working example of the message would be something like this:

Command 'Firefox' not found, but can be installed with:

sudo apt install "paquete 1 recomendado"

sudo snap install "paquete malicioso"

Thus, this handler offers a hint when you try to start a program that is not on the system.

Returning to the subject of the article, Aqua Security researchers found that the problem lies in the way commands that are not on the system are evaluated for execution, since the handler recommends not only installing packages from the standard repositories but also draws on packages from the snapcraft.io directory when making recommendations.

In addition, our research shows that as many as 26% of the commands associated with Advanced Package Tool (APT) packages are vulnerable to being hijacked by malicious actors. This issue could pave the way for supply chain attacks affecting Linux users and Windows users running WSL. This blog examines the operational details of command-not-found, the risks associated with installing compromised snap packages, and the various attack vectors that could be exploited.

When a recommendation is made based on the contents of the snapcraft.io directory, the handler does not check the status of the package and includes packages added to the directory by unverified users. Therefore, an attacker can place a package with hidden malicious content on snapcraft.io under a name that overlaps with existing DEB packages, with programs that were not originally in the repository, or with fictitious applications whose names reflect the typos and common mistakes users make when typing the names of popular utilities.

For example, an attacker can publish packages such as "Firefox-123" in the expectation that the user will make mistakes when typing utility names, and in that case "command-not-found" will recommend installing the malicious packages placed by the attacker on snapcraft.io.

The user may be unaware of the problem and assume that the system recommends only vetted packages. Alternatively, an attacker can publish a package on snapcraft.io whose name overlaps with existing DEB packages or has something attractive in the name. In this case, "command-not-found" will offer two recommendations, one to install the DEB and one to install the snap, and the user may choose the snap, regarding it as safer or being tempted by a newer version.

Snap applications that snapcraft.io admits through automatic review can only run in an isolated environment. However, an attacker can still make use of this sandbox, for example, to mine cryptocurrency, carry out DDoS attacks, or send spam.

Furthermore, an attacker can use isolation-bypass techniques in malicious packages. This includes exploiting unpatched vulnerabilities in the kernel and in the isolation mechanisms, using interfaces to access external resources (such as hidden audio and video recording), or capturing keyboard input when the X11 protocol is used (to create keyloggers that work inside the sandbox environment).

To protect against such threats, Aqua Security researchers recommend several preventive measures:

  • Users should verify the origin of a package before installing it, checking the credibility of the maintainers and the recommended platform (whether snap or APT).
  • Snap developers with an alias should promptly register the corresponding name if it matches their application, to prevent misuse.
  • APT package developers are encouraged to register the snap name associated with their commands, protecting it preemptively against attackers.
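
An added example (not from the original post or from Aqua Security) of the first check above: it parses a command-not-found hint and treats a snap suggestion as trusted only if the publisher line of its `snap info` output carries the verified mark. The hint text, package names and `snap info` excerpts are constructed, and the `✓` marker on the `publisher:` line is an assumption about snap's Unicode output.

```python
import re

# Constructed sample of a command-not-found hint (package names are placeholders).
SAMPLE_HINT = """\
Command 'exampletool' not found, but can be installed with:
sudo snap install exampletool-123
sudo apt  install exampletool
"""

# Constructed excerpts of `snap info <name>` output, keyed by snap name.
SAMPLE_SNAP_INFO = {
    "exampletool-123": "name:      exampletool-123\npublisher: Some Person\n",
    "exampletool": "name:      exampletool\npublisher: Example Vendor✓\n",
}

SUGGESTION = re.compile(r"^sudo\s+(apt|snap)\s+install\s+(\S+)", re.M)
PUBLISHER = re.compile(r"^publisher:\s*(.+?)\s*$", re.M)


def parse_suggestions(hint):
    """Return (installer, package) pairs in the order the hint lists them."""
    return SUGGESTION.findall(hint)


def publisher_verified(snap_info_text):
    """True only if a publisher line exists and ends with the verified mark.

    Assumption: a verified publisher is shown as 'Name✓'.
    """
    match = PUBLISHER.search(snap_info_text)
    return bool(match) and match.group(1).endswith("✓")


def triage(hint, snap_info_by_name):
    """Label suggestions: apt -> 'archive', snap -> 'verified' or 'unverified'."""
    results = []
    for installer, package in parse_suggestions(hint):
        if installer == "apt":
            results.append((installer, package, "archive"))
            continue
        # Missing snap info counts as unverified: fail closed.
        info = snap_info_by_name.get(package, "")
        status = "verified" if publisher_verified(info) else "unverified"
        results.append((installer, package, status))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_HINT, SAMPLE_SNAP_INFO):
        print(*row)
```

On a real system the `snap info` text would come from running `snap info <name>` for each suggested snap before installing anything.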

Finally, if you would like to know more about it, you can consult the details at the following link.

