| ▲ | Illniyar 3 hours ago | ||||||||||||||||||||||||||||||||||
It's pretty weird for cursor to run arbitrary exe file without prompting, and alarming that the researchers did not get a proper response for months. But the example with calculator is a bit misleading I think, you'll have to have a malicious exe already in the system and downloaded, and if cursor tried to run my understanding is that ACL should immediately kick in and you'll be asked for permission to run a new, unsigned app for the first time. You'll have to have ACL disabled completely for this to be exploitable. | |||||||||||||||||||||||||||||||||||
| ▲ | shitter 3 hours ago | parent | next [-] | ||||||||||||||||||||||||||||||||||
And what'll the prompt say? "Do you want to run git.exe?"? I'll probably assume Cursor needs to run git but permissions got messed up somewhere and click right through that. I haven't used Windows in a while so pardon if I'm missing something. | |||||||||||||||||||||||||||||||||||
| ▲ | x3n0ph3n3 2 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||||||||
Same thing happens if I have a: 1) PS1 that displays the current git branch 2) Include the current directory in my PATH Should we file a high severity CVE with bash now? | |||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||