Remix.run Logo
jjcm 3 hours ago

I'm not sure I fully agree with this being a major vuln. There's a lot of up front scary text which was raising a lot of red flags until it actually discussed the "what".

An actor has to place a malicious .exe in the user's code folder, named git.exe, for this to take place.

I see this akin to something like saying "replacing their .bashrc with an alias that says `ls` instead executes `/tmp/mega-big-virus.sh` is a vuln".

Yes it's a vector, but if they've placed something in your filesystem like that already, you've already been compromised.

shitter 3 hours ago | parent | next [-]

The user's code folder? You mean the code I frequently pull from untrusted sources, unlike my .bashrc? Opening a GitHub project for review should not mean arbitrary code execution.

Of course, that ship has long sailed, for all major IDEs. Heck, VSCode SSH and devcontainer remotes allow RCE by design.

paxys 24 minutes ago | parent | next [-]

The entire point of Cursor is to run autonomous coding agents. You are giving it a random untrusted repo, saying "hey it might have a virus, go crazy" and then getting mad that it caused harm?

Check (and double check and triple check) your sources. If a malicious executable made it to your computer it is already too late.

taneq 2 hours ago | parent | prev [-]

I’ve never got my head around how it’s apparently the done thing these days to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software. I somewhat naively hope that this is because everyone is pushing single purpose VMs for that kind of install, but really I know better.

petalmind an hour ago | parent | next [-]

> to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software.

how is that different from the good old days of

    wget ftp://ftp.something.org/software-2.10.tar.gz
    tar zxfv 
    ./configure
    make
    sudo make install

?
Terr_ 28 minutes ago | parent [-]

Training people (esp. what passes for non-techies on Linux) to regularly copy-paste into the terminal is massively riskier than "click this URL". Just for starters, consider how easily you can make a web-page where you highlight X to copy it, but instead Y is delivered to your clipboard. Then on execute it could even redraw the terminal to pretend you pasted X all along.

Also, there's a convention or social-contract that everyone who downloads 2.10 ought to get precisely the same thing. This provides a foundation for other facets of security, like "it must have an expected hash" or "it must validate as signed by this public key". Also investigative actions like discovering when something suspicious got added, or detecting that the installer is trying to access the internet when it really shouldn't be.

paxys 30 minutes ago | parent | prev [-]

How is it different from downloading and running the application itself from that website?

arcticfox 3 hours ago | parent | prev | next [-]

I am not at all a security expert, but isn't this akin to giving a repo-owner RCE if you just clone their repository and open it? I feel like that's not an implied contract for opening a folder in your IDE.

zeroq 3 hours ago | parent | prev | next [-]

This is very similar to 30yo exploit in which you placed an alternative, infected dll inside a folder with mp3s (winamp), or photos (windows picture viewer).

datakan 2 hours ago | parent [-]

It’s Windows autorun all over again. What was old is new again.

inigyou an hour ago | parent | prev | next [-]

Cloning a repo owns your computer. Is that something you expected?

2 hours ago | parent | prev | next [-]
[deleted]
_AzMoo 2 hours ago | parent | prev | next [-]

This attack is exactly why IDE's have a concept of trusted and untrusted locations.

paxys 41 minutes ago | parent [-]

That is a very recent addition. The exact behavior they are describing was in VS Code for almost a decade.

beart 3 hours ago | parent | prev | next [-]

This doesn't require anyone placing anything deliberately on your machine (as in, needing to exploit it somehow ahead of time). It could be as simple as checking out a branch to review, where the author of the branch has added the .exe.

Xirdus 2 hours ago | parent [-]

I'd say checking out a malicious branch is in the same category as downloading a malicious attachment. By which I mean, it's kinda on you.

krater23 an hour ago | parent [-]

Downloading this attachement doesn't executes it. Checking out a branch in this case executes the file in the branch. Thats a big difference.

an hour ago | parent [-]
[deleted]
libeclipse an hour ago | parent | prev [-]

Bro thinks cloning a repo means you're already compromised