Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year.
The feature’s name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME’s thumbnail parsers in July 2017, with the release of GNOME 3.26.
Thumbnail parsers are scripts that read files inside a directory and create thumbnail images to be used with GNOME, KDE, or other Linux desktop environments.
This operation takes place every time a user navigates to folders, and the OS needs to display thumbnails for the files contained within.
In recent years, security researchers have shown that thumbnail parsers can be an attack vector: an attacker tricks a user into downloading a booby-trapped file to their desktop, and the thumbnail parser then opens and parses that file automatically.
It’s for this reason that the GNOME team added Bubblewrap sandboxes for all GNOME thumbnail parser scripts last year.
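A defender wanting to know what their own desktop would run on an untrusted file can inventory the installed thumbnailer definitions and check whether the Bubblewrap binary is present. The script below is an added example, not code from the article or from the GNOME project. It assumes the standard GNOME thumbnailer layout (`/usr/share/thumbnailers/*.thumbnailer` files in the `[Thumbnailer Entry]` key/value format with `Exec=` and `MimeType=` keys) and the `bwrap` binary name; the sample thumbnailer file embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): list which external programs a GNOME
# desktop would invoke to thumbnail which MIME types, and check whether the
# Bubblewrap binary (bwrap) that gnome-desktop uses for sandboxing is present.

# Summarise one .thumbnailer file read from stdin.
# Output: "<exec-program> <mime-types>" (program name only, %i/%o/%s stripped).
thumbnailer_summary() {
    awk -F= '
        /^Exec=/     { split($2, parts, " "); prog = parts[1] }
        /^MimeType=/ { mime = $2 }
        END { if (prog != "") print prog " " mime }
    '
}

# Return 0 if bwrap is on PATH, 1 otherwise. Presence of bwrap is necessary
# but not sufficient: the distribution may also have built gnome-desktop
# without sandbox support, which is what the article describes for Ubuntu.
bwrap_available() {
    command -v bwrap >/dev/null 2>&1
}

# Constructed sample of a .thumbnailer file, modelled on the real format.
SAMPLE_THUMBNAILER='[Thumbnailer Entry]
TryExec=example-thumbnailer
Exec=example-thumbnailer --size %s %i %o
MimeType=image/x-example;application/x-example;'

# Report on every installed thumbnailer definition, then on bwrap.
report() {
    for f in /usr/share/thumbnailers/*.thumbnailer; do
        [ -f "$f" ] || continue
        printf '%s: ' "$f"
        thumbnailer_summary < "$f"
    done
    if bwrap_available; then
        echo "bwrap found: thumbnailers can be sandboxed"
    else
        echo "bwrap missing: thumbnailers will run unconfined"
    fi
}

# Parse the constructed sample (works offline); call report to inspect a real host.
printf '%s\n' "$SAMPLE_THUMBNAILER" | thumbnailer_summary
```

Run `report` on a real machine to see the full list; every program it prints is code that will be handed attacker-controlled input the moment a file lands in a browsed folder, which is exactly the surface the Bubblewrap sandbox was meant to contain.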
But according to German security researcher and journalist Hanno Boeck, the Ubuntu operating system is disabling Bubblewrap support inside GNOME for all recent OS versions.
Furthermore, Google security researcher Tavis Ormandy discovered that the GNOME Bubblewrap sandboxes were also missing in the default version of CentOS 7.x.
But there’s a valid explanation for what Ubuntu is doing, according to Alex Murray, Ubuntu Security Tech Lead at Canonical.
Murray says the Ubuntu team opted to disable GNOME’s Bubblewrap because they did not have the time and resources to audit the feature.
Submitted by: Arnfried Walbrecht