Joanna Rootkovska ☠️ is a user on mastodon.social.

About the Subgraph attack:
1. The main problem that @micahflee exploited is the unfortunate decision made by Subgraph OS to keep Gnome/Nautilus in the TCB *and* letting this complex software process *untrusted* files,
2. The specific Nautilus bug (handling of .desktop files) is just *one* example of what could go wrong in this case,
3. We can think of other potential problems (e.g. Thumbnails processing)
4. More details: micahflee.com/2017/04/breaking
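The .desktop handling in point 2, as an added example that is not code from the thread, from Subgraph or from Nautilus: a Python scanner for the freedesktop launcher format. A launcher is INI-style text with a `[Desktop Entry]` group; a file manager that treats it like any other file shows its `Name=` and `Icon=` fields in place of the real filename and runs `Exec=` when the user opens it. The scanner flags launchers whose displayed name or icon imitates a document, whose `Exec=` hands control to a shell, or which arrived with the executable bit set. The two sample launchers, the extension/icon/interpreter lists and the function names are assumptions made for this example; what Nautilus did with such files on Subgraph is described only in the linked write-up.

```python
#!/usr/bin/env python3
"""Flag .desktop launchers that masquerade as documents.

Added example, not code from the thread or from Subgraph/Nautilus.  The
sample launchers in demo() are constructed for this example.
"""
import configparser
import os
import shlex
import stat
import tempfile

# Extensions and icon names a launcher might borrow to look like a document
# (assumed lists for the example; extend to taste).
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".odt", ".txt", ".jpg", ".png")
DOCUMENT_ICONS = {"application-pdf", "x-office-document", "text-x-generic",
                  "image-x-generic"}
SHELL_INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or None if it is absent."""
    cp = configparser.RawConfigParser(interpolation=None, strict=False,
                                      comment_prefixes=("#",))
    cp.optionxform = str  # keys such as Name and Exec are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error:  # not INI-like at all, e.g. a real PDF
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def launcher_findings(text, executable):
    """Describe why a launcher looks deceptive; an empty list means benign."""
    entry = parse_desktop_entry(text)
    if entry is None or entry.get("Type") != "Application":
        return []
    findings = []
    name = entry.get("Name", "")
    if name.lower().endswith(DOCUMENT_EXTS):
        findings.append(f"Name={name!r} imitates a document filename")
    icon = entry.get("Icon", "")
    if icon in DOCUMENT_ICONS or icon.lower().endswith(DOCUMENT_EXTS):
        findings.append(f"Icon={icon!r} imitates a document icon")
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes; treat the whole line as argv[0]
        argv = [exec_line]
    if argv and os.path.basename(argv[0]) in SHELL_INTERPRETERS:
        findings.append(f"Exec={exec_line!r} hands control to {argv[0]}")
    if executable:
        # A downloaded "document" has no reason to carry +x; some file
        # managers only treat a launcher as trusted when it is executable.
        findings.append("file is marked executable")
    return findings


def scan_directory(directory):
    """Map each *.desktop file under `directory` to its findings."""
    report = {}
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".desktop"):
            continue
        path = os.path.join(directory, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
        findings = launcher_findings(text, executable)
        if findings:
            report[fname] = findings
    return report


# Constructed sample launchers (not files from the real attack).
DECEPTIVE = """[Desktop Entry]
Type=Application
Name=quarterly-report.pdf
Icon=application-pdf
Exec=sh -c "xcalc & xdg-open /dev/null"
Terminal=false
"""

BENIGN = """[Desktop Entry]
Type=Application
Name=Text Editor
Icon=accessories-text-editor
Exec=gedit %U
"""


def demo():
    """Write the samples to a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body, mode in (("quarterly-report.desktop", DECEPTIVE, 0o755),
                                   ("editor.desktop", BENIGN, 0o644)):
            path = os.path.join(tmp, fname)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return scan_directory(tmp)


if __name__ == "__main__":
    for fname, reasons in demo().items():
        print(fname)
        for reason in reasons:
            print("  -", reason)
```

Run it against a download directory by calling `scan_directory(path)`; the point of parsing the entry rather than grepping for `Exec=` is that `Type`, `Name` and `Icon` together are what make the file look like a document to a file manager that renders launchers, which is exactly the property a TCB component handling untrusted files should not rely on.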

Joanna Rootkovska ☠️ @rootkovska

Also, the Subgraph reaction has been baffling. They:
1. Ignored Micah's report for 2 weeks (which he gave them to patch) & did nothing to resolve the problem,
2. Downplayed/denied the bug once it got published: twitter.com/bleidl/status/8518
twitter.com/subgraph/status/85
3. Falsely implied that the bug affected QubesOS: twitter.com/bleidl/status/8518
4. Finally patched: twitter.com/subgraph/status/85


@rootkovska Yeah... I really don't understand how getting calc to run **still contained in the same AppVM** is at all the same as bypassing intended sandbox restrictions.

@rootkovska The real jarring thing isn't that a supposedly secure software system has a vulnerability.
It happens to even the best of us (although their design decision is mind-boggling; it should have been obvious).

No, the real issue is how they handled it: denial and dismissal.
The way a group deals with vulnerability reports tells you all you need to know about their product's security and whether they really care about security or about the mere *appearance* of security.