Blend files can execute malware

In case anyone needs another reminder not to click untrusted links on the internet : This week Superhive (formerly Blender Market) vendors were the target of some malicious attacks. Many (myself included) received a legitimate-sounding support ticket asking for help with their product, probably AI-generated to target them specifically. Attached to the ticket was a seemingly innocent blend file. A chair model. When opening the file, Blender asks if you want to execute “rig_ui.py”. Sure, w...

Blender Artists Community
@metin Yea always be on your guard. I got one too, but by the time I saw the notification they had flagged and deleted the message.
It may be tempting to turn on execution by default but this is the reason that isn't a good idea.
#Python #security
@metin Interesting that this is the exact same attack model as Microsoft Word Macros. People tend to be aware of those, and admins and users can block them outright for foreign files, even disabling the warning. People need to be aware of the same thing with Blender.

@metin isn't there any sandboxing in Blender at all, e.g. using bwrap, when executing those scripts?

This could prevent such scripts having network or local filesystem access or at least restrict access to a project directory.

@eliasp Some sort of sandbox isolation would be nice indeed, I don't know if that's present in some way in Blender.

@eliasp @metin the issue is that a lot of addons/scripts (ex. asset addons, automating textures setup, material libraries, etc) use the filesystem in legitimate ways that would become more complicated with heavy filesystem restrictions. In addition, during a discussion upstream about having an official Flatpak, it was mentioned that sandboxing would introduce more issues for pipelines, since automation of files is often a large part, and portals would become too impractical in a lot of cases.

That said, I don't think a sort of "permission" system for Python scripts and addons is out of the question (we already have that for the new extensions system), but it would have to be made in such a way that wouldn't make pipeline development around Blender harder.
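Until something like the permission system discussed above exists, the practical defence is to keep auto-execution off and inspect a file before trusting it. The script below is an added example, not code from the thread or from Blender; it is meant to be run inside Blender with auto-execution disabled (`blender -b --disable-autoexec suspicious.blend --python audit_blend.py`), so nothing in the file runs while it is inspected. It lists text datablocks carrying the "Register" flag (Blender's `Text.use_module`, which is what makes a script like the thread's "rig_ui.py" eligible to run on load) and scripted driver expressions, the two places a .blend can carry Python that the auto-exec setting gates. The token list and the sample datablocks are constructed for this example; the reporting functions are plain Python so they can be tried outside Blender too.

```python
"""Audit a .blend file for auto-run Python before trusting it (added example).

Run inside Blender with auto-execution disabled so nothing executes on load:

    blender -b --disable-autoexec suspicious.blend --python audit_blend.py

Only the collection step needs bpy; the reporting functions accept any
objects with the same attributes, so they also run in a plain interpreter.
"""
import sys
from types import SimpleNamespace

try:
    import bpy  # only available when running inside Blender
except ImportError:
    bpy = None

# Constructed watch list: imports and calls that a rig UI script has no
# business using. Tune this to your own pipeline.
SUSPICIOUS_TOKENS = ("subprocess", "urllib", "requests", "socket",
                     "os.system", "base64", "startup", "powershell")


def find_autorun_texts(texts):
    """Report text datablocks flagged to run as a module on file load.

    `texts` is bpy.data.texts or any iterable of objects exposing `name`,
    `use_module` (Blender's 'Register' checkbox) and `as_string()`.
    """
    findings = []
    for text in texts:
        if not text.use_module:
            continue  # plain text blocks are inert; only registered ones auto-run
        body = text.as_string()
        hits = sorted(tok for tok in SUSPICIOUS_TOKENS if tok in body)
        findings.append({"name": text.name,
                         "lines": body.count("\n") + 1,
                         "suspicious": hits})
    return findings


def find_scripted_drivers(objects):
    """Return (object name, data path, expression) for Python-expression drivers.

    `objects` is bpy.data.objects or a stand-in with `.name` and
    `.animation_data.drivers`, each driver having `.type` and `.expression`.
    """
    found = []
    for obj in objects:
        anim = getattr(obj, "animation_data", None)
        if anim is None:
            continue
        for fcurve in anim.drivers:
            if fcurve.driver.type == "SCRIPTED":
                found.append((obj.name, fcurve.data_path, fcurve.driver.expression))
    return found


def summarize(text_findings, driver_findings):
    """Turn both finding lists into human-readable report lines."""
    lines = []
    for f in text_findings:
        flag = (" SUSPICIOUS: " + ", ".join(f["suspicious"])) if f["suspicious"] else ""
        lines.append(f"autorun text {f['name']!r} ({f['lines']} lines){flag}")
    for name, path, expr in driver_findings:
        lines.append(f"scripted driver on {name!r} at {path}: {expr!r}")
    return lines


# Constructed stand-ins mimicking bpy datablocks, so the logic can be tried
# without Blender. The registered "rig_ui.py" imports subprocess; the
# unregistered notes block would never run and is ignored.
SAMPLE_TEXTS = [
    SimpleNamespace(name="rig_ui.py", use_module=True,
                    as_string=lambda: "import bpy\nimport subprocess\n"),
    SimpleNamespace(name="notes", use_module=False,
                    as_string=lambda: "os.system is mentioned here only"),
]
SAMPLE_OBJECTS = [
    SimpleNamespace(name="Chair", animation_data=SimpleNamespace(drivers=[
        SimpleNamespace(data_path="location",
                        driver=SimpleNamespace(type="SCRIPTED", expression="frame*2"))])),
    SimpleNamespace(name="Camera", animation_data=None),
]


def demo():
    """Run the audit over the constructed samples and return the report lines."""
    return summarize(find_autorun_texts(SAMPLE_TEXTS),
                     find_scripted_drivers(SAMPLE_OBJECTS))


if __name__ == "__main__":
    if bpy is None:
        print("\n".join(demo()))
    else:
        # bpy.app.autoexec_fail is set when Blender refused to run something on load.
        if bpy.app.autoexec_fail:
            print("blocked on load:", bpy.app.autoexec_fail_message)
        report = summarize(find_autorun_texts(bpy.data.texts),
                           find_scripted_drivers(bpy.data.objects))
        print("\n".join(report) or "no auto-run Python found")
        sys.exit(1 if report else 0)
```

A non-zero exit when anything auto-runnable is found makes the script usable as a gate in a pipeline that ingests third-party .blend files. The watch list only surfaces the obvious cases; a text block that is registered at all deserves a read before the file is opened with scripts enabled.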

Flatpak package for Linux releases

Blender on Linux is already available as a Snap package. Flatpak seems to be the more popular format, at least on non-Ubuntu based distributions, so it would make sense to officially support it as well. There is no concrete timeline for this, but it has come up a few times among developers, so good to ha...

Blender Projects
@metin practical question: I got the same file and opened it. Is there something I have to do now? Or is the script executed only if the blend file is open?

@CWernerArt Good question. I wouldn’t know, sorry. I think it’s best if you ask this in the thread over at Blender Artists. Good luck!

@metin I've found all related files for this issue. They were placed in several locations. One is the Windows autostart folder. There is a link that starts an exe file that was downloaded. It will be executed at every system restart. After deleting all files and restarting the system, everything seems to be OK. I hope the tool did not download any other software I haven't noticed.

@CWernerArt 👍 Yes, let's hope your system is clean now. I saw your message over at the Blender Artists thread. 👍 If anyone has something to add, you'll probably read it there.

Have a nice rest of the weekend!

@metin Unfortunately, I had no time to investigate the folder with the exe file today before deleting it. Actually, I would like to know what the files do. But on the other hand, I don't want to execute the phishing script anew just to see what it does... 😵‍💫

@CWernerArt 🫤 I understand your considerations. Maybe a thorough system-wide malware check might ease your concerns? If you regularly update Windows Defender, that's quite competent.

@metin I'll definitely do it. 👍

@metin After Windows Defender deep scanned my drives the whole night, the result was positive. No ransomware, viruses or trojans... Hope this was it now.