Earlier this week security researchers from Cisco disclosed a number of vulnerabilities in Blender that can theoretically lead to security risks when opening .blend files. There was a bit of an uproar as they presented in such a way that it suggested the Blender Foundation is not interested and will not act, but it turns out this is not the entire story.
Let’s start at the beginning. Talos, Cisco’s ‘Intelligence Group’, wrote:
Today, Talos is disclosing multiple vulnerabilities that have been identified in Blender. These vulnerabilities could allow an attacker to execute arbitrary code on an affected host running Blender. A user who opens a specially crafted file in Blender that is designed to trigger one of these vulnerabilities could be exploited and compromised.
Talos has responsibly disclosed these vulnerabilities to Blender in an attempt to ensure they are addressed. However, Blender has declined to address them stating that "fixing these issues one by one is also a waste of time." As a result, there currently is no software update that addresses these vulnerabilities. Additionally, Blender developers believe that "opening a file with Blender should be considered like opening a file with the Python interpreter, you have [to trust]the source it is coming from."
The article then continues with a quote from Brecht (one of many on the Blender Developers threat about this issue) - presenting it in such a way that the Blender Foundation would not be interested in solving security issues.
There are of course hundreds of developers in the Blender community and they don’t represent the foundation - only Ton does. Even though he has been in touch with Cisco about these issues for weeks, they neglected to quote him and went for a random inflammatory statement instead.
Ton wrote about this:
The quoted developer is giving his own opinion here. If you look at all discussions, we took their reports very seriously and spent a lot of time on it already. I don't think it's fair to publish it with such a negative accusation. I've asked Cisco to correct the text.
Meanwhile: the issue has been recognised and we hope we can tackle it with Cisco's help.
Brecht in turn responded with:
Right, I am not speaking for the Blender Foundation. Nor am I saying vulnerabilities should not be taken seriously, but rather that if anyone is serious about making loading arbitrary .blend files in Blender secure, fixing these issues reported by TALOS will not get us much closer to that. Users should understand that loading untrusted scene files in Blender and similar CG software is not secure, and not get the false impression that software developers addressing the occasional reported issue means it is secure.
For background on security and arbitrary code execution in CG software in general, see this article.
What is the actual issue here?
After talking to Ton, what I understand is this: It is theoretically possible to craft a malicious .blend file that causes ‘overflows’ that can lead to the injection of code that would then be executed. In other words, just opening a .blend file could lead to data theft or corruption on your local system. This is NOT the same as Python scripts that can also access local data - when opening a .blend file that contains any script you have to manually activate them.
This risk is similar to downloading software from an untrusted source and executing it, even though you might not recognise it as such - after all, a .blend is not an ‘executable’.
I'd like to stress that while this is theoretically possible, no 'proof of concept' implementation of such exploits is available to date.
How should you protect yourself?
As always, when downloading anything from the web you should apply a good amount of common sense: did an unknown source email this to you, or post this online? What’s the reputation of the creator?
Answer these questions first before opening anything - Blender content is no different.
What will the Blender Foundation do?
The current consensus seems to be that, yes, there are security issues in Blender and they should be addressed. However, it is not clear how big a threat these are, and how they should be prioritised. After all, the Blender community is small fry compared to larger audiences like Windows users etc, and it’s not likely that hackers will be going after them on a large scale.
The fact that these issues have been identified also does not mean that these are actually the biggest risks - other, harder to identify issues might be more important to address first. Solving this initial list of 20 issues could lead to a false sense of security, more careful research is needed.
The big dilemma is of course how many resources to spend on this. The 2.8 project is behind as it is, and working on these issues would introduce an unknown additional delay.