As a product of my insomnia I came across a Digg article outlining a feature of Ubuntu called apturl. Apparently apturl allows you to install software via apt in Ubuntu by adding the “apt” protocol handler. So a link to “apt:gnome-main-menu” will install the Gnome main menu software. The interesting part here is that you can force a user's browser to visit the “apt” URI by using an iframe. Granted, a warning box pops up asking you if you’d like to install the packages, but I’d imagine you can bypass this behavior (it being 2:14 am, my passion to do research is not very high). So while this is a terribly convenient tool for installing software on Ubuntu, it also presents an interesting way of getting software installed on a target computer.
To quell the “but you can only get registered packages” comments, this is true. But if I know a vulnerability in package X, can do browser and OS detection on a webserver, force you to download and install X, then exploit the vulnerability, well … I win. And we all know there are plenty of packages with vulnerabilities in them.
I am not suggesting that this is an overly useful attack vector at this point. What I am saying is that mixing software installation (usually a trusted exercise) with the broken web security model may have interesting results in this case. Certainly further research is needed.
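
A defensive check for the behaviour described above, as an added example that is not part of the original post: it scans HTML (for instance in a proxy or content filter) for `apt:` URIs and separates the ones that load without a click, such as the iframe case, from ordinary links. The tag list, the `apt://` form, the query string and the comma-separated package list are assumptions of this example.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that can carry a URL. "auto" means the browser loads
# it without a click. This list is an assumption of the example, not exhaustive.
CANDIDATES = {("iframe", "src"): "auto", ("frame", "src"): "auto",
              ("embed", "src"): "auto", ("object", "data"): "auto",
              ("a", "href"): "click", ("area", "href"): "click"}

def apt_packages(url):
    """Return the package names in an apt: URI, or None for any other URL."""
    scheme, sep, rest = url.strip().partition(":")
    if not sep or scheme.lower() != "apt":
        return None
    rest = rest.lstrip("/").split("?", 1)[0]   # tolerate apt:// and a query
    return [p for p in rest.split(",") if p]   # comma list is an assumption

class AptUriFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                     # (tag, trigger, [packages])

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=apt:pkg"; take what follows the first "="
            target = attrs.get("content", "").partition("=")[2]
            self._check(tag, "auto", target.strip(" '\""))
        for attr, value in attrs.items():
            trigger = CANDIDATES.get((tag, attr))
            if trigger:
                self._check(tag, trigger, value)

    def _check(self, tag, trigger, url):
        pkgs = apt_packages(url)
        if pkgs:
            self.findings.append((tag, trigger, pkgs))

def scan(html):
    finder = AptUriFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body>
<a href="apt:gnome-main-menu">Install the menu</a>
<iframe src="apt:gnome-main-menu" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0;url=APT://pkg-a,pkg-b?x=1">
<a href="https://example.org/apt:not-a-handler">docs</a>
</body></html>"""
```

Findings tagged `auto` are the ones worth alerting on or stripping, since a plain `click` link is the handler's intended use.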