Python experts? ComfyUI and vulns? Outbound traffic?
Discussion
I've been using ComfyUI a bit. I wasn't really happy with the way it worked using python and git to grab whatever it liked, but just tried to limit internet access from Python except when I needed to update etc.
However I've been reading more and also reading how python is a bugger to isolate and the standard practice is just to trust it (lol) or not run it on a machine with important data sitting around.
It looks like this was just abuse in the first big case. Perhaps avoidable with some due diligence.
https://www.reddit.com/r/comfyui/comments/1dbls5n/...
And more recently it seems this one got in there because of a github vulnerability. Less easily avoidable even with due diligence.
https://blog.comfy.org/p/comfyui-statement-on-the-...
In any case, I've been reading all afternoon and I still can't figure out how the connections are made for these vulnerable python or java files to do bad things, and if my simple mitigation is still valid alongside just picking the 'trusted' packages.
Ie, is python.exe being asked to open a port 80 connection and assumes python.exe has unfettered access to the internet, and so can send it's ill-gotten browser data or crypto mining data somewhere?
Or are other features of Windows being leveraged to open connections, such as via svchost, or the system itself? Ie, they're going to be impossible to detect and block trivially? None of the reports actually say anything about the method so you can try mitigate the access.
Is a big surface of pythons vulnerability just because people let it access the internet on port80? Or even let it access the internet to any IP it likes?
I appreciate having the malware in the first place isn't ideal, and a container (trying to set up WSL2 linux to run it) is likely better, but knowing that outbound traffic that isn't legit is stopped seems the best first step?
However I've been reading more and also reading how python is a bugger to isolate and the standard practice is just to trust it (lol) or not run it on a machine with important data sitting around.
It looks like this was just abuse in the first big case. Perhaps avoidable with some due diligence.
https://www.reddit.com/r/comfyui/comments/1dbls5n/...
And more recently it seems this one got in there because of a github vulnerability. Less easily avoidable even with due diligence.
https://blog.comfy.org/p/comfyui-statement-on-the-...
In any case, I've been reading all afternoon and I still can't figure out how the connections are made for these vulnerable python or java files to do bad things, and if my simple mitigation is still valid alongside just picking the 'trusted' packages.
Ie, is python.exe being asked to open a port 80 connection and assumes python.exe has unfettered access to the internet, and so can send it's ill-gotten browser data or crypto mining data somewhere?
Or are other features of Windows being leveraged to open connections, such as via svchost, or the system itself? Ie, they're going to be impossible to detect and block trivially? None of the reports actually say anything about the method so you can try mitigate the access.
Is a big surface of pythons vulnerability just because people let it access the internet on port80? Or even let it access the internet to any IP it likes?
I appreciate having the malware in the first place isn't ideal, and a container (trying to set up WSL2 linux to run it) is likely better, but knowing that outbound traffic that isn't legit is stopped seems the best first step?
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff