
Exploit Prods Software Firms to Update Their Updaters

A security researcher has released a set of tools that make it simple for attackers to exploit weaknesses in the auto-update feature of many popular software titles.

By targeting widely deployed programs such as Java, OpenOffice, Winamp and Winzip that don't digitally sign their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading and installing a package designed to compromise the security of their computer.

Software companies should include these signatures in all of their updates, so that a user's computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with an encryption key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key.
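The check described above, as an added example that is not code from the original post or from any vendor it names: the vendor signs a small manifest (version plus the SHA-256 of the package), and the updater refuses anything whose manifest does not verify under the vendor's public key or whose downloaded bytes do not match the signed hash. The key pair, manifest layout and package bytes are constructed for the demo, and Ed25519 is used here for brevity rather than whatever scheme a given vendor ships.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes next to an update package: the version
// and the SHA-256 of the package bytes. The vendor signs this, not a bare URL.
type Manifest struct {
	Version string
	SHA256  string
}

func (m Manifest) encode() []byte { return []byte(m.Version + "\n" + m.SHA256 + "\n") }

// SignManifest runs on the vendor's release machine with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the gate an updater must pass before installing anything: the
// manifest must verify under the vendor key shipped with the client, and the
// downloaded package must match the hash that was signed.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(vendorPub, m.encode(), sig) {
		return errors.New("manifest signature invalid: not from the vendor")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match signed manifest")
	}
	return nil
}

func main() {
	// Constructed sample: one vendor key pair and one fake update package.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed update package bytes")
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: "2.0.1", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, pkg))
	fmt.Println("swapped package:", VerifyUpdate(pub, m, sig, []byte("trojan"))) // hash error
	forged := Manifest{Version: "9.9", SHA256: m.SHA256} // rewritten manifest, no vendor key
	fmt.Println("forged manifest:", VerifyUpdate(pub, forged, sig, pkg)) // signature error
}
```

A client that only checks "is there a newer version at this URL" has nothing to verify, which is exactly the gap evilgrade exploits.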

For whatever reason, Java, Winamp, Winzip (and no doubt dozens of other software titles with auto-update capabilities that haven't been named yet) have chosen not to sign their updates.

Enter Francisco Amato. On Monday, the Buenos Aires-based researcher released "evilgrade," a toolkit that lets anyone send out bogus automatic update alerts to users of software titles that don't sign their updates.

Why is this a big deal? Imagine that you're at an airport lounge, waiting to board your flight, and you pop open your laptop to see if you can hop on an open wireless network. Bear in mind that there are plenty of tools available that let miscreants create fake wireless access points for the purposes of routing your connection through their computer. You connect to that fake network, thinking you can check your favorite team's sports scores. A few seconds later, some application on your system says there's a software update available. You approve the update.

You're hosed.

Or maybe you don't approve the update. But that may not matter, because in some cases, auto-update features embedded in certain software titles will go ahead and download the update at that point, and keep nagging you until you agree to install it at a later date.

Again, hosed.

"Think of all the clueless people who go through the airport and connect to free Wi-Fi," said Matt Richard, director of rapid response for Dulles, Va.-based security firm iDefense. "The potential for this is just huge."

In a telephone interview with Security Fix, Amato said he released the toolkit to prod software makers to begin signing their updates.

"There are a lot of companies that work in hardening their security," Amato said. "But some vendors don't care. They do security when someone finds the problem."

Amato said he first detailed his exploit tool at the Ekoparty security conference in Argentina last summer. He publicly released the tool this week after hearing about the massively pervasive domain-name vulnerability that allows hackers to hijack users' Internet connections, which was detailed earlier this month by Dan Kaminsky. (For more information on Kaminsky's DNS flaw, please see this blog post).

To bring this full circle, if you go online using an Internet service provider that remains vulnerable to Kaminsky's exploit, an attacker could easily gain access to all customers of that ISP and issue them fake update notices.

Amato's advisory notes that iTunes and Mac OS X products are vulnerable to this type of attack, but Amato told me Apple fixed the problem with its OS X updater back in Dec. 2007. He also said the latest version of the Apple Software Update program for Windows includes new security protections.

"In the case of OS X, we are using an exploit that was patched," Amato said. "In the case of iTunes [Apple] implemented a stronger update process."

You might be asking yourself at this point: "If I can't trust the vendor for automatic software updates, who can I trust?" I don't think this is one of those "the sky is falling" type problems, but let me offer a couple of pointers. The surest way to protect yourself from becoming a victim is to uninstall the vulnerable software titles. But you'd be right in wondering which software titles are vulnerable, because the list is likely extensive.

One fix is to disable automatic updates for the vulnerable applications. Some of the most commonly known vulnerable apps include Java, the LinkedIn Toolbar, OpenOffice, Winzip, and Winamp. Obviously, this is a sub-par solution, since I spend a lot of time encouraging people to enable the update features.

In any event, here's hoping that the release of this tool will encourage more software vendors to digitally sign their updates. Amato said Sun (Java), LinkedIn, Notepad Plus, and OpenOffice have already replied to his advisory, saying they are working on an update to plug the security hole.

Tongue firmly in cheek: Just make sure that when those updates are eventually offered, you're not updating while connected to the local Starbucks Wi-Fi network, or via an ISP that hasn't yet addressed Kaminsky's DNS vulnerability.

By Brian Krebs  |  July 30, 2008; 12:01 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , New Patches , Safety Tips  

Comments

Subsequent to the referenced article, when I contacted Earthlink's Office of General Counsel in Florida, I was advised that within several weeks Earthlink anticipated having their DNS servers protected.

Accordingly, I am forwarding this article to Earthlink's Office of General Counsel for 'further review.'

Posted by: brucerealtor | July 30, 2008 4:43 AM

Just a pendantic remark first, you don't sign with an encryption key, but with a signature key. A encryption key is used to ... encrypt. You might want to use the generic term cryptographic key.

Back to the topic. My windows machine has so many tray icons, background processes and annoying popups just because of applications that want to check for updates once in a while.

At least some applications (very few) use Windows' "Schedule" service.

What I really don't understand is why Windows doesn't provide a unified update center with an API like it does for the security center.

Applications could register an update URL and a public key for signatures at install time, and Windows would manage downloading and verifying updates as well as frequencies etc. all within a unified GUI and a single service.

Posted by: Dom | July 30, 2008 4:51 AM

Anyone who allows their system to be 'automatically updated' is asking for trouble.

Not to mention the irritation of having an 'update' applied, only to have to reboot your machine, and fend off a toolbar or two, because the 'update' was essentially a full install, including stuff you didn't have, or want, before.

If I have to decline a Yahoo, or Google toolbar one more time, I'm simply going to remove the offending software, and never look back.

Posted by: Fred Evil | July 30, 2008 10:24 AM

BOTH Yahoo AND Google need to stop bundling their toolbars.

They are acting like viruses.

Posted by: vp | July 30, 2008 10:59 AM

@ Dom
Surely you must mean pedantic. Otherwise, IMHO, a good post.

Posted by: Pete from Arlington | July 30, 2008 11:00 AM

@Pete
I knew you should always proofread twice when you make this kind of remarks :-D

Posted by: Dom | July 30, 2008 11:49 AM

Dom,

"I know I should always proofread twice when I make these kinds of remarks."

(Couldn't resist.)

Posted by: Heron | July 30, 2008 1:41 PM

@Heron
Well, for my defense, I'm not a native English speaker and I actually hesitated on that one. But enough off-topic chatter.

Posted by: Dom | July 30, 2008 2:26 PM

Forgive my ignorance, but why does your example single out free Wi-Fi connections? Is there reason to believe that "compensated" Wi-Fi (or even common hard-wired ISP) connections are safe from this exploit?

Posted by: Neill | July 30, 2008 3:10 PM

I remotely administer my mother-in-law's PC 900 miles away, as well as the setups on most of my family's computers. I only allow Windows, Norton 360, and Spybot (definitions only) to auto-update themselves. For everything else, I use FileHippo.com's free Update Checker program to alert me that an update is available for Spybot, Real Player, QuickTime, Google, Java, OpenOffice, Adobe, Shockwave, Flash, etc., etc., software. Then, if I chose to install the update, FileHippo provides a link to a place within their site where they maintain a vendor-provided copy of the update's installation software.

You can add CouponPrinter, from Coupons.com, to the list of suspect software--my mother-in-law downloaded that recently to her system, and it's driven her to the point of threatening to disconnect her computer. She was blaming Spybot for the problems, when it and WinPatrol were only trying to warn her about the problem--and I found in Spybot's log that it had quarantined CouponPrinter (plus, Ad-Aware found almost 400 tracking cookies on her system--well above the normal number associated with her limited web surfing).

Posted by: TidewaterVaAccent | July 30, 2008 11:11 PM

You are about God's work as far as helping your mother-in-law maintain her PC security. Keep it up!

Posted by: @ Tidewater | July 31, 2008 12:17 PM

@TidewaterVaAccent

Sounds like you got a secure methodology there. ;)

Posted by: Rick | July 31, 2008 12:39 PM

Setting your workstation's DNS servers to opendns.org (208.67.222.222, 208.67.220.220) is a good practice. They are patched and can provide filtering.

Posted by: A Security Guy | July 31, 2008 1:42 PM

@A Security Guy:
Fixing the recent DNS flaw plugs only one possible way to compromise unsigned updates. If your victim is on a typical Airport/Hotel/Cafe WiFi network you can easily compromise unsigned updates in other ways.

Mozilla is not mentioned in the list, but in case people assume the worst I'd like to note that we've always been paranoid about just this attack and Firefox is not susceptible.

Posted by: Dan Veditz | August 3, 2008 4:15 PM

Wow. Free should mean "users beware" when hooking up to the wireless network. Thank goodness I used my aircard when I need to sign on to read my mail or do my banking. But then again somebody is always out there trying to take other people's hard-earned buck.

Posted by: c. swart | August 11, 2008 1:50 PM

© 2010 The Washington Post Company