Exploit Prods Software Firms to Update Their Updaters
A security researcher has released a set of tools that make it simple for attackers to exploit weaknesses in the auto-update feature of many popular software titles.
By targeting widely deployed programs such as Java, OpenOffice, Winamp and Winzip that don't digitally sign their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading a package designed to compromise the security of their computer.
Software companies should include these signatures in all of their updates, so that a user's computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with a private signing key that only it holds, and Windows machines are configured to reject any incoming software update that is not signed with that key.
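As an added illustration (not code from the post, from evilgrade, or from any of the vendors named) of what that check looks like inside an update client, here is a minimal Go sketch using ed25519: the vendor signs a small manifest (version plus SHA-256 of the package) with a private key that stays on its build system, and the client verifies the manifest against a public key pinned in the installed program before trusting the download. The key pair, package bytes and function names are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: the version and the SHA-256 of the
// package bytes, so the client can check both the signature and the download.
type Manifest struct {
	Version string
	Sha256  string
}

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.Sha256) }

// VendorSign runs on the vendor's build system; the private key never leaves it.
func VendorSign(priv ed25519.PrivateKey, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, Sha256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the client-side check. The public key is pinned inside the
// installed program, so a manifest, signature or package substituted on the
// network (rogue Wi-Fi, poisoned DNS) fails here and is never installed.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.Sha256 {
		return errors.New("package hash does not match the signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	pkg := []byte("genuine update 2.0 payload")      // constructed sample package
	m, sig := VendorSign(priv, "2.0", pkg)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, pkg))
	// The download can be swapped in transit, but not re-signed with the vendor key.
	fmt.Println("swapped package:", VerifyUpdate(pub, m, sig, []byte("trojaned payload")))
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // a key that is not the vendor's
	fm, fsig := VendorSign(rogue, "2.0", []byte("trojaned payload"))
	fmt.Println("forged manifest:", VerifyUpdate(pub, fm, fsig, []byte("trojaned payload")))
}
```

The unsigned updaters the column describes effectively skip VerifyUpdate entirely, which is why anything that can answer the update check on the network is accepted as the vendor.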
For whatever reason, Java, Winamp, Winzip (and no doubt dozens of other software titles with auto-update capabilities that haven't been named yet) have chosen not to sign their updates.
Enter Francisco Amato. On Monday, the Buenos Aires-based researcher released "evilgrade," a toolkit that lets anyone send out bogus automatic update alerts to users of software titles that don't sign their updates.
Why is this a big deal? Imagine that you're at an airport lounge, waiting to board your flight, and you pop open your laptop to see if you can hop on an open wireless network. Bear in mind that there are plenty of tools available that let miscreants create fake wireless access points for the purposes of routing your connection through their computer. You connect to that fake network, thinking you can check your favorite team's sports scores. A few seconds later, some application on your system says there's a software update available. You approve the update.
Or maybe you don't approve the update. But that may not matter, because in some cases, auto-update features embedded in certain software titles will go ahead and download the update at that point, and keep nagging you until you agree to install it at a later date.
"Think of all the clueless people who go through the airport and connect to free Wi-Fi," said Matt Richard, director of rapid response for Dulles, Va.-based security firm iDefense. "The potential for this is just huge."
In a telephone interview with Security Fix, Amato said he released the toolkit to prod software makers to begin signing their updates.
"There are a lot of companies that work in hardening their security," Amato said. "But some vendors don't care. They do security when someone finds the problem."
Amato said he first detailed his exploit tool at the Ekoparty security conference in Argentina last summer. He publicly released the tool this week after hearing about the massively pervasive domain-name vulnerability that allows hackers to hijack users' Internet connections, which was detailed earlier this month by Dan Kaminsky. (For more information on Kaminsky's DNS flaw, please see this blog post).
To bring this full circle, if you go online using an Internet service provider that remains vulnerable to Kaminsky's exploit, an attacker could easily gain access to all customers of that ISP and issue them fake update notices.
Amato's advisory notes that iTunes and Mac OS X products are vulnerable to this type of attack, but Amato told me Apple fixed the problem with its OS X updater back in Dec. 2007. He also said the latest version of the Apple Software Update program for Windows includes new security protections.
"In the case of OS X, we are using an exploit that was patched," Amato said. "In the case of iTunes [Apple] implemented a stronger update process."
You might be asking yourself at this point: "If I can't trust the vendor for automatic software updates, who can I trust?" I don't think this is one of those "the sky is falling" type problems, but let me offer a couple of pointers. The surest way to protect yourself from becoming a victim is to uninstall the vulnerable software titles. But you'd be right in wondering which software titles are vulnerable, because the list is likely extensive.
One fix is to disable automatic updates for the vulnerable applications. Some of the most commonly known vulnerable apps include Java, the LinkedIn Toolbar, OpenOffice, Winzip, and Winamp. Obviously, this is a sub-par solution, since I spend a lot of time encouraging people to enable the update features.
In any event, here's hoping that the release of this tool will encourage more software vendors to digitally sign their updates. Amato said Sun (Java), LinkedIn, Notepad Plus, and OpenOffice have already replied to his advisory, saying they are working on an update to plug the security hole.
Tongue firmly in cheek: Just make sure that when those updates are eventually offered, you're not updating while connected to the local Starbucks Wi-Fi network, or via an ISP that hasn't yet addressed Kaminsky's DNS vulnerability.
July 30, 2008; 12:01 AM ET