Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back
- To: Mario Vilas <mvilas@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back
- From: Christian Sciberras <uuf6429@xxxxxxxxx>
- Date: Sun, 31 Oct 2010 14:24:59 +0100
Only thing, there's the danger of someone using stolen certificates.
But I'm sure there's another fix for that.
In my opinion, all in all, you're creating yet another overly complex
system with yet more possible flaws.
Don't forget that each new line of code is a potential attack vector which
affects any system.
Just my 2 cents...
Chris.
On Sun, Oct 31, 2010 at 1:09 PM, Mario Vilas <mvilas@xxxxxxxxx> wrote:
> Just signing the update packages prevents this attack, so it's not that
> hard to fix.
>
> On Sat, Oct 30, 2010 at 5:02 PM, <Valdis.Kletnieks@xxxxxx> wrote:
>
>> On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
>> > It's now a time for vendors to re-consider their updating scheme.
>>
>> And do what differently, exactly?
>>
>> OK, so it's *possible* to fake out the iTunes update process. But which
>> is easier and more productive:
>>
>> A) Laying in wait for some random to think "Wow, I should update iTunes"
>> and hijack the process.
>>
>> B) Send out a few hundred thousand spam with a 'From: update@xxxxxxxxxxxxxxxxxxxxxxxx'
>> with a link to a site you control and feed the sheep some malware.
>>
>> Evilgrade looks like a nice tool to have if you're doing a pen test or a
>> targeted attack and can somehow get the victim to do an update (possibly
>> social engineering), but for any software vendor feeding software updates
>> to Joe Sixpack this threat model is *so* far down the list it isn't funny.
>> Simply compare the number of boxes pwned by (A) and (B) - how many people
>> have gotten pwned because somebody hijacked their update from Symantec or
>> wherever, compared to the number pwned because they got a popup that said
>> "Your computer is infected, click here to fix it"?
>>
>> Remember - just because a new tool useful for an attacker shows up, does
>> *not* mean it's a game changer for the industry at large.
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> HONEY: I want to… put some powder on my nose.
> GEORGE: Martha, won’t you show her where we keep the euphemism?
>
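The fix Mario describes above (sign the update packages so a hijacked download is rejected), as an added example in Go; this is not code from Evilgrade or from anyone in the thread. The vendor signs a small manifest carrying the package hash with an ed25519 key, and the client checks the manifest against a pinned vendor public key and the downloaded bytes against the signed hash; the key pair, version string and package bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: version plus the package's SHA-256.
// The transport (HTTP, DNS) is not trusted at all; only the signature is.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the package bytes
}

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.SHA256) }

// SignUpdate runs on the vendor side, where the private key lives.
func SignUpdate(priv ed25519.PrivateKey, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate runs on the client with a pinned vendor public key.
// As the reply above notes, a stolen signing key defeats this check;
// it does not defend against that case.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: reject update")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match signed manifest: reject update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	pkg := []byte("constructed sample installer bytes")
	m, sig := SignUpdate(priv, "2.0", pkg)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, pkg))
	// Same signed manifest, but the bytes served by the redirected host differ.
	fmt.Println("swapped package:", VerifyUpdate(pub, m, sig, []byte("substituted file")))
	// Manifest rewritten in transit without access to the vendor key.
	fmt.Println("altered manifest:", VerifyUpdate(pub, Manifest{"2.1", m.SHA256}, sig, pkg))
}
```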