Date: Sun, 31 Oct 2010 14:24:59 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Mario Vilas <mvilas@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	Valdis.Kletnieks@...edu
Subject: Re: Evilgrade 2.0 - the update explotation
 framework is back

Only thing, there's the danger of someone using stolen certificates.
But I'm sure there's another fix for that.

In my opinion, all in all, you're creating yet another overly complex
system with yet more possible flaws.
Don't forget that each new line of code is a potential attack vector which
affects any system.

Just my 2 cents...

Chris.


On Sun, Oct 31, 2010 at 1:09 PM, Mario Vilas <mvilas@...il.com> wrote:

> Just signing the update packages prevents this attack, so it's not that
> hard to fix.
>
> On Sat, Oct 30, 2010 at 5:02 PM, <Valdis.Kletnieks@...edu> wrote:
>
>> On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
>> > It's now a time for vendors to re-consider their updating scheme.
>>
>> And do what differently, exactly?
>>
>> OK, so it's *possible* to fake out the iTunes update process.  But which
>> is easier and more productive:
>>
>> A) Laying in wait for some random to think "Wow, I should update iTunes"
>> and hijack the process.
>>
>> B) Send out a few hundred thousand spam with a
>> 'From: update@...le-itunes-support.com' with a link to a site you control
>> and feed the sheep some malware.
>>
>> Evilgrade looks like a nice tool to have if you're doing a pen test or a
>> targeted attack and can somehow get the victim to do an update (possibly
>> social engineering), but for any software vendor feeding software updates
>> to Joe Sixpack this threat model is *so* far down the list it isn't funny.
>> Simply compare the number of boxes pwned by (A) and (B) - how many people
>> have gotten pwned because somebody hijacked their update from Symantec or
>> wherever, compared to the number pwned because they got a popup that said
>> "Your computer is infected, click here to fix it"?
>>
>> Remember - just because a new tool useful for an attacker shows up, does
>> *not* mean it's a game changer for the industry at large.
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> HONEY: I want to… put some powder on my nose.
> GEORGE: Martha, won’t you show her where we keep the euphemism?
>
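The signing step Mario refers to, as an added example that is not part of this thread or of Evilgrade: the vendor signs an update manifest with an Ed25519 key, and the client checks the manifest against a key pinned at install time, then checks the package digest, before trusting the download. The manifest layout, product name and payload bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update descriptor; the vendor signs
// its canonical form, which binds product, version and package digest together.
type Manifest struct{ Product, Version, SHA256 string }
func (m Manifest) Canonical() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// Sign is the vendor side: digest the package, fill the manifest, sign it.
func Sign(priv ed25519.PrivateKey, product, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{product, version, hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.Canonical())
}

// Verify is the client side. The vendor public key is pinned in the installed
// client, so nothing in the update path can substitute an unsigned manifest or package.
func Verify(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.Canonical(), sig) {
		return errors.New("manifest not signed by the pinned vendor key")
	}
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package digest does not match the signed manifest")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("constructed update payload v2.0")
	m, sig := Sign(vendorPriv, "ExampleApp", "2.0", pkg)
	fmt.Println("genuine update:", Verify(vendorPub, m, sig, pkg))
	// Different package bytes under the genuine manifest: the digest check fails.
	fmt.Println("swapped package:", Verify(vendorPub, m, sig, []byte("other payload")))
	// Manifest signed with some key other than the pinned one: the signature check fails.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2, sig2 := Sign(otherPriv, "ExampleApp", "2.0", []byte("other payload"))
	fmt.Println("other key:", Verify(vendorPub, m2, sig2, []byte("other payload")))
}
```

A signature made with a stolen vendor key, the caveat Chris raises above, passes this check unchanged; catching that requires key rotation or revocation data that the client can consult.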
