[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTi=TJQPx4rPSw6QtJpUbZ6SH7f_xLK3A0rosH+rG@mail.gmail.com>
Date: Tue, 2 Nov 2010 10:09:37 -0400
From: T Biehn <tbiehn@...il.com>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
Valdis.Kletnieks@...edu
Subject: Re: Evilgrade 2.0 - the update explotation
framework is back
a+ troll.
-Travis
On Sun, Oct 31, 2010 at 9:24 AM, Christian Sciberras <uuf6429@...il.com>wrote:
> Only thing, there's the danger of someone using stolen certificates.
> But I'm sure there's another fix for that.
>
> In my opinion, all in all, you're creating a yet another overly complex
> system with as yet more possible flaws.
> Don't forget tat each new line of code is a potential attack vector which
> affects any system.
>
> Just my 2 cents...
>
> Chris.
>
>
>
> On Sun, Oct 31, 2010 at 1:09 PM, Mario Vilas <mvilas@...il.com> wrote:
>
>> Just signing the update packages prevents this attack, so it's not that
>> hard to fix.
>>
>> On Sat, Oct 30, 2010 at 5:02 PM, <Valdis.Kletnieks@...edu> wrote:
>>
>>> On Sat, 30 Oct 2010 04:43:14 +0800, Jacky Jack said:
>>> > It's now a time for vendors to re-consider their updating scheme.
>>>
>>> And do what differently, exactly?
>>>
>>> OK, so it's *possible* to fake out the iTunes update process. But which
>>> is easier
>>> and more productive:
>>>
>>> A) Laying in wait for some random to think "Wow, I should update iTunes"
>>> and
>>> hijack the process.
>>>
>>> B) Send out a few hundred thousand spam with a '
>>> From:update@...le-itunes-support.com<From%3Aupdate@...le-itunes-support.com>
>>> '
>>> with a link to a site you control and feed the the sheep some malware.
>>>
>>> Evilgrade looks like a nice tool to have if you're doing a pen test or a
>>> targeted attack and can somehow get the victim to do an update (possibly
>>> social
>>> engineering), but for any software vendor feeding software updates to Joe
>>> Sixpack this threat model is *so* far down the list it isn't funny.
>>> Simply
>>> compare the number of boxes pwned by (A) and (B) - how many people have
>>> gotten
>>> pwned because somebody hijacked their update from Symantec or wherever,
>>> compared to the number pwned because they got a popup that said "Your
>>> computer
>>> is infected, click here to fix it"?
>>>
>>> Remember - just because a new tool useful for an attacker shows up, does
>>> *not*
>>> mean it's a game changer for the industry at large.
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>> --
>> HONEY: I want to… put some powder on my nose.
>> GEORGE: Martha, won’t you show her where we keep the euphemism?
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists