Open Source and information security mailing list archives
Date: Wed, 4 Apr 2012 02:31:31 -0400
From: Charles Morris <cmorris@...odu.edu>
To: Adam Behnke <adam@...osecinstitute.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Hacking AutoUpdate by Injecting Fake Updates

Welcome to 2002

On Tue, Apr 3, 2012 at 10:01 AM, Adam Behnke <adam@...osecinstitute.com> wrote:
> We all know that hackers are constantly trying to steal private information
> by getting into the victim's system, either by exploiting the software
> installed in the system or by some other means. By performing routine
> updates for their software, consumers can protect themselves, patching known
> vulnerabilities and therefore greatly reducing the chance of getting hacked.
>
> Commonly used software, such as MS Office, Adobe Flash and PDF reader (as
> well as the browsers themselves) are the major targets for exploits if left
> unpatched. In the past, fake patches for Firefox, IE, etc. displayed
> messages informing users that updated versions for a plugin or the browser
> were available, prompting the user to update their software. For example,
> the page will tell the user that updating their Flash version is critical.
> Once the user clicks the fake update, it will download malicious content
> (like, for example, the Zeus Trojan) to the victim's computer, as well as
> perhaps a rogue anti-virus, asking the user to pay in order to remove the
> infections. Similar attacks have been done in the past for various browsers,
> too.
>
> When you think about it, how many people are really cautious about the
> updates, the type of update or the link from where they are downloading and
> installing the update? Obviously, there are very few people that are really
> cautious and vigilant about updates, therefore making the success rates for
> those exploiting the users high.
>
> Read more about how to perform a few different AutoUpdate man-in-the-middle
> attacks that work against Java, AppleUpdate, Google Analytics, Skype,
> Blackberry and more: http://www.ethicalhacking.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
