Exploit code targets Mac OS X, iTunes, Java, Winzip... A researcher from Argentina has released an exploit package that can install malware on end user machines that run iTunes, Mac OS X, Winzip and a host of other popular software. Evilgrade is the brainchild of Francisco Amato and works by exploiting weaknesses in the automatic upgrade feature of an affected program or operating …
It isn't actually an exploit as such is it? The guy is just saying "if I've compromised your DNS lookup, I can do all sorts of things to fool you". Which is a bit like saying "I can steal your car ... all I need are the keys to your car".
To be honest, if you've got a bent DNS you are open to all sorts of trouble anyway, right?
Mr Average User sees a dialogue pop up saying "An update is available, install Y/N" and will pretty likely hit the yes button without even thinking about it. If he types in the URL for, say, a news site and is presented with a spoofed page asking for login details that he doesn't normally see, he's more likely to think there's something amiss and not reveal any sensitive data. In the meantime, whatever trojan is running around as a result of that "update" is busy pulling any sensitive data it can find and sending it back to base.
I'd say that's pretty serious.
Most people would automatically trust a dialogue box that prompted a user to download and install updates to <insert name of trusted software here>. Much software has an autoupdate option these days, and in most cases it is enabled by default. This exploit along with spoofing could be modified to subvert any auto update process. Time for end to end encrypted updating via VPN in transport mode using signed and hashed files with the client initiating the connection?
Once cracking was the realm of intelligent and smart people, people unlike me, who knew the systems and protocols involved inside out. As a novice security researcher I have welcomed the arrival of tools like Backtrack and KCpentrix. I read the code and learn, hopefully I will one day consider myself smart. Unfortunately the arrival of these tools has also allowed anyone who can use a GUI to become a cracker. They have dumbed down cracking, just has MS have dumbed down PC use so that any retard can troll forums and spam newsgroups. Now any retard can own your PC.
I have always with the exception of Firefox and Avast manually updated software via download from the developers website. I have never trusted auto update functions, paranoia? It would seem not. Perhaps it is now time to to manually update Firefox and my AV signatures too. In my last position, I never allowed auto updating of anything, I would download and test the update/patch and if satisfied I would then deploy. It did create more work for myself and I would occasionally have to work late to catch up but I was sure that update was legitimate and would not break any of the client machines.
As a footnote, one should also be concerned about Firefox addons. It has come to my attention that binary libraries can be included in the XPI archive and the code can do anything with the machine that the current user has rights to do. I have not come across a malicious Firefox addon yet, although this doesn't mean they don't exist.... Be careful out there
Check out the widget thing on the right hand side of www.doxpara.com to find out whether "the guy" has the keys to your car.
For many major ISPs, if you're using their default DNS settings then he does. For their customers, it is an exploit "as such".
If you fail the test on doxpara.com, then any script kiddie with Metasploit can poison your DNS cache in seconds. That's why this is news now. DNS should not be considered safe at the moment (or ever, but especially at the moment).
What proportion of laptop users know when they get one of those "updated software is available" bubbles while attached to an insecure network, which software it's OK to go ahead with because it authenticates the download, and which software it isn't?
I think it's actually quite outrageous for some application to download unauthenticated code (in this case an updater) off the internet and execute it. People have been loudly complaining at Microsoft for years because IE and Outlook vulnerabilities allow just that, and painstakingly teaching users not to click email attachments. Meanwhile Sun, Apple and others have been doing exactly the same thing all along.
Open Source: The point to me is that I know what the ingredients of an open source software solution is. If it contains poison, I can see it, If it wants to phone home and tell the developers the nature of porn I view, I am aware of it. If there is a back door I can see it. If it is broke or does not work on my particular set up I can attempt to fix it. Open source software is reviewed by many independent developers with differing agendas. I trust the content of open source software because of this independent peer review, this does not mean that it is free of vulnerabilities, bugs or flaws. Just free of bullshit lies and deceit.
Sounds like turning off automatic updates in whatever you're using will prevent this. That, and turning off admin access while running an affected piece of software.
Oh, and once again, the imminent death of the Internet via DNS is predicted. Seems like I shouldn't be able to visit theregister.co.uk anymore.
I don't understand how Infobyte can possibly think it is OK to make this tool publicly available. I understand that there are circumstances in which publicising a vulnerability helps encourage people to fix it, but this seems like such a blatantly irresponsible move. I guess I could say the same for Metasploit?
A Linux emulation library for Windows got it's name from Cygnus corp now Red Hat. Supposed to be a training ground for those who want to work with Linux first before they commit in practice it's a pita has probably frightened and confused more people than it's helped. If it sounds like I don't like the Cygwin environment you're right it isn't needed anymore since the advent of live cd's and if it's got a vulnerability just another reason to ignore it. Anyway back to your regularly scheduled trolls and flames.
Open source vs. closed source is a pointless distinction for the 99.9% of computer users who don't write code. If you download the binaries, you have *no idea* what is in them, or indeed where they came from. Anything can be spoofed, as the internet was designed to be robust, not secure. It is effectivly anonymous, despite all the recent privacy/data mining/phorm type stuff, because end users have no way of telling that the *provider* is genuine, you just have to trust them.
The whole net as it stands is hack built on hack built on 30-year-old-hack, and the conflicting requirements of privacy, anonymity, verification, mobility, deniability, accountability, and trust will never be reconciled until we start from the ground and rebuild the net (and all of 'connected computing', (ghastly phrase,)) to include all these things.
It's not about OS wars, corporate giants vs public spirited coders, or any of that bullsh1te, fundamentaly it's about trust, and at the moment you can't trust anyone.
Where's the icon showing a precariously balanced pile of hardware with a confused looking punter at the top when you need it?
All http traffic should always be considered insecure as it is all vulnerable to man in the middle attacks.
Any updater that uses unvalidated binaries from http will be vulnerable. Though the developers can be accused of bad decisions when choosing to rely on plain http in the first place, the vulnerability doesn't technically lie with the updater per say.
Even if the updater used https or other key management, an initial download over http would still be potentially suspect. And virtually all downloads these days are over plain http.
...while feeding the troll by the other end...
non-authenticated updates (and especially automatic ones) are BAD. But as stated by Graham, if your DNS is pwned, you're deep in a smelly sticky one anyway. Especially if your OS doesn't have a centralized repository where you can get signed updates for your software. Like, when you have to get third-party applications for pretty much everything. Now Windows doesn't look like such a smart choice anymore, huh? As for me, I know I'm safe, on my desktop and laptop I'm using Debian and it's flawless encryption keys*. Oh wait...
*I know, I know. Just had to say it.
You were faster. I also wanted to ask what happened to good old HTTPS (and SSL in general). But I think I know - asymmetric cryptography is very expensive on the server side, as CPU utilization per connection is several orders of magnitude higher than plain HTTP. This especially matters when one needs to handle large number of concurrent client connections. Large number of concurrent connections is what autoupdaters are about - many users automatically and often checking they have the most recent version and downloading patches. There are accelerators, but these are not cheap. Hosting them in places like AKAMAI, with publishers private keys, has its own challenges. Still, I think that recent developments in CPU (and general purpose GPUs) should be put to good use.
I use Cygwin (Xserver and twm, basic and brilliant) every day as I need to be on Windows and lots of UNIX hosts similltaneously; have done for years at various employers. Live CDs do not do the same. It is really excellent.
We all have our favourite tools, windows, mac or whatever. It is just a shame that the same mindset as that that vandalises bus shelters and sprays ugly rubbish around ("graffiti" and "tags") has discovered computers.
Even sadder, so much of our most useful software, such as DNS, was designed and written in a hurry under the mindset that assumed only clever, nice people use computers.
As the style of comment on these pages often shows, such as that about operating systems, other posters and cygwin, a large proportion of computer users are not nice, not clever and have many social problems with their behaviour and ability to express themselves. So we have to play down to the lowest common denominator and programme very carefully for even the most trivial scripts on the most secure of systems (with the possible exception of those not on a network and in a locked room, oh, and turned off except when in active use).
Is not a major point of Open Source that it is free and that it is modifiable by the end user if desired, thus providing possible improvement for all and tailoring for an individual end user?
Thanks for the info, AC and Steve.
So really the point is that any unsigned update system is vulnerable because you can easily pretend to be the updater for that program. I think there is still some lameness in the article because it's hardly a major revelation that you can do that. If you could patent exploits, I think this one would be declined for being obvious.
Also, assuming that all your software vendors magically modify their updaters so that they use a secure system, aren't you still more vulnerable to phishing attacks via fake banking sites and so on? I would have thought that was really easy to do, from a criminal's point of view.
Finally, I think the article should mention that you don't have to use your ISP's default nameservers. I steered my network to OpenDNS, which is apparently safe according to the online checker.
Reg has run a couple of articles on the DNS vulnerability itself, and how to work around it. Everyone agrees, patch or switch.
I'm still reserving personal judgement on whether switching to OpenDNS is a full solution. Certainly it's the best advice available. You definitely don't want to be using a known-vulnerable server belonging to an ISP, because it will get poisoned, and probably sooner rather than later.
Remember I said that if you fail the test on Doxpara, then script kiddies can poison your DNS cache. I didn't say that if you pass the test, they can't. All Doxpara's test sees is the "last leg" of the DNS request from OpenDNS (or whatever) to doxdns1.com. It doesn't see the communication between your PC and that DNS cache.
I'm not sure, but I suspect, that there are some circumstances where that part of the communication could still be vulnerable. Basically, there would need to be a vulnerable caching DNS resolver involved somewhere, for example in a home firewall/router. Then any attacker may be able to poison that cache, which doxpara's test doesn't see and can't comment on.
That attack is hopefully unlikely, since at the moment there are richer pickings to be had attacking major ISPs than individual home networks. But if there's no cache you're safer, so personally I think it's best to disable any DNS services provided by routers if you can. I've yet to hear expert advice on that particular subject, though, it's all been the general "patch all DNS servers". I don't know which popular home routers do DNS caching.
Maybe the assumption is that if you're smart enough to redirect your DNS requests to OpenDNS, then you're smart enough to identify and patch or disable any other DNS caches in your vicinity. I found though that my router's documentation says that it can run a DNS server for use from the network, but doesn't say whether it caches or just forwards every request.
It occurs to me that one way to validate websites would be the following:
Upon arrival at my bank's website, for example, the website could authenticate itself by sending info to an authentication server which would send back an encrypted reply to the site's server, which would then be decrypted and displayed to the user.
Granted, it's late and I'm half in the bag, but it seems plausible to me.
Perhaps I'm an ignoramus though; there might be a dozen reasons why that would never work, for all I know. I'd be interested in hearing them.
I think the hole in that solution is that hackers can spoof the whole thing (bank server, authentication server etc.) once they have control of your DNS.
It's a smoke-and-mirrors thing. 99.9% of users would be easily fooled by a fake banking site. You could even set up a proxy site in front of the real banking site, so that the user's transaction completes normally (i.e. not arousing suspicion) while you (the hacker) keep the session open afterwards and plunder the account.
That's why DNS hacking is so dangerous and also why I think the Evilgrade proposal isn't an earth-shattering concept in the realms of computer security. The point is, with control of your DNS a hacker can do *lots* of different things and Francisco Amato just happens to have thought of one of them.
If I understand you correctly, and I think I do, an aspect of my idea would be a prearrangement with the authenticating institution, a special password, let's say, using some form business identification as a username. Then only the true site can authenticate in this manner. The response from the authenticator would likewise be associated with the user in the same manner as a challenge question's answer only in reverse.
The bad guy sits between you and the banking site and can relay all communication in both directions. Any authentication exchange can also be relayed. Once you've said OK to the message that warns you that the SSL certificate doesn't match the banking site that you think your using or isn't signed by a trusted 3rd party then your doomed!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
