Full Disclosure mailing list archives

Re: Evilgrade 2.0 - the update exploitation framework is back


From: Mario Vilas <mvilas () gmail com>
Date: Mon, 1 Nov 2010 15:01:03 +0100

It would indeed be vulnerable to that, and you're also right about this
attack vector being quite small.

But IMHO an update mechanism that signs its packages is quite easy to
implement, so we're talking about getting a tangible benefit from a small
effort. Preventing the signing key from being stolen is a different matter
entirely - it has to do with the vendor's own network infrastructure
security. Unsigned updates, on the other hand, rely on the client network's
security, which cannot be controlled by the vendor.

In other words, a signed update mechanism is clearly more secure than an
unsigned update mechanism, even if neither of them can be 100% secure, and it
comes at very little cost. Also, there's no such thing as a 100% secure
system. :)

BTW, I don't think the programmers of each application should be developing
their own signature code. Never code your own crypto, just use what's
available. Also, I believe the operating system should provide the
mechanism, not the application.

On Sun, Oct 31, 2010 at 3:36 PM, <Valdis.Kletnieks () vt edu> wrote:

On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:

Just signing the update packages prevents this attack, so it's not that hard to fix.

Except if a signing key gets compromised, as happened to one Linux vendor recently, causing a lot of kerfuffle... Setting up a proper signing system involves a certain amount of actual cost and effort. And every organization that produces code, be it for-profit proprietary code or free open-source code, has to make resource tradeoffs.

Is there any actual *evidence* that hijacking "authorized" updates is a big enough problem to be worth it? If each year, 5 of their customers get pwned by the sort of attack that Evilgrade does, but 50,000 get pwned by "click here" popups that code signing won't do squat to prevent, is it really worth their time and effort? Sure, sucks to be one of the 5, but if they instead spend the resources to do something *else* to make their customers' lives better that would benefit thousands rather than the 5....

-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
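As an added illustration of the signed-update mechanism discussed above (example code written for this archive page; it is not part of either message, nor of Evilgrade): a Go program using only the standard library's crypto/ed25519 and crypto/sha256. The vendor signs a small manifest (version number plus payload digest); the client verifies that signature with a vendor public key pinned in the client, refuses anything not newer than what is installed, and only then checks the downloaded bytes against the signed digest. The manifest layout, the function names and the seed-derived demo keys are assumptions of this example; a real vendor key is generated from a CSPRNG and kept offline or in an HSM, which is exactly the part the thread notes signing itself does not solve.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the only thing the vendor signs: which version this is and
// the SHA-256 digest of the installer bytes it authorises.
type Manifest struct {
	Version uint32
	Digest  [sha256.Size]byte
}

// encode gives a fixed-width byte layout so the signature covers both fields
// unambiguously (4-byte big-endian version, then the 32-byte digest).
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Release is what travels over the (untrusted) update channel.
type Release struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

var (
	ErrBadSignature    = errors.New("manifest signature does not verify under the vendor key")
	ErrDowngrade       = errors.New("release is not newer than the installed version")
	ErrPayloadMismatch = errors.New("payload digest does not match the signed manifest")
)

// DemoKeyPair derives a deterministic Ed25519 key pair from a label. This is
// a constructed convenience for the example only; a real vendor key must be
// generated from a CSPRNG and kept offline or in an HSM.
func DemoKeyPair(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("demo-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildRelease is the vendor side: hash the payload, sign the manifest.
func BuildRelease(priv ed25519.PrivateKey, version uint32, payload []byte) Release {
	m := Manifest{Version: version, Digest: sha256.Sum256(payload)}
	return Release{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Payload: payload}
}

// VerifyRelease is the client side. The public key is pinned in the client
// (shipped with the software), so nothing on the network can substitute it.
func VerifyRelease(vendorPub ed25519.PublicKey, installed uint32, r Release) error {
	if !ed25519.Verify(vendorPub, r.Manifest.encode(), r.Signature) {
		return ErrBadSignature
	}
	if r.Manifest.Version <= installed {
		return ErrDowngrade
	}
	if sha256.Sum256(r.Payload) != r.Manifest.Digest {
		return ErrPayloadMismatch
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := DemoKeyPair("vendor")
	_, otherPriv := DemoKeyPair("not-the-vendor")

	genuine := BuildRelease(vendorPriv, 2, []byte("installer v2 (constructed payload)"))
	fmt.Println("genuine release:      ", VerifyRelease(vendorPub, 1, genuine))

	// Payload swapped in transit while the signed manifest is left untouched.
	swapped := genuine
	swapped.Payload = []byte("something else entirely")
	fmt.Println("swapped payload:      ", VerifyRelease(vendorPub, 1, swapped))

	// Whole release re-signed under a key the client does not trust.
	forged := BuildRelease(otherPriv, 3, []byte("installer v3 (constructed)"))
	fmt.Println("foreign signing key:  ", VerifyRelease(vendorPub, 1, forged))

	// A genuinely signed but older release replayed to a client already on v2.
	fmt.Println("replayed old release: ", VerifyRelease(vendorPub, 2, genuine))
}
```

The three rejected cases in main correspond to the failure modes the thread touches on: a payload substituted on the client's network (the Evilgrade scenario), a release signed by a key the client has not pinned, and an old but validly signed release served again. The one case this code cannot help with is a release signed with the real vendor key after that key has been stolen, which is why the key-handling side sits with the vendor's own infrastructure rather than with the client.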
