On 02/08/2008 18:23, David B Teague wrote:
> Lisi Reisz wrote:
>> On Saturday 02 August 2008 17:49:40 David B Teague wrote:
>>> This is a very brief summary from this web site
>>> http://blogs.pcmag.com/securitywatch/2008/07/evilgrade_exploit_toolkit_atta.php
>>> The article says the EvilGrade Exploit tool kit is able to attack
>>> systems using the "man in the middle", attacking through the
>>> installation mechanism.
>> It actually says "updates", not installation (my stars):
>> <quote>
>> infecting systems through the **update** mechanism, according to a
>> ZDNet blog. The attackers claim, in the Readme for the kit, to have
>> modules implemented to attack the following product **updates**
>> </quote>
>>> The attacker specifically mentions OO.o in the kit "ReadMe".
>> No, it says: "OpenOffices"
>> This is not the correct name of this program (or site) and OOo does
>> not have updates as such.
>> I doubt they have achieved what they claim, tho' that doesn't mean
>> that we can all be complacent.
> OK, they committed a spelling error, but if they HAVE compromised
> OpenOffice.org as I think they are suggesting, the spelling error in
> their "ReadMe" will not make any difference at all. We will have given
> them access to our systems through the installer.
> I do not pretend to understand all this, but I do understand the idea
> of threat. At present, to update OO.o, I download a Windows
> installation file and run it. I don't see any mechanism for signatures,
> nor do I see easy access to checksums.
> I assure you that in the future I will be looking for checksums. I would
> prefer to have digital signatures for installation files. If checksums
> will assure me no one has fiddled with the installer, I'll gladly go
> through the process of confirming checksums.
> Now, would someone answer my questions?
> Is Lisi right that there is no danger because of the difference between
> "updates" and "installers"?
> Is there any intent to introduce digital signatures?
> Do checksums do the same thing as digital signatures?
> David Teague
The attack described relies on a "live" update mechanism in which the
current version of the software (OOo, iTunes, Adobe Acrobat, whatever)
installed on your computer automatically goes to a server somewhere,
decides there is a new version of itself and automatically (possibly
with your permission) downloads and runs the appropriate file(s). Given
such a mechanism, the attack works by diverting the software to the
attacker's server and persuading it to download and run the file(s) from
there. Note that Windows Update works like this and is therefore
possibly vulnerable to the attack described. I *think* the same is true
of many Linux package managers. Not at all sure about Macs but I
wouldn't be surprised given how iTunes works in this regard.
There are two ways to protect against this. The simplest is to have the
software check that the server it is actually connected to is the server
to which it should be connected. Reverse DNS is at least a partial
solution here although even that can be compromised, albeit with much
greater difficulty.
The other way is via digital signature. The software would have the
relevant public key securely available to it together with the mechanism
to check the digital signature(s) of the file(s) it wants to download.
MD5 wouldn't be useful here. Nor would any other hash algorithm.
The problem with digital signatures is that the software is not readily
available in all the countries in which OOo is used and there would be
quite serious legal problems providing it.
OOo, on Windows at least, has a "live" mechanism built in although I
never use it. Instead I always go directly to the OOo web site, download
the new version and run it by hand. In this case the attack described
can't work because I'm getting the file from the right place. Also in
this case MD5 is perfectly adequate providing the OOo web site hasn't
been hacked. If an attacker can plant his file (and therefore his
version of the checksum) on the OOo web site then no checksum algorithm
is going to help. In this case the only way is via a digital signature
providing that the place from where you get OOo's public key hasn't been
compromised. If you were to get and believe the attacker's version of
OOo's public key then all would be lost. This then raises the whole set
of issues surrounding PKI (Public Key Infrastructure) schemes and that's
just too OT to go into here.
--
Harold Fuchs
London, England
Please reply *only* to [email protected]
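To make concrete the difference David asks about and Harold explains (a checksum served alongside the file versus a signature checked against a key pinned in the client), here is an added Go example that is not part of the thread and does not model OpenOffice.org's real update mechanism. The manifest layout, the key names and the sample installer bytes are all constructed for illustration. It shows that a man-in-the-middle who controls both the manifest and the file passes a checksum-only check every time, while a client holding the publisher's public key rejects the same file because the attacker cannot produce a valid signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what an update client fetches before the installer itself:
// the version offered, the installer's SHA-256, and the publisher's
// signature over that hash. Constructed layout, not OOo's real format.
type Manifest struct {
	Version   string
	SHA256    string
	Signature []byte
}

// Publisher holds the release signing key; only Pub ships in the client.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh Ed25519 key pair for the release team.
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, priv: priv}, nil
}

// Release hashes the installer and signs the hash with the private key.
func (p *Publisher) Release(version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	return Manifest{Version: version, SHA256: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(p.priv, sum[:])}
}

// hashMatches reports whether the installer hashes to the manifest's SHA-256.
func hashMatches(m Manifest, installer []byte) bool {
	sum := sha256.Sum256(installer)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(sum[:], want) == 1
}

// VerifyChecksumOnly trusts whatever hash the server hands over. It catches
// corruption in transit, but a man-in-the-middle who serves manifest and
// installer together always passes it.
func VerifyChecksumOnly(m Manifest, installer []byte) error {
	if !hashMatches(m, installer) {
		return errors.New("checksum mismatch")
	}
	return nil
}

// VerifySigned additionally requires a valid signature under a key pinned
// into the client at build time; recomputing a hash is easy, forging the
// signature without the private key is not.
func VerifySigned(pinned ed25519.PublicKey, m Manifest, installer []byte) error {
	if err := VerifyChecksumOnly(m, installer); err != nil {
		return err
	}
	sum := sha256.Sum256(installer)
	if !ed25519.Verify(pinned, sum[:], m.Signature) {
		return errors.New("signature does not verify under pinned publisher key")
	}
	return nil
}

// Forge models the diverted update server from the thread: an internally
// consistent manifest for the attacker's file, signed with a key the
// client has never been told to trust.
func Forge(installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return Manifest{Version: "2.4.1", SHA256: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(otherPriv, sum[:])}
}

func main() {
	pub, _ := NewPublisher()
	genuine := []byte("constructed sample: genuine installer bytes")
	other := []byte("constructed sample: substituted installer bytes")
	m, f := pub.Release("2.4.1", genuine), Forge(other)
	fmt.Println("genuine, checksum only:", VerifyChecksumOnly(m, genuine))
	fmt.Println("forged,  checksum only:", VerifyChecksumOnly(f, other))
	fmt.Println("genuine, signed:       ", VerifySigned(pub.Pub, m, genuine))
	fmt.Println("forged,  signed:       ", VerifySigned(pub.Pub, f, other))
}
```

The last line of `main` prints the error, which is the whole point: the forged manifest is internally consistent, so only the pinned key exposes it. As Harold notes, the remaining question is how the client obtained that key in the first place, which is the PKI problem this example deliberately leaves out.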