Vulnerabilities / Threats

8/4/2009
02:06 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Software Updates Vulnerable To Hijacking

Public Wi-Fi networks present a risk to connected users even if they're not surfing the Internet, thanks to applications that try to update themselves automatically.

The security risks posed by the use public Wi-Fi networks have been known for years, but even cautious computer users may be vulnerable to attack when connected to public Wi-Fi networks as a result of the widespread insecurity of automated software updates.

In a recent presentation at the DEFCON security conference in Las Vegas, Radware security researchers Itzik Kotler and Tomer Bitton revealed that hundreds of popular applications are vulnerable to a man-in-the-middle attack because they rely on a flawed software update process.

To demonstrate the flaw, Kotler and Bitton have released software called ippon-mitm that can hijack software update sessions and answer update queries by returning malware to the requesting computer. Often, a user will be unaware that an update query has been sent and intercepted and may continuing to enter sensitive information into the compromised computer.

The researchers said that the update mechanisms in Alcohol 120, Adobe PDF Reader, GOM Player, Hex Workshop, iMesh, and Skype, among other applications, were vulnerable.

Kotler declined to name the rest of the vulnerable applications, saying that his company has been in contact with the appropriate vendors to inform them about the problem. A company spokesperson was not immediately available to clarify whether any of the vulnerable applications have been patched since the DEFCON presentation.

"In a clear Wi-Fi situation everything is open," Kotler said. "I can pretend to be Google. If I know the victim, I can DNS poison the cache."

Kotler warns that the attack, once successful, can turn an infected machine into a source of contagion that attacks other machines on the network.

Unlike Microsoft, which uses public key cryptography to keep its updates secure, most vendors have no update authentication system built into their update process.

"They have to take the time and invest in research to figure out how to conduct updates in a more secure manner," said Kotler.

InformationWeek Analytics has published an independent analysis on data-loss prevention. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.