Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, say that the hack can be used against most of today's client application updates. The researchers, who will present their research at the Defcon17 hacker confab, also will release a tool they developed for the targeted attack that can inject a phony but realistic-looking update alert or hijack an ongoing update session, and lure the user to download malware instead.
"Most applications do simple HTTP transactions that download a file with the newer version ... We can hijack the session and respond ourselves with an 'application update' and it takes place on our malicious Website," Kotler says. "They are then going to download an update, and voila: it's malware."
The so-called Ippon tool, which is Japanese for "game over," can also generate an attack where a victimized user's machine can attack other machines in its proximity on the WiFi network. "You can take it to a self-propagation method and have it do the same to another victim," he says.
Kotler won't reveal the names of the around 100 applications that are vulnerable to the attack, but said they are the "everyday apps" people use, including CD burners, video players, and other popular apps. Microsoft apps are immune to the attack because Microsoft digitally signs its application updates, Kotler says. "If [an application developer] distributes a public key and signs every binary with their own private key, it's safe" from the attack, he says.
The tool can also be used to attack legitimate applications and Websites. "I can do damage and convince it that this application or Website is malicious," he says.
The attack takes advantage of unsecured WiFi as well as the way these apps run their update processes unsecurely, he says. Users running VPN sessions over WiFi are safe from the attack. "If we're in range [on WiFi], we monitor HTTP requests," he says. "The victim either has to be updating, or you can fake them into thinking there's" an update, he says.
Kotler says the attack basically shuts out the real server and "puts it on mute."
"I don't have to supply a binary -- all I have to do is inject a packet for HTTP redirection," he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.