EvilGrade Exploit tool kit attacks via update mechanism?

Talk about anything at all....

EvilGrade Exploit tool kit attacks via update mechanism?

Postby DavidBassPlayer » Mon Aug 04, 2008 9:09 pm

This is a very brief summary from this web site

http://blogs.pcmag.com/securitywatch/20 ... t_atta.php

The article says the EvilGrade Exploit tool kit claims to be able to attack systems using the "man in the middle", attacking through the "update" mechanism. The attacker mentions OO.o in the kit "ReadMe". The authors of the Exploit kit committed spelling errors, calling OO.o OpenOffices, but this does not comfort me at all.

Open Office can go to the OO.o web site and download new OO.o installation packages, and this appears to be the mechanism this kit can exploit.

It appears MS has protected its customers to some extent because MS only installs updates and installation files that they have digitally signed. Is it possible to get OO.o installers that are digitally signed?

I think I saw that checksums are available for the installation files, but I also hear that the MD5SUM can be forged. Of course check sums primarily are concerned with transmission errors, and digital signing with certifying authorship.

I'd like to hear from informed individuals on the issue of how much danger there is from this and similar malware kits.

David Teague
OOo 2.4.X on Ms Windows XP + Linux
DavidBassPlayer
 
Posts: 1
Joined: Mon Aug 04, 2008 8:07 pm

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Postby Phil » Tue Aug 05, 2008 9:56 am

Hi and welcome David!

Yes, there is indeed a security threat.

However, we have to remember that the threat itself lies in the unpatched DNS servers. There are other attack scenarios apart from the one used by Evilgrade.
I admit, though, that this one is quite malicious.

Indeed Microsoft has mitigated this threat quite effectively by using digital signatures. This could certainly be implemented for OpenOffice as well.
You could file an issue in order to propose such a feature.

In the meantime, it could be a good idea to disable the automatic update function of OpenOffice (and of other software) and to download OpenOffice updates manually. The manually downloaded OpenOffice updates can be checked via md5sums.

Regards, phil
OOo 3.0.1 & DEV-3.1 • WinXP pro 32-bit + SP3 + current patches
Looking for OpenOffice-related information? Try the search engine on OpenOfficeNinja - a great tool!
My favorite extension: Alt. Find & Replace for Writer. All you need and much more...
OOo 2.4.X on Ms Windows XP
Phil
Volunteer
 
Posts: 802
Joined: Fri Nov 30, 2007 5:35 pm
Location: Germany

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Postby Bill » Tue Aug 05, 2008 6:50 pm

Bill
Volunteer
 
Posts: 7333
Joined: Sat Nov 24, 2007 6:48 am

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Postby acknak » Tue Aug 05, 2008 8:25 pm

I don't understand how verifying a hash signature, or using a certificate, will prove anything. Remember, the only way this attack works is if the bad guys have already hijacked your DNS, in which case they can fake a reply for anything you request, including the hash signature or certificate.

The signature only proves that what you downloaded is the same data that was on the server you downloaded it from, unless you can get the signature from a known-trustworthy source, or at least from two different sources.
AOO4/LO5 • Linux • Fedora 23
User avatar
acknak
Moderator
 
Posts: 22756
Joined: Mon Oct 08, 2007 1:25 am
Location: USA:NJ:E3

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Postby Phil » Wed Aug 06, 2008 9:03 am

acknak wrote:The signature only proves that what you downloaded is the same data that was on the server you downloaded it from, unless you can get the signature from a known-trustworthy source, or at least from two different sources.

Yes, indeed there needs to be some concept to ensure this. See the discussion in Malte Timmermann's Blog.

Regards, phil
OOo 3.0.1 & DEV-3.1 • WinXP pro 32-bit + SP3 + current patches
Looking for OpenOffice-related information? Try the search engine on OpenOfficeNinja - a great tool!
My favorite extension: Alt. Find & Replace for Writer. All you need and much more...
OOo 2.4.X on Ms Windows XP
Phil
Volunteer
 
Posts: 802
Joined: Fri Nov 30, 2007 5:35 pm
Location: Germany


Return to General Discussion

Who is online

Users browsing this forum: Google [Bot], Gula88 and 4 guests