This is a very brief summary from this web site
http://blogs.pcmag.com/securitywatch/20 ... t_atta.php
The article says the EvilGrade Exploit toolkit claims to be able to attack systems using a "man in the middle" attack through the "update" mechanism. The attacker mentions OO.o in the kit "ReadMe". The authors of the Exploit kit committed spelling errors, calling OO.o OpenOffices, but this does not comfort me at all.
Open Office can go to the OO.o web site and download new OO.o installation packages, and this appears to be the mechanism this kit can exploit.
It appears MS has protected its customers to some extent because MS only installs updates and installation files that they have digitally signed. Is it possible to get OO.o installers that are digitally signed?
I think I saw that checksums are available for the installation files, but I also hear that the MD5SUM can be forged. Of course checksums are primarily concerned with transmission errors, and digital signing with certifying authorship.
I'd like to hear from informed individuals on the issue of how much danger there is from this and similar malware kits.
David Teague
EvilGrade Exploit tool kit attacks via update mechanism?
- Joined: Mon Aug 04, 2008 8:07 pm
OOo 2.4.X on Ms Windows XP + Linux
Re: EvilGrade Exploit tool kit attacks via update mechanism?
Hi and welcome David!
Yes, there is indeed a security threat.
However, we have to remember that the threat itself lies in the unpatched DNS servers. There are other attack scenarios apart from the one used by Evilgrade.
I admit, though, that this one is quite malicious.
Indeed Microsoft has mitigated this threat quite effectively by using digital signatures. This could certainly be implemented for OpenOffice as well.
You could file an issue in order to propose such a feature.
In the meantime, it could be a good idea to disable the automatic update function of OpenOffice (and of other software) and to download OpenOffice updates manually. The manually downloaded OpenOffice updates can be checked via md5sums.
Regards, phil
OOo 3.0.1 & DEV-3.1 • WinXP pro 32-bit + SP3 + current patches
Looking for OpenOffice-related information? Try the search engine on OpenOfficeNinja - a great tool!
My favorite extension: Alt. Find & Replace for Writer. All you need and much more...
Re: EvilGrade Exploit tool kit attacks via update mechanism?
An issue has been filed: Online update must verify package signatures
Re: EvilGrade Exploit tool kit attacks via update mechanism?
I don't understand how verifying a hash signature, or using a certificate, will prove anything. Remember, the only way this attack works is if the bad guys have already hijacked your DNS, in which case they can fake a reply for anything you request, including the hash signature or certificate.
The signature only proves that what you downloaded is the same data that was on the server you downloaded it from, unless you can get the signature from a known-trustworthy source, or at least from two different sources.
AOO4/LO5 • Linux • Fedora 23
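As an added illustration of phil's suggestion to check a manually downloaded package against its md5sum, and of acknak's point that a checksum fetched from the same host as the download proves nothing once DNS is hijacked: the Python below is not from this thread or from the OpenOffice.org project. The package bytes, the mirror and its URL path, and the pinned digest are constructed for the example. It models a mirror that, when hijacked, serves a trojaned package together with a matching .md5 file, and compares three checks: the served checksum, a digest pinned on the client from a trusted source, and agreement between two independent hosts.

```python
"""
Added example (not from the forum thread or the OpenOffice.org project):
why a checksum served by the same host as the download proves nothing once
DNS is hijacked, and why a digest pinned from a trusted source, or agreed
by independent sources, does.  All packages, paths and mirrors are
constructed stand-ins.
"""
import hashlib
import hmac

# Constructed stand-ins for an installer: genuine and trojaned bytes.
GENUINE_PKG = b"OOo_2.4.1_Win32Intel_install_en-US.exe (genuine, constructed)"
TROJAN_PKG = b"OOo_2.4.1_Win32Intel_install_en-US.exe (trojaned, constructed)"

# Digest of the genuine package recorded from a known-trustworthy source
# before any attack, over a channel the attacker does not control.
# Hypothetical pinned value, computed here only because the example must
# run stand-alone.
PINNED_SHA256 = hashlib.sha256(GENUINE_PKG).hexdigest()

PKG_PATH = "/stable/installer.exe"  # hypothetical URL path on the mirror


class Mirror:
    """A download host as the client sees it.  A hijacked mirror serves the
    trojan *and* the matching .md5 file, because the attacker who forged
    the DNS answer for the package also answers for the checksum URL."""

    def __init__(self, pkg: bytes):
        self.pkg = pkg

    def get(self, path: str) -> bytes:
        if path.endswith(".md5"):
            return hashlib.md5(self.pkg).hexdigest().encode()
        return self.pkg


def verify_with_served_md5(mirror: Mirror) -> bool:
    """Check the download against the .md5 file from the same host.
    This detects transmission errors only: an attacker who controls the
    host makes the two agree trivially."""
    pkg = mirror.get(PKG_PATH)
    served = mirror.get(PKG_PATH + ".md5").decode()
    return hmac.compare_digest(hashlib.md5(pkg).hexdigest(), served)


def verify_with_pinned_digest(mirror: Mirror, pinned: str = PINNED_SHA256) -> bool:
    """Check the download against a digest the client already holds from a
    trusted source.  The mirror cannot influence the reference value."""
    pkg = mirror.get(PKG_PATH)
    return hmac.compare_digest(hashlib.sha256(pkg).hexdigest(), pinned)


def verify_with_two_sources(download: Mirror, second: Mirror) -> bool:
    """Accept only if an independent second host agrees on the checksum.
    This defeats an attacker who hijacked one host.  An attacker who
    controls the client's resolver can still answer for both hosts, so it
    is weaker than a pinned digest or a signature checked with a pinned key."""
    pkg = download.get(PKG_PATH)
    a = download.get(PKG_PATH + ".md5").decode()
    b = second.get(PKG_PATH + ".md5").decode()
    return hmac.compare_digest(a, b) and hmac.compare_digest(
        hashlib.md5(pkg).hexdigest(), a
    )


def run_scenarios() -> dict:
    """Run each check against an honest and a hijacked mirror."""
    honest = Mirror(GENUINE_PKG)
    honest_second = Mirror(GENUINE_PKG)
    hijacked = Mirror(TROJAN_PKG)
    return {
        "honest/served_md5": verify_with_served_md5(honest),
        "honest/pinned": verify_with_pinned_digest(honest),
        "hijacked/served_md5": verify_with_served_md5(hijacked),  # passes: the attack works
        "hijacked/pinned": verify_with_pinned_digest(hijacked),   # fails: download rejected
        "hijacked+honest_second/two_sources": verify_with_two_sources(hijacked, honest_second),
        "honest+honest_second/two_sources": verify_with_two_sources(honest, honest_second),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:40s} {'ACCEPT' if ok else 'REJECT'}")
```

The served-md5 check accepts the trojaned package, which is exactly the attack the thread describes; the pinned-digest check rejects it because its reference value never passed through the attacker's hands. A signature verified with a public key pinned on the client is the general form of the pinned-digest check (the key is pinned once, and any number of future packages can be verified against it), which is what the filed issue asks for. hmac.compare_digest is used for the comparisons so that they run in constant time.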
Re: EvilGrade Exploit tool kit attacks via update mechanism?
acknak wrote:
The signature only proves that what you downloaded is the same data that was on the server you downloaded it from, unless you can get the signature from a known-trustworthy source, or at least from two different sources.
Yes, indeed there needs to be some concept to ensure this. See the discussion in Malte Timmermann's Blog.
Regards, phil