EvilGrade Exploit tool kit attacks via update mechanism?

Talk about anything at all....
DavidBassPlayer
Posts: 1
Joined: Mon Aug 04, 2008 8:07 pm

EvilGrade Exploit tool kit attacks via update mechanism?

Post by DavidBassPlayer »

This is a very brief summary from this web site

http://blogs.pcmag.com/securitywatch/20 ... t_atta.php

The article says the EvilGrade exploit toolkit claims to be able to attack systems using a "man in the middle", attacking through the "update" mechanism. The attacker mentions OO.o in the kit's "ReadMe". The authors of the exploit kit committed spelling errors, calling OO.o "OpenOffices", but this does not comfort me at all.

Open Office can go to the OO.o web site and download new OO.o installation packages, and this appears to be the mechanism this kit can exploit.

It appears MS has protected its customers to some extent because MS only installs updates and installation files that they have digitally signed. Is it possible to get OO.o installers that are digitally signed?

I think I saw that checksums are available for the installation files, but I also hear that the MD5SUM can be forged. Of course, checksums are primarily concerned with transmission errors, and digital signing with certifying authorship.

I'd like to hear from informed individuals on the issue of how much danger there is from this and similar malware kits.

David Teague
OOo 2.4.X on Ms Windows XP + Linux
Phil
Volunteer
Posts: 802
Joined: Fri Nov 30, 2007 5:35 pm
Location: Germany

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Post by Phil »

Hi and welcome David!

Yes, there is indeed a security threat.

However, we have to remember that the threat itself lies in the unpatched DNS servers. There are other attack scenarios apart from the one used by Evilgrade.
I admit, though, that this one is quite malicious.

Indeed Microsoft has mitigated this threat quite effectively by using digital signatures. This could certainly be implemented for OpenOffice as well.
You could file an issue in order to propose such a feature.

In the meantime, it could be a good idea to disable the automatic update function of OpenOffice (and of other software) and to download OpenOffice updates manually. The manually downloaded OpenOffice updates can be checked via md5sums.

Regards, phil
OOo 3.0.1 & DEV-3.1 • WinXP pro 32-bit + SP3 + current patches
Looking for OpenOffice-related information? Try the search engine on OpenOfficeNinja - a great tool!
My favorite extension: Alt. Find & Replace for Writer. All you need and much more...
Bill
Volunteer
Posts: 8933
Joined: Sat Nov 24, 2007 6:48 am

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Post by Bill »

acknak
Moderator
Posts: 22756
Joined: Mon Oct 08, 2007 1:25 am
Location: USA:NJ:E3

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Post by acknak »

I don't understand how verifying a hash signature, or using a certificate, will prove anything. Remember, the only way this attack works is if the bad guys have already hijacked your DNS, in which case they can fake a reply for anything you request, including the hash signature or certificate.

The signature only proves that what you downloaded is the same data that was on the server you downloaded it from, unless you can get the signature from a known-trustworthy source, or at least from two different sources.
AOO4/LO5 • Linux • Fedora 23
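The point made in the two posts above, that a checksum fetched from the same host as the file proves nothing once DNS has been hijacked, while a signature checked against a key the client already holds does, played out in code. This is an added example written for this thread, not code from OpenOffice.org or from the EvilGrade kit; the installer bytes, the vendor key, the attacker key and the "pinned" digest are all constructed inside the program, and the Ed25519 signature stands in for whatever signing scheme a vendor would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Download is what an update server hands the client: the installer and the
// metadata published beside it. Under DNS hijacking the attacker controls
// every field, because the client resolved the update host to the attacker.
type Download struct {
	Installer []byte
	MD5       string // MD5SUM published on the same server as the file
	Sig       []byte // detached Ed25519 signature over Installer
}

// Verdict records the outcome of the three checks discussed in the thread.
type Verdict struct {
	SameSourceMD5 bool // MD5SUM fetched from the same server matches the file
	PinnedHash    bool // SHA-256 matches a digest obtained out of band
	Signature     bool // signature verifies under a key the client already had
}

// publish builds the response a server serves for an installer. Only the
// holder of priv can produce a Sig that the matching public key accepts.
func publish(installer []byte, priv ed25519.PrivateKey) Download {
	sum := md5.Sum(installer)
	return Download{
		Installer: installer,
		MD5:       hex.EncodeToString(sum[:]),
		Sig:       ed25519.Sign(priv, installer),
	}
}

// hijack models the EvilGrade situation: the attacker answers the client's
// DNS query, serves a trojaned installer and publishes a correct MD5SUM for
// it. Lacking the vendor's private key, the attacker signs with a key of
// their own (a constructed key, generated here on the fly).
func hijack(trojan []byte) Download {
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return publish(trojan, attackerPriv)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// equalHex compares two hex digests in constant time.
func equalHex(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// verify runs the three checks. pinnedSHA256 is a digest the client obtained
// through an independent channel; vendorPub is a key that shipped with the
// previously installed version, not something fetched during this update.
func verify(d Download, pinnedSHA256 string, vendorPub ed25519.PublicKey) Verdict {
	sum := md5.Sum(d.Installer)
	return Verdict{
		SameSourceMD5: equalHex(hex.EncodeToString(sum[:]), d.MD5),
		PinnedHash:    equalHex(sha256Hex(d.Installer), pinnedSHA256),
		Signature:     ed25519.Verify(vendorPub, d.Installer, d.Sig),
	}
}

// RunScenario plays out a clean download and a hijacked one and returns the
// verdicts for both. All byte strings are constructed stand-ins for files.
func RunScenario() (genuine, hijacked Verdict) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed stand-in for the vendor's installer package")
	trojan := []byte("constructed stand-in for the attacker's trojaned package")

	// Digest the client recorded out of band (e.g. from a second source reached
	// through a different resolver) before attempting the update.
	pinned := sha256Hex(installer)

	genuine = verify(publish(installer, vendorPriv), pinned, vendorPub)
	hijacked = verify(hijack(trojan), pinned, vendorPub)
	return genuine, hijacked
}

func main() {
	g, h := RunScenario()
	fmt.Printf("genuine:  %+v\n", g)  // all three checks pass
	fmt.Printf("hijacked: %+v\n", h)  // only SameSourceMD5 still passes
}
```

The hijacked download sails through the same-source MD5SUM check, because the attacker computed that checksum over the file they served; it fails the pinned-hash check and the signature check, because both compare against something the attacker never controlled. The signature check is only as strong as the way the client got the vendor key: if the key is fetched during the same update from the same hijacked host, it is in exactly the position of the MD5SUM.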
Phil
Volunteer
Posts: 802
Joined: Fri Nov 30, 2007 5:35 pm
Location: Germany

Re: EvilGrade Exploit tool kit attacks via update mechanism?

Post by Phil »

acknak wrote: The signature only proves that what you downloaded is the same data that was on the server you downloaded it from, unless you can get the signature from a known-trustworthy source, or at least from two different sources.
Yes, indeed there needs to be some concept to ensure this. See the discussion in Malte Timmermann's blog.

Regards, phil
OOo 3.0.1 & DEV-3.1 • WinXP pro 32-bit + SP3 + current patches