DEFCON: Danger from automatic updates
Security experts Itzik Kotler and Tomer Bitto have presented a new tool known as Ippon at hacker conference DEFCON. They plan to make the tool available as a download in the near future. Ippon compromises the automatic update mechanisms used by many different applications. It fools applications, such as Adobe Reader, Alcohol 120, Notepad++ and Skype into thinking that an update is available. In an attack scenario, rather than containing an update, the file passed to the relevant application contains a trojan or rootkit.
A similar tool, Evilgrade, was presented by two Argentinian programmers last year. Ippon, in contrast to Evilgrade, is coded in Python and is able to act as a wireless Rogue Access Point, drawing victims in by appearing to offer free internet access. In a non-wireless LAN, an attacker has to use ARP spoofing to play man-in-the-middle.
In order to respond appropriately to each application's update check, Ippon includes a small database of the web addresses that the applications contact to look for updates. If Ippon detects an attempt to access one of these addresses, it interrupts the connection and hijacks the communication with the application. The database takes the form of an XML file, so that Ippon users can add new applications as required.
Protection against this kind of attack can be achieved by using proper HTTPS encryption and offering digitally-signed updates – Firefox, for example, is not vulnerable to attack using Ippon for this reason. The experts were also unable to interfere with Microsoft's Windows Update system. Microsoft has apparently secured its update service using a range of protective measures and encryption procedures, so that it is reportedly not possible to inject a malicious update into Windows.
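The defence described above, as an added example (not code from the Ippon presentation or from any of the products named): a client-side updater that only accepts an update whose manifest is signed by a pinned vendor key and whose file hash matches that manifest, so a substituted file served over a hijacked connection is refused. The manifest format and the Ed25519 key are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor fetched by the client.
type Manifest struct {
	Version    string
	PayloadSHA string // hex SHA-256 of the update file the manifest vouches for
}

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.PayloadSHA + "\n") }

// SignManifest is what the vendor does with its private key before publishing.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.bytes()) }

// VerifyUpdate is the client check: pinned public key, then payload hash.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return errors.New("payload hash mismatch: refusing update")
	}
	return nil
}

// RunScenario plays out genuine, swapped-payload and altered-manifest cases
// with constructed sample data; returns whether each was accepted.
func RunScenario() (genuineOK, swappedOK, forgedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	genuine := []byte("constructed genuine update bytes")
	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "2.0.1", PayloadSHA: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	genuineOK = VerifyUpdate(pub, m, sig, genuine) == nil
	swappedOK = VerifyUpdate(pub, m, sig, []byte("substituted file from hijacked channel")) == nil
	forged := Manifest{Version: "9.9.9", PayloadSHA: m.PayloadSHA} // manifest edited in transit
	forgedOK = VerifyUpdate(pub, forged, sig, genuine) == nil
	return
}

func main() {
	g, s, f := RunScenario()
	fmt.Printf("genuine accepted=%v swapped accepted=%v forged accepted=%v\n", g, s, f)
}
```

Without the pinned key, an attacker positioned on the update channel could simply re-sign an altered manifest, which is why the key must ship with the application rather than be fetched alongside the update.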