A few days ago, I installed the "Yahoo pager" on my Win95 machine. I configured it NOT to auto-run at Windows startup, which is not the default option.

Today, when I started the Yahoo pager, it automatically downloaded executable files from http://pager.yahoo.com/pager/download/ (files ypager.ex_, d23-fw.dl_, myyahoo.dl_ and possibly others) and installed them without asking me. AFTER the upgrade, a message "Application successfully upgraded!" was displayed.

If I'm not mistaken, it should be easy for an attacker to use (e.g.) DNS poisoning to redirect "pager.yahoo.com" to his own webserver, offer his own version of ypager.ex_ with a very high version number, and just wait for the victim to start up the Yahoo pager (default option: autostart with Windows startup), auto-download and auto-execute whatever he wants to (trojan horses, network sniffers, viruses, etc.). If the functionality of the original Yahoo pager was preserved, the victim wouldn't even notice he was under attack.

Am I right or am I paranoid? What security measures would possibly stop such an attacker?

btw: The Yahoo pager is only one example: Many software vendors offer online upgrades. It just sounds like a bad idea to me to allow this update without asking the user, and without any authentication.

Ralf
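
One measure that addresses the question in the message above, shown as an added example that is not part of the original post or of any vendor's code: the client installs an update only if a manifest naming its version and SHA-256 hash carries a valid signature from a public key shipped with the program. The manifest layout, the function names and the demo key are assumptions made for this sketch.

```python
import hashlib
import hmac

# CONSTRUCTED demo key built from two Mersenne primes so the example runs
# offline. It is not secure; a vendor would keep D offline and ship only N, E.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-side secret (needs Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RSASSA-PKCS1-v1_5, RFC 8017)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(message: bytes) -> bytes:
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(message: bytes) -> bytes:
    """Vendor side: sign the manifest with the private exponent."""
    return pow(int.from_bytes(_encode(message), "big"), D, N).to_bytes(K, "big")

def verify(message: bytes, signature: bytes) -> bool:
    """Client side: rebuild the expected encoding and compare all of it."""
    if len(signature) != K or int.from_bytes(signature, "big") >= N:
        return False
    recovered = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, _encode(message))

def make_manifest(name: str, version: int, payload: bytes) -> bytes:
    # Hypothetical manifest layout: "<file name> <version> <sha256 hex>"
    return f"{name} {version} {hashlib.sha256(payload).hexdigest()}".encode()

def accept_update(manifest, signature, payload, installed_version) -> bool:
    """Install only a signed, newer update whose bytes match the manifest."""
    if not verify(manifest, signature):
        return False                 # manifest did not come from the vendor
    try:
        _name, version, digest = manifest.decode("ascii").split(" ")
        version = int(version)
    except ValueError:
        return False                 # malformed manifest
    if version <= installed_version:
        return False                 # replayed or downgraded release
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), digest)
```

With this check a redirected download server can still deny updates, but a file it substitutes is rejected whatever version number it claims, because the manifest signature cannot be produced without the vendor's private key.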