Bugtraq mailing list archives
Yahoo Pager auto-update
From: rrudolph () ARTIFEX DE (Ralf Rudolph)
Date: Wed, 5 Aug 1998 13:52:43 +0200
A few days ago, I installed the "yahoo pager" on my win95 machine. I configured it NOT to auto-run at windows startup, which is not the default option. Today, when I started the yahoo pager, it automatically downloaded executable files from http://pager.yahoo.com/pager/download/ (files ypager.ex_, d23-fw.dl_, myyahoo.dl_ and possibly others) and installed them without asking me. AFTER the upgrade, a message "Application successfully upgraded!" was displayed. If i´m not mistaken, it should be easy for an attacker to use (e.g.) dns-poisoning to redirect "pager.yahoo.com" to his own webserver, offer his own version of ypager.ex_ with a very high version number, and just wait for the victim to start up the yahoo pager (default option: autostart with windows startup) , auto-download and auto-execute whatever he wants to (trojan horses, network sniffers, viruses, etc.). If the functionality of the original yahoo pager was preserved, the victim wouldn´t even notice he was under attack. Am I right or am I paranoid? What security measures would possibly stop such an attacker? btw: The yahoo pager is only one example: Many software vendors offer online upgrades. It just sounds like a bad idea to me to allow this update without asking the user, and without any authentification. Ralf
Current thread:
- Yahoo Pager auto-update Ralf Rudolph (Aug 05)
- Re: Yahoo Pager auto-update Sergiy Zhuk (Aug 05)
- Re: Yahoo Pager auto-update Chris Wedgwood (Aug 06)
- <Possible follow-ups>
- Re: Yahoo Pager auto-update Texan Hawk (Aug 10)
- Source Back Orifice Unix client released Patrick Oonk (Aug 10)
- Re: Yahoo Pager auto-update Sergiy Zhuk (Aug 10)
- Re: Debian Apache Security Update Dag-Erling Coidan Smørgrav (Aug 10)
- Re: Yahoo Pager auto-update Jay (Aug 10)
- Re: Yahoo Pager auto-update Aleph One (Aug 10)
- Re: Yahoo Pager auto-update Sergiy Zhuk (Aug 05)