Bugtraq mailing list archives
Re: Yahoo Pager auto-update
From: serge () YAHOO-INC COM (Sergiy Zhuk)
Date: Wed, 5 Aug 1998 16:51:25 -0700
hi

On Wed, 5 Aug 1998, Ralf Rudolph wrote:

> Today, when I started the yahoo pager, it automatically downloaded executable files from http://pager.yahoo.com/pager/download/ (files ypager.ex_, d23-fw.dl_, myyahoo.dl_ and possibly others) and installed them without asking me. AFTER the upgrade, a message "Application successfully upgraded!" was displayed.

well, according to our engineers, Yahoo Pager doesn't update its binaries automatically, you'll be asked to confirm the update. But the updater itself *will* be updated automatically w/o your confirmation which is not a Good Thing. They are aware of it and they're trying to fix it. Simple user confirmation doesn't protect your files anyway. One should probably check the integrity of files or/and sign them somehow.

> btw: The yahoo pager is only one example: Many software vendors offer online upgrades. It just sounds like a bad idea to me to allow this

yes, Symantec, for example...

rgds, serge
--
+-------------------------------------+-------------------------------------+
| Sergiy Zhuk                         | serge () yahoo-inc com              |
| Technical Yahoo                     | +1-408-731-3546                     |
| Yahoo!, Inc                         | http://www.yahoo.com/               |
+-------------------------------------+-------------------------------------+
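The integrity-and-signature check suggested in the post, sketched as an added example (not part of the original message and not Yahoo's code): the client installs nothing unless a vendor-signed manifest verifies and every downloaded file matches its SHA-256 entry. The manifest format, function names, file contents and the demo RSA key are assumptions constructed for illustration; the same check would cover the updater's own binary.

```python
import hashlib

# Constructed demo key: both primes are public Mersenne primes, so it is NOT
# secret. A real vendor keeps D offline and ships only (N, E) in the client.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed stand-ins for the files named in the post.
SAMPLE_FILES = {"ypager.ex_": b"pager build", "d23-fw.dl_": b"fw lib",
                "myyahoo.dl_": b"myyahoo lib"}

def emsa_encode(msg: bytes) -> int:
    """PKCS#1 v1.5 signature encoding of SHA-256(msg), as an integer."""
    t = SHA256_INFO + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def build_manifest(files: dict) -> bytes:
    """Vendor side: one 'sha256  name' line per file, sorted by name."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n"
                   for n, d in sorted(files.items())).encode()

def sign_manifest(manifest: bytes) -> int:
    """Vendor side: needs the private exponent D."""
    return pow(emsa_encode(manifest), D, N)

def verify_update(manifest: bytes, sig: int, downloaded: dict) -> list:
    """Client side: return the names cleared for install, or raise ValueError."""
    if not (0 < sig < N) or pow(sig, E, N) != emsa_encode(manifest):
        raise ValueError("manifest signature invalid")
    expected = {}
    for line in manifest.decode().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    if set(downloaded) != set(expected):
        raise ValueError("file set differs from manifest")
    for name, data in downloaded.items():
        if hashlib.sha256(data).hexdigest() != expected[name]:
            raise ValueError(f"hash mismatch: {name}")
    return sorted(downloaded)

if __name__ == "__main__":
    m = build_manifest(SAMPLE_FILES)
    print(verify_update(m, sign_manifest(m), SAMPLE_FILES))
```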
Current thread:
- Yahoo Pager auto-update Ralf Rudolph (Aug 05)
- Re: Yahoo Pager auto-update Sergiy Zhuk (Aug 05)
- Re: Yahoo Pager auto-update Chris Wedgwood (Aug 06)
- <Possible follow-ups>
- Re: Yahoo Pager auto-update Texan Hawk (Aug 10)
- Source Back Orifice Unix client released Patrick Oonk (Aug 10)
- Re: Yahoo Pager auto-update Sergiy Zhuk (Aug 10)
- Re: Debian Apache Security Update Dag-Erling Coidan Smørgrav (Aug 10)
- Re: Yahoo Pager auto-update Jay (Aug 10)
- Re: Yahoo Pager auto-update Aleph One (Aug 10)
- Re: Yahoo Pager auto-update Sergiy Zhuk (Aug 05)