Distributing Patches in Email (was: RE: EZ Shopper 3.0 shopping cart CGI remote command execution)

[blake () HOMEPORT ORG (Scott Blake)]

As someone who works for a vendor that does distribute product updates
via email, I feel that I need to respond.  An exception the rule Marc
mentions should be non-executable, strongly signed updates.  Concerned
users can easily verify the signature manually (the software does so
automatically) to be certain of the file's provenance and integrity.
A key advantage to this approach is that the software can be fully
up-to-date without admins needing to spare cycles (or can be fully
manual, user's choice).  Furthermore, there is no need to make any
adjustments to firewalls -- the inbound mail is routed to your normal
mail server and the software retrieves it from there.  Oh, the
software I'm refering to is HackerShield.

That said, running executables received in email is never a good idea
(possibly excepting strongly signed files).

-scott

Btw, if anyone sees a flaw in our approach, I'd love to hear it.

------
Scott Blake
BindView's RAZOR Team
http://razor.bindview.com/

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On
> Behalf Of Marc
> Sent: Tuesday, February 29, 2000 9:07 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: EZ Shopper 3.0 shopping cart CGI remote
> command execution
>
>
> Sent via eMail? Funny you mention that. One of the last
> clients we did a pen
> test on was hacked just the same way. Ya a nice spoofed
> eMail from Symantxx
> telling them to update PcAnywhexx.
>
> I guess the point I'm trying to make is that sending
> updates via eMail is
> not the brightest of ideas. An eMail with a link to a file,
> on the software
> vendors page, would be much better. Also no IT person
> should be running
> "software patches" that were eMailed to them because who
> knows what exactly
> is being "patched."
>
> I don't know if EZ Shopper 3.0 has their patch posted on
> the web so this is
> not necessarily directed straight at them but third party
> software vendors
> as a whole.
>
> Signed,
> Marc
> eEye Digital Security
> http://www.eEye.com
>
> "It is the years that blind you. Searching so hard for
> success you lose
> grasp on the basic wonders of being alive."
> -chameleon
>
>
> | -----Original Message-----
> | From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On
> Behalf Of Alex
> | Heiphetz
> | Sent: Monday, February 28, 2000 9:43 AM
> | To: BUGTRAQ () SECURITYFOCUS COM
> | Subject: Re: EZ Shopper 3.0 shopping cart CGI remote
> command execution
> |
> |
> | At 09:42 AM 2/27/00 +0000, suid () SUID KG wrote:
> | >suid () suid kg - EZ Shopper 3.0 remote command execution.
> |
> | <...>
> |
> | >Workaround:
> | >
> | >   The vendor, AHG Inc, has released a fixed version,
> download it from
> | >   their website and install the fixed version.
> |
> | Correction: clients are notified and patch is being sent
> via e-mail.
> | Help with installation offered.
> |
> | Regards,
> | AH
> |