Lovely. Okay developers, time to get moving — add public-key code-signing stuff, so that your programs can tell whether they’re getting a legitimate update or not. Don’t know how, and don’t have time to learn? Try the GnuPG Made Easy (GPGME) library.
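The public-key check the comment above asks for, as an added example that is not from any commenter and uses Go's standard ed25519 package in place of the GPGME library mentioned: the client pins the vendor's public key, verifies the signed manifest, and only then compares the payload's SHA-256 with the signed hash, so an update swapped in by a poisoned DNS answer or any other man-in-the-middle fails verification. The manifest format, key names and payload bytes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: version plus SHA-256 of the update payload
// (constructed format). The client trusts only the pinned vendor public key,
// never the server or the DNS answer that delivered the update.
type Manifest struct {
	Version    string
	PayloadSHA string
	Signature  []byte // ed25519 signature over signedBytes()
}
func (m Manifest) signedBytes() []byte { return []byte(m.Version + "\n" + m.PayloadSHA + "\n") }

// SignManifest runs on the vendor's build machine; the private key never ships.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate is the client check: install only if the manifest carries a valid
// signature from the pinned key AND the payload hashes to what the manifest says.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.PayloadSHA {
		return errors.New("payload hash mismatch: update file altered in transit")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key that is not the vendor's
	good := []byte("constructed update payload v1.1")
	m := SignManifest(vendorPriv, "1.1", good)
	fmt.Println("genuine:", VerifyUpdate(vendorPub, m, good))
	fmt.Println("altered payload:", VerifyUpdate(vendorPub, m, []byte("something else")))
	fmt.Println("other key:", VerifyUpdate(vendorPub, SignManifest(otherPriv, "1.1", good), good))
}
```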
I’m happy to say that Ubuntu Linux isn’t affected by this, because it already utilizes code signing for all of its updates. I’m not sure whether Windows does as well, but if it didn’t, I suspect it would be the first thing in the title’s list.
OS X Leopard has code-signing features. Trust Apple to have a security feature but not use it, assuming this is a Leopard exploit and not just Tiger and earlier. Of course, one’s susceptibility is much reduced if one uses OpenDNS – the man in the middle attack usually relies on cache poisoning. Speaking of which, APPLE? PATCH BIND ON OS X! (Assuming anyone uses OS X as a DNS server… 🙂 )
As the article says, DNS cache poisoning is only the latest way to set up the man-in-the-middle attack. I know of at least a couple others, and I just watch this stuff out of curiosity — you can bet that anyone actually doing something with it knows a lot more.
Yeah, I also note Open Office is in the list – so try to apply updates only from the website I guess, and hope it too hasn’t been forged.
What is really bad about this is that I’d been trying to encourage a friend whose system keeps getting infected to pay attention to update messages and not worry if they are going to “mess up his computer”. Now I have to worry about this and am not sure if I feel confident in telling him that the benefits outweigh the risks. (Forget about getting him to update manually – like most computer users he prefers to take the path of least resistance, a bad course to take if you use Windows.)
If he’s running Windows, he’s probably safe — as mentioned above, Microsoft is almost certain to be using code-signing already.
Not for plug-ins and other updates. I wasn’t thinking of Windows Update.
Ah. Yes, other programs are still vulnerable, until their authors provide secure (signed) updates.