Bugtraq: Distributing Patches in Email (was: RE: EZ Shopper 3.0 shopping cart CGI remote command execution)

From: Scott Blake <blake_at_HOMEPORT.ORG>
Date: Wed, 1 Mar 2000 20:37:19 -0500

As someone who works for a vendor that does distribute product updates
via email, I feel that I need to respond. An exception to the rule Marc
mentions should be non-executable, strongly signed updates. Concerned
users can easily verify the signature manually (the software does so
automatically) to be certain of the file's provenance and integrity.
A key advantage to this approach is that the software can be fully
up-to-date without admins needing to spare cycles (or can be fully
manual, user's choice). Furthermore, there is no need to make any
adjustments to firewalls -- the inbound mail is routed to your normal
mail server and the software retrieves it from there. Oh, the
software I'm referring to is HackerShield.

That said, running executables received in email is never a good idea
(possibly excepting strongly signed files).

-scott

Btw, if anyone sees a flaw in our approach, I'd love to hear it.

------
Scott Blake
BindView's RAZOR Team
http://razor.bindview.com/

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ_at_SECURITYFOCUS.COM] On Behalf Of Marc
> Sent: Tuesday, February 29, 2000 9:07 PM
> To: BUGTRAQ_at_SECURITYFOCUS.COM
> Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
>
> Sent via eMail? Funny you mention that. One of the last clients we did a pen
> test on was hacked just the same way. Ya a nice spoofed eMail from Symantxx
> telling them to update PcAnywhexx.
>
> I guess the point I'm trying to make is that sending updates via eMail is
> not the brightest of ideas. An eMail with a link to a file, on the software
> vendor's page, would be much better. Also no IT person should be running
> "software patches" that were eMailed to them because who knows what exactly
> is being "patched."
>
> I don't know if EZ Shopper 3.0 has their patch posted on the web so this is
> not necessarily directed straight at them but third party software vendors
> as a whole.
>
> Signed,
> Marc
> eEye Digital Security
> http://www.eEye.com
>
> "It is the years that blind you. Searching so hard for success you lose
> grasp on the basic wonders of being alive."
> -chameleon
>
> | -----Original Message-----
> | From: Bugtraq List [mailto:BUGTRAQ_at_SECURITYFOCUS.COM] On Behalf Of Alex Heiphetz
> | Sent: Monday, February 28, 2000 9:43 AM
> | To: BUGTRAQ_at_SECURITYFOCUS.COM
> | Subject: Re: EZ Shopper 3.0 shopping cart CGI remote command execution
> |
> | At 09:42 AM 2/27/00 +0000, suid_at_SUID.KG wrote:
> | >suid_at_suid.kg - EZ Shopper 3.0 remote command execution.
> |
> | <...>
> |
> | >Workaround:
> | >
> | > The vendor, AHG Inc, has released a fixed version, download it from
> | > their website and install the fixed version.
> |
> | Correction: clients are notified and patch is being sent via e-mail.
> | Help with installation offered.
> |
> | Regards,
> | AH
> |
>
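The scheme Scott describes above, as an added illustration that is not HackerShield's or BindView's code: a non-executable update is mailed together with a detached vendor signature, and the receiving software checks it against a public key pinned at install time (never a key taken from the mail itself), so a forged update of the kind Marc's spoofed vendor mail delivered, or a genuine one altered in transit, is refused. Key pairs, file names and payloads are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is what arrives by mail: a non-executable data file (constructed
// here as a rule set) plus the vendor's detached signature over it.
type Update struct {
	Name    string
	Payload []byte
	Sig     []byte
}

// signedMessage binds the file name to its contents, so a valid signature
// cannot be replayed onto a differently named file.
func signedMessage(name string, payload []byte) []byte {
	return append([]byte(name+"\x00"), payload...)
}

// VendorSign is the step the vendor runs before sending the update.
func VendorSign(priv ed25519.PrivateKey, name string, payload []byte) Update {
	return Update{Name: name, Payload: payload, Sig: ed25519.Sign(priv, signedMessage(name, payload))}
}

// VerifyUpdate is the check the receiving software (or an admin doing it by
// hand) performs with the vendor key it already holds; only a passing update
// is applied.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) bool {
	return len(u.Sig) == ed25519.SignatureSize &&
		ed25519.Verify(pinned, signedMessage(u.Name, u.Payload), u.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	upd := VendorSign(priv, "checks-2000-03-01.db", []byte("constructed sample rule set"))
	fmt.Println("genuine update verifies:", VerifyUpdate(pub, upd))

	// A spoofed update from someone who does not hold the vendor key fails.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := VendorSign(otherPriv, upd.Name, []byte("constructed hostile payload"))
	fmt.Println("forged update verifies:", VerifyUpdate(pub, forged))

	// A genuine update altered in transit fails as well.
	tampered := upd
	tampered.Payload = append([]byte{}, upd.Payload...)
	tampered.Payload[0] ^= 1
	fmt.Println("tampered update verifies:", VerifyUpdate(pub, tampered))
}
```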
Received on Mar 02 2000
