Today's Fail Open Goat Award goes to: Insecure 3rd party software updaters

You'll notice Microsoft's auto-updaters (Windows Update / Microsoft Update / Automatic Updates) are not on the list.  Why?  Because we're paranoid, and we anticipated this type of threat years ago and mitigated it by signing all of our binaries and only allowing our updater to install binaries signed by us.  I guess other vendors didn't get the memo. :)

Excerpt:

'....A security research outfit in Argentina has released a malcode distribution toolkit capable of launching man-in-the-middle attacks against popular products that use insecure update mechanisms.

The first version of the toolkit ships with exploit modules for several widely deployed software, including Apple’s Mac OS X and iTunes, WinZip, Winamp, OpenOffice and Sun Java.

A demo video provides a scary look at how a sophisticated blended attack can be used to target millions of Windows users.

In the video, Evilgrade uses HD Moore’s recent DNS exploit in tandem with Sun’s Java update mechanims to execute code and hijack a fully patched Windows machine......'

To read the complete article see:
https://blogs.zdnet.com/security/?p=1576
https://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt