As someone who works for a vendor that does distribute product updates
via email, I feel that I need to respond.  An exception to the rule Marc
mentions should be non-executable, strongly signed updates.  Concerned
users can easily verify the signature manually (the software does so
automatically) to be certain of the file's provenance and integrity.
A key advantage to this approach is that the software can be fully
up-to-date without admins needing to spare cycles (or can be fully
manual, user's choice).  Furthermore, there is no need to make any
adjustments to firewalls -- the inbound mail is routed to your normal
mail server and the software retrieves it from there.  Oh, the
software I'm referring to is HackerShield.

That said, running executables received in email is never a good idea
(possibly excepting strongly signed files).

-scott

Btw, if anyone sees a flaw in our approach, I'd love to hear it.

------
Scott Blake
BindView's RAZOR Team
http://razor.bindview.com/
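
The check Scott describes (a non-executable update whose detached signature is verified against the vendor's key before the file is used), as an added example. This is illustrative code written for this page, not HackerShield's or BindView's, and it makes assumptions the post does not state: Ed25519 as the signature scheme, a vendor public key pinned in the client, a constructed sample payload, and a simple executable-header heuristic for the "non-executable" policy. It also shows the two failure modes Marc raises: a message signed by someone spoofing the vendor, and a payload altered in transit.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample payload: a small, non-executable data file of the kind a
// scanner would fetch. This is made-up sample data, not a real product update.
var sampleUpdate = []byte("version: 1\ncheck: sample-check-1\ncheck: sample-check-2\n")

// UpdateMessage is what lands in the mailbox: the payload plus a detached
// signature over it. The format is an assumption for this example.
type UpdateMessage struct {
	Payload   []byte
	Signature []byte
}

// signUpdate is the vendor side: sign the payload with the vendor's private key.
func signUpdate(priv ed25519.PrivateKey, payload []byte) UpdateMessage {
	return UpdateMessage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// verifyUpdate is the client side. pinnedPub is the vendor key shipped with the
// software (assumption: key distribution is not described in the post). Any
// message that fails a check is rejected before the payload is parsed or used.
func verifyUpdate(pinnedPub ed25519.PublicKey, msg UpdateMessage) ([]byte, error) {
	if len(msg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pinnedPub, msg.Payload, msg.Signature) {
		return nil, errors.New("update rejected: signature does not verify under the pinned vendor key")
	}
	// Even a correctly signed file is refused if it is executable: the policy
	// in the post is non-executable, signed updates only.
	if looksExecutable(msg.Payload) {
		return nil, errors.New("update rejected: payload is executable")
	}
	return msg.Payload, nil
}

// looksExecutable is a deliberately small heuristic (PE, ELF and shebang
// headers); a real client would apply a stricter allow-list for its own format.
func looksExecutable(b []byte) bool {
	return bytes.HasPrefix(b, []byte("MZ")) ||
		bytes.HasPrefix(b, []byte("\x7fELF")) ||
		bytes.HasPrefix(b, []byte("#!"))
}

// fingerprint gives an operator verifying by hand a short value to compare
// out of band (for the pinned key, or for an accepted payload).
func fingerprint(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:8])
}

// tamper flips one byte of the payload after signing, as an attacker in the
// mail path might.
func tamper(m UpdateMessage) UpdateMessage {
	p := append([]byte(nil), m.Payload...)
	p[0] ^= 0x01
	m.Payload = p
	return m
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// A second key pair stands in for an attacker spoofing the vendor's address.
	_, spoofPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned vendor key fingerprint:", fingerprint(vendorPub))

	cases := map[string]UpdateMessage{
		"genuine":  signUpdate(vendorPriv, sampleUpdate),
		"spoofed":  signUpdate(spoofPriv, sampleUpdate),
		"tampered": tamper(signUpdate(vendorPriv, sampleUpdate)),
		"exe":      signUpdate(vendorPriv, []byte("MZ\x90\x00")),
	}
	for name, msg := range cases {
		payload, err := verifyUpdate(vendorPub, msg)
		if err != nil {
			fmt.Printf("%-8s %v\n", name, err)
			continue
		}
		fmt.Printf("%-8s accepted, payload fingerprint %s\n", name, fingerprint(payload))
	}
}
```

The point of the spoofed case is that a mail claiming to come from the vendor carries no weight on its own: only a signature that verifies under the key already pinned in the client is accepted, so the sender address and any link in the message are irrelevant to the decision. The pinned key is the whole trust root, which is why its fingerprint is the one value worth checking by hand when the software is first installed.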


> -----Original Message-----
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On
> Behalf Of Marc
> Sent: Tuesday, February 29, 2000 9:07 PM
> To: [EMAIL PROTECTED]
> Subject: Re: EZ Shopper 3.0 shopping cart CGI remote
> command execution
>
>
> Sent via eMail? Funny you mention that. One of the last
> clients we did a pen
> test on was hacked just the same way. Ya a nice spoofed
> eMail from Symantxx
> telling them to update PcAnywhexx.
>
> I guess the point I'm trying to make is that sending
> updates via eMail is
> not the brightest of ideas. An eMail with a link to a file,
> on the software
> vendors page, would be much better. Also no IT person
> should be running
> "software patches" that were eMailed to them because who
> knows what exactly
> is being "patched."
>
> I don't know if EZ Shopper 3.0 has their patch posted on
> the web so this is
> not necessarily directed straight at them but third party
> software vendors
> as a whole.
>
> Signed,
> Marc
> eEye Digital Security
> http://www.eEye.com
>
> "It is the years that blind you. Searching so hard for
> success you lose
> grasp on the basic wonders of being alive."
> -chameleon
>
>
> | -----Original Message-----
> | From: Bugtraq List [mailto:[EMAIL PROTECTED]]On
> Behalf Of Alex
> | Heiphetz
> | Sent: Monday, February 28, 2000 9:43 AM
> | To: [EMAIL PROTECTED]
> | Subject: Re: EZ Shopper 3.0 shopping cart CGI remote
> command execution
> |
> |
> | At 09:42 AM 2/27/00 +0000, [EMAIL PROTECTED] wrote:
> | >[EMAIL PROTECTED] - EZ Shopper 3.0 remote command execution.
> |
> | <...>
> |
> | >Workaround:
> | >
> | >   The vendor, AHG Inc, has released a fixed version,
> download it from
> | >   their website and install the fixed version.
> |
> | Correction: clients are notified and patch is being sent
> via e-mail.
> | Help with installation offered.
> |
> | Regards,
> | AH
> |
>
