Study Singles Out Security Slips in Software Sources

A study by researchers at the University of Arizona has revealed that taking over the world — or at least a whole lot of computers — may be easier than we think, using nothing but a server and a simple software repository.

The trick does not deliver a virus or other malware to the target directly. Instead it exploits how package managers handle package signatures: the signature on an outdated package does not stop being valid when a newer release supersedes it, so a client that checks only the signature, and not whether the package or repository metadata is current, will accept the old version. The research team, which studied ten of the most popular package management systems (APT, APT-RPM, Pacman, Portage, Ports, Slaktool, Stork, Urpmi, Yast and YUM), found that all an attacker has to do is set up a mirror repository and configure it to serve only outdated versions of packages. Systems that use the mirror then install, or keep, packages with known and often widely documented vulnerabilities, which the attacker can exploit afterwards.

As proof of concept, the researchers set up their own rogue repository, had it listed among the official mirrors for CentOS, Debian, Fedora, OpenSuse and Ubuntu, and watched as thousands of unwitting users, military and government offices among them, used the mirror without concern.
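To make the mechanism concrete, here is an added toy model of the attack; it is example code written for this page, not code from the University of Arizona study or from any of the package managers named above. It assumes a hypothetical repository that publishes signed metadata (a version counter, an expiry time and a package list), a mirror that can choose which signed copy to hand out, and two clients: one that checks only the signature, and one that also checks expiry and refuses a version rollback. The "signature" is an HMAC with a shared key standing in for the repository's public-key signature, and all sample metadata is constructed.

```python
"""
Toy model of a stale-mirror (replay/freeze) attack on a package manager.
Added example for this article; not from the study it reports on.
Assumptions: repository metadata is a JSON object with "version",
"expires" (Unix time) and "packages"; the mirror simply returns whichever
signed copy it wants; HMAC-SHA256 stands in for the real signature scheme.
"""
import hashlib
import hmac
import json

# Stand-in for the repository's private signing key (constructed).
REPO_KEY = b"hypothetical-repository-signing-key"


def sign(metadata):
    """Serialise metadata deterministically and attach a signature."""
    body = json.dumps(metadata, sort_keys=True).encode()
    sig = hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_signature(signed):
    """True if the signature matches the body (no freshness check here)."""
    expected = hmac.new(REPO_KEY, signed["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


# Constructed sample: three copies of the repository metadata, all of them
# legitimately signed by the repository at different times.
OLD_METADATA = sign({"version": 41, "expires": 1_700_000_000,
                     "packages": {"example-lib": "1.0.1"}})
NEW_METADATA = sign({"version": 42, "expires": 1_800_000_000,
                     "packages": {"example-lib": "1.0.2"}})
# Old content re-signed with a fresh expiry: expiry alone would not catch it.
ROLLBACK_METADATA = sign({"version": 41, "expires": 1_800_000_000,
                          "packages": {"example-lib": "1.0.1"}})


def naive_client(signed, now, last_seen_version):
    """Accepts anything carrying a valid repository signature."""
    if not verify_signature(signed):
        return (False, "bad signature")
    return (True, "accepted")


def hardened_client(signed, now, last_seen_version):
    """Signature plus freshness: reject expired metadata and version rollback."""
    if not verify_signature(signed):
        return (False, "bad signature")
    meta = json.loads(signed["body"])
    if meta["expires"] <= now:
        return (False, "metadata expired (freeze attack)")
    if meta["version"] < last_seen_version:
        return (False, "version rollback (replay attack)")
    return (True, "accepted")


def tampered_copy(signed):
    """A mirror that edits the body without the key: caught by both clients."""
    meta = json.loads(signed["body"])
    meta["packages"]["example-lib"] = "0.9.0"
    return {"body": json.dumps(meta, sort_keys=True).encode(), "sig": signed["sig"]}


def run_scenarios(now=1_750_000_000, last_seen_version=42):
    """Feed each mirror response to both clients; returns a dict of verdicts."""
    responses = {
        "honest_mirror": NEW_METADATA,
        "stale_mirror": OLD_METADATA,
        "rollback_mirror": ROLLBACK_METADATA,
        "tampering_mirror": tampered_copy(NEW_METADATA),
    }
    results = {}
    for name, signed in responses.items():
        results[name] = {
            "naive": naive_client(signed, now, last_seen_version),
            "hardened": hardened_client(signed, now, last_seen_version),
        }
    return results


if __name__ == "__main__":
    for mirror, verdicts in run_scenarios().items():
        print(f"{mirror:17} naive={verdicts['naive']}  hardened={verdicts['hardened']}")
```

The naive client accepts the stale and rollback copies because their signatures are genuine: nothing was forged, the mirror merely replayed what the repository once published. The hardened client needs two things the naive one lacks, a trustworthy clock for the expiry check and persistent storage of the last version it accepted for the rollback check; a freshly installed system with no stored version, or one whose clock is wrong, is still exposed, which is why expiry windows on repository metadata should be short.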
