Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Evernote for Windows, Arbitrary File Download via Update

Update: Evernote's security team has reported that this issue is resolved.

Evernote for Windows downloads its update information via HTTP, making it subject to man-in-the-middle attacks – further, this allows an attacker to specify an arbitrary file for the updater to download. The good news is that Evernote will not execute the file thanks to signature validation – but the file isn’t removed, so it’s available for later use.

As the file isn’t executed, it isn’t a critical issue.


The update.xml (and the related release notes HTML file) is served over HTTP, not HTTPS, so an on-path attacker controls the content of both. The attacker can claim that an update is available and point the updater at a malicious file for the user to download; because the attacker also controls the release notes, those can be used to push the user to upgrade (e.g. by describing it as a required update).

Evernote downloads the file and saves it to the C:\Users\<user>\AppData\Local\Evernote\Evernote\AutoUpdate directory. Because the malicious binary isn't signed, the user is then alerted that Evernote was “Unable to download the update” – but the file is left in that directory.

[Screenshot: Evernote “Unable to download the update” dialog]

If combined with another issue, it may allow an attacker to gain additional access. This could also be used to plant a file on a victim’s machine (illegal content, false evidence, etc.).
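To make the two defects concrete, here is an added example (mine, not Evernote's code) that models the updater flow described above in Python. A dict stands in for the network, another dict for the AutoUpdate directory, an HMAC tag for the Authenticode signature, and the update host, manifest layout and file names are hypothetical. The vulnerable version fetches an unauthenticated manifest over HTTP and leaves the rejected download on disk; the hardened version requires HTTPS, verifies a signature on the manifest as well as on the binary, and deletes anything that fails validation.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Stand-ins (assumptions): an HMAC tag plays the role of an Authenticode
# signature; these keys play the vendor's and the attacker's signing keys.
VENDOR_KEY = b"vendor-code-signing-key"
ATTACKER_KEY = b"attacker-key"
AUTOUPDATE_DIR = r"C:\Users\user\AppData\Local\Evernote\Evernote\AutoUpdate"
LOCAL_REVISION = 269614          # local revision reported in the log below
HOST = "update.example.test"     # hypothetical update host, not Evernote's


def sign(data, key):
    return hmac.new(key, data, hashlib.sha256).digest()


def vendor_signed(data, sig):
    return hmac.compare_digest(sign(data, VENDOR_KEY), sig)


def manifest(revision, url):
    # Hypothetical manifest layout; the real update.xml schema is not shown here.
    return f'<update revision="{revision}" url="{url}"/>'.encode()


def parse_manifest(data):
    el = ET.fromstring(data)
    return int(el.get("revision")), el.get("url")


def served(body, key):
    return body, sign(body, key)   # (body, detached signature)


# Constructed "networks": URL -> (body, signature).
GENUINE = {
    f"http://{HOST}/update.xml": served(manifest(LOCAL_REVISION, f"http://{HOST}/Evernote.exe"), VENDOR_KEY),
    f"https://{HOST}/update.xml": served(manifest(LOCAL_REVISION, f"https://{HOST}/Evernote.exe"), VENDOR_KEY),
}
# What an on-path attacker substitutes for cleartext HTTP responses.
ATTACKER = {
    f"http://{HOST}/update.xml": served(manifest(999999, f"http://{HOST}/test.exe"), ATTACKER_KEY),
    f"http://{HOST}/test.exe": served(b"MZ attacker payload", ATTACKER_KEY),
}
# A vendor-signed manifest whose download turns out unsigned (e.g. a corrupted mirror).
BAD_MIRROR = {
    f"https://{HOST}/update.xml": served(manifest(999999, f"https://{HOST}/test.exe"), VENDOR_KEY),
    f"https://{HOST}/test.exe": served(b"MZ corrupted build", ATTACKER_KEY),
}


def make_fetch(network, mitm=False):
    def fetch(url):
        # TLS model: the attacker can rewrite cleartext HTTP, not authenticated HTTPS.
        if mitm and urlparse(url).scheme == "http" and url in ATTACKER:
            return ATTACKER[url]
        return network[url]
    return fetch


def target_path(url):
    return AUTOUPDATE_DIR + "\\" + url.rsplit("/", 1)[-1]


def vulnerable_update(disk, fetch):
    body, _ = fetch(f"http://{HOST}/update.xml")   # cleartext, unauthenticated manifest
    revision, url = parse_manifest(body)
    if revision <= LOCAL_REVISION:
        return "up to date"
    payload, sig = fetch(url)
    path = target_path(url)
    disk[path] = payload                            # written before the signature is checked
    if not vendor_signed(payload, sig):
        return "Unable to download update"          # rejected file stays in AUTOUPDATE_DIR
    return "installed"


def hardened_update(disk, fetch):
    body, sig = fetch(f"https://{HOST}/update.xml")
    if not vendor_signed(body, sig):                # authenticate the metadata, not only the binary
        return "manifest rejected"
    revision, url = parse_manifest(body)
    if revision <= LOCAL_REVISION:
        return "up to date"
    if urlparse(url).scheme != "https":
        return "manifest rejected: download URL not HTTPS"
    payload, sig = fetch(url)
    path = target_path(url)
    disk[path] = payload
    if not vendor_signed(payload, sig):
        del disk[path]                              # never leave an unverified binary behind
        return "update rejected and removed"
    return "installed"


def run_scenarios():
    results = {}
    for name, updater, network, mitm in [
        ("vulnerable+mitm", vulnerable_update, GENUINE, True),
        ("hardened+mitm", hardened_update, GENUINE, True),
        ("hardened+bad_mirror", hardened_update, BAD_MIRROR, False),
    ]:
        disk = {}
        msg = updater(disk, make_fetch(network, mitm))
        results[name] = (msg, sorted(disk))
    return results


if __name__ == "__main__":
    for name, (msg, files) in run_scenarios().items():
        print(f"{name}: {msg}; files left: {files}")
```

Running it shows the attacker's test.exe left in the AutoUpdate directory in the vulnerable flow, while the hardened flow never reaches the attacker at all over HTTPS and, when a genuinely signed manifest points at a download that fails validation, removes the file before reporting the failure.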

13:37:12 [36468] Command line: "C:\Program Files (x86)\Evernote\Evernote\Evernote.exe"
13:37:21 [33800] AutoUpdate: checking for update at: http://update.evernote.com/public/ENWin5/update.xml
13:37:21 [33800] Received status code 200 when accessing URL http://update.evernote.com/public/ENWin5/update.xml
13:37:21 [33800] AutoUpdate: located update with revision 999999 (local revision is 269614)
13:37:21 [33800] AutoUpdate: selected update with revision 999999
13:37:21 [33800] Received status code 200 when accessing URL http://update.evernote.com/public/ENWin5/relnotes.html
13:37:21 [33800] Evernote is installed PerMachine.
13:37:21 [33800] User is  an administrator
13:37:24 [34508] Received status code 200 when accessing URL http://update.evernote.com/public/ENWin5/test.exe
13:37:24 [34508] The update file (C:\Users\<user>\AppData\Local\Evernote\Evernote\AutoUpdate\test.exe) has invalid signature (File has no signature)

13:37:25 [35944] Unable to download update: The data is invalid. (13).
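The log is itself a useful detection source. As an added example (not part of the original post), the following Python check runs over the lines quoted above, embedded as sample input, and reports the three things a defender would want to know: which update URLs were fetched over cleartext HTTP, which downloads failed signature validation (and, per the behaviour described above, are still on disk), and the revision the manifest offered against the installed one. The patterns match only the line formats visible in this log; they are not a documented Evernote log format.

```python
import re
from urllib.parse import urlparse

# The updater log lines quoted above, embedded here so the check runs offline.
SAMPLE_LOG = r"""13:37:21 [33800] AutoUpdate: checking for update at: http://update.evernote.com/public/ENWin5/update.xml
13:37:21 [33800] Received status code 200 when accessing URL http://update.evernote.com/public/ENWin5/update.xml
13:37:21 [33800] AutoUpdate: located update with revision 999999 (local revision is 269614)
13:37:21 [33800] AutoUpdate: selected update with revision 999999
13:37:21 [33800] Received status code 200 when accessing URL http://update.evernote.com/public/ENWin5/relnotes.html
13:37:24 [34508] Received status code 200 when accessing URL http://update.evernote.com/public/ENWin5/test.exe
13:37:24 [34508] The update file (C:\Users\<user>\AppData\Local\Evernote\Evernote\AutoUpdate\test.exe) has invalid signature (File has no signature)
13:37:25 [35944] Unable to download update: The data is invalid. (13)."""

# Patterns derived from the line formats visible above (assumption: they hold for other entries).
URL_RE = re.compile(r"(?:checking for update at: |accessing URL )(\S+)")
REJECTED_RE = re.compile(r"The update file \((.+?)\) has invalid signature \((.+?)\)")
REVISION_RE = re.compile(r"located update with revision (\d+) \(local revision is (\d+)\)")


def cleartext_urls(log):
    """Distinct URLs the updater fetched without TLS, in first-seen order."""
    seen = []
    for m in URL_RE.finditer(log):
        url = m.group(1)
        if urlparse(url).scheme == "http" and url not in seen:
            seen.append(url)
    return seen


def rejected_files(log):
    """(path, reason) for each download that failed signature validation.
    Nothing in this log records a cleanup, so each path is a file to go and inspect."""
    return REJECTED_RE.findall(log)


def revision_jump(log):
    """(offered, local) revision pair from the manifest the updater accepted, or None."""
    m = REVISION_RE.search(log)
    return (int(m.group(1)), int(m.group(2))) if m else None


def findings(log):
    """Human-readable findings, one string per issue."""
    out = []
    for url in cleartext_urls(log):
        out.append(f"update metadata or payload fetched over cleartext HTTP: {url}")
    for path, reason in rejected_files(log):
        out.append(f"unverified file written to disk ({reason}): {path}")
    jump = revision_jump(log)
    if jump:
        out.append(f"manifest offered revision {jump[0]} against local {jump[1]}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print("-", line)
```

On the sample log this yields three cleartext fetches (update.xml, relnotes.html, test.exe), one unverified file under AutoUpdate, and the 269614 to 999999 revision jump; point `findings()` at a real updater log to check a machine for the same pattern.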


