Everything update suspected of being hijacked

General discussion related to "Everything".
Post Reply
void
Developer
Posts: 15565
Joined: Fri Oct 16, 2009 11:31 pm

Everything update suspected of being hijacked

Post by void »

Issue:

A man in the middle attack is causing Everything to report a newer version and possibly download malware.


The issue appears to only occur on hijacked networks.
(in China from what I am hearing)
http://www.voidtools.com/everything/update.ini The minor version number in this address is 6 (the test return is 4 on Tencent Cloud VPS) and the server field is Server: Microsoft- IIS/5.0
https://v2ex.com/t/878475



Cause:

Everything is using a insecure connection for checking the latest available version.
I am working on a fix.

Everything 1.4.1.1019 and earlier is using an insecure http connection to open the download page.
Everything 1.4.1.1020 or later will use a https connection to open the download page.
Everything-1.4.1.1021 fixes a security issue with using an insecure HTTP connection to check for new versions.


Solution:

Upgrade to Everything 1.4.1.1021 or later.



-or-



Please make sure Check for updates on startup is disabled:
  • In Everything, from the Tools menu, click Options.
  • Click the General tab on the left.
  • Uncheck Check for updates on startup (unchecked by default)
  • Click OK.


Please only download updates from:
https://www.voidtools.com/downloads
Everything 1.4.1.1020 or later will use a https connection to open the download page.
Everything 1.4.1.1021 or later will use a https connection to check for updates.

Avoid downloading updates on hijacked networks from:
http://www.voidtools.com/downloads
NotNull
Posts: 5307
Joined: Wed May 24, 2017 9:22 pm

Re: Everything update service suspected of being hijacked

Post by NotNull »

Also: always check the UAC (User Account Control) prompt "Do you want to allow this app to make changes to this device" when installing:
  • When it is a signed program ("Verified Publisher: David Carpenter" or "Verified Publisher: voidtools" in this case), it will have a blue background.
  • If it is unsigned, it will have an orange background and the text "Publisher unknown".

If the Everything program/installer is unsigned (orange background; unknown publisher), it is unsafe to install.
therube
Posts: 4655
Joined: Thu Sep 03, 2009 6:48 pm

Re: Everything update service suspected of being hijacked

Post by therube »

(translated) Thread on v2ex.com, https://v2ex-com.translate.goog/t/87847 ... r_hl=en-US.

Note the translate only looks to be effective if you do not allow JavaScript on v2ex.com.
(JS does need to be allowed for the google domains.)


(NoScript, or I suppose (?) uBlock Origin, can handle that.)
therube
Posts: 4655
Joined: Thu Sep 03, 2009 6:48 pm

Re: Everything update service suspected of being hijacked

Post by therube »

Is 1.5 alpha affected?
Heh, does 1.5 alpha even have an update service?
tuska
Posts: 942
Joined: Thu Jul 13, 2017 9:14 am

Re: Everything update service suspected of being hijacked

Post by tuska »

therube wrote: Thu Sep 08, 2022 3:03 pm Is 1.5 alpha affected?
 No. 
EDIT:
Sorry, I was wrong - please see here.

Everything 1.4.1.1020
... fixed a security issue with using an insecure http connection to open the download page.

Everything update service suspected of being hijacked
Upgrade to Everything 1.4.1.1020 or later.
"later" means for me e.g. Everything 1.5 Alpha.
_____________________________________________________________________________________________________________________________
therube wrote: Thu Sep 08, 2022 3:03 pm Heh, does 1.5 alpha even have an update service?
Yes.

Everything.ini

Code: Select all

check_for_updates_on_startup=1	; Tools > Options... > General: [✓] Check for updates on startup

beta_updates=1			; https://www.voidtools.com/forum/viewtopic.php?p=44842#p44842 - 1.5.0.1307a - 8.4.2022
				; The Everything 1.5 alpha will now check for updates from the alpha update channel.
				;
				; https://www.voidtools.com/support/everything/ini/#beta_updates
				;
				; https://www.voidtools.com/forum/viewtopic.php?p=21389#p21389 ...
				; *** To enable the beta updates: ***
				; In Everything, type in the following search and press ENTER:
				; /beta_updates=1
Last edited by tuska on Thu Sep 08, 2022 11:52 pm, edited 1 time in total.
tuska
Posts: 942
Joined: Thu Jul 13, 2017 9:14 am

Re: Everything update service suspected of being hijacked

Post by tuska »

2void
Please change to https.
 
2022-09-08_http_https.png
2022-09-08_http_https.png (19.56 KiB) Viewed 14140 times
 
Thanks!
therube
Posts: 4655
Joined: Thu Sep 03, 2009 6:48 pm

Re: Everything update service suspected of being hijacked

Post by therube »

(That shouldn't matter. IMO.
Fine to do.
Is needed for login. And now for automatic updates.
But for the board itself...)
void
Developer
Posts: 15565
Joined: Fri Oct 16, 2009 11:31 pm

Re: Everything update service suspected of being hijacked

Post by void »

Is 1.5 alpha affected?
Everything 1.5 is still using an insecure http connection to check for updates.
Everything 1.5 will check for the latest version from:
http://www.voidtools.com/Everything-1.5a-update.ini

Everything 1.5 may use an insecure http connection to open the downloads page if you are using an old language pack.

Please download the latest language pack and update your Everything.lng.

The en-US 1.5a version will always open the secure download page:
https://www.voidtools.com/downloads


The next alpha update will check for updates over a secure https connection.
I hope to have this fix available today.

I'll merge this into 1.4 once tested.
void
Developer
Posts: 15565
Joined: Fri Oct 16, 2009 11:31 pm

Re: Everything update suspected of being hijacked

Post by void »

Everything 1.5.0.1318a will now check the latest available version with HTTPS.
Everything 1.5.0.1318a will now always open the download page with HTTPS.

If there's no major issues here, I'll merge this update into 1.4.
tuska
Posts: 942
Joined: Thu Jul 13, 2017 9:14 am

Re: Everything update service suspected of being hijacked

Post by tuska »

tuska wrote: Thu Sep 08, 2022 7:06 pm 2void
Please change to https.
2022-09-08_http_https.png
Thanks for the prompt change in Everything 1.5.0.1318a. :)

___________________________________
(Sorry for my wrong statement yesterday. :?
I immediately edited the post yesterday and referred to your statement).
void
Developer
Posts: 15565
Joined: Fri Oct 16, 2009 11:31 pm

Re: Everything update suspected of being hijacked

Post by void »

Everything-1.4.1.1021 fixes a security issue with using an insecure HTTP connection to check for new versions.
Thy Grand Voidinesss
Posts: 656
Joined: Wed Jun 01, 2022 5:01 pm

Re: Everything update suspected of being hijacked

Post by Thy Grand Voidinesss »

void wrote: Thu Sep 08, 2022 12:28 am [...]
Please make sure Check for updates on startup is disabled:
[...]
Interesting anti-malware security measure

They always tell you that you should be up-to-date with the programs you use, as they will have the newly discovered security holes fixed. But what they never tell you is that when the update feature on their side becomes compromised, so will your program

But what do I know? My Windows 10 is 20H2 and it cannot be updated because of some glitch!
raccoon
Posts: 1017
Joined: Thu Oct 18, 2018 1:24 am

Re: Everything update suspected of being hijacked

Post by raccoon »

Please don't quote old advice at the bottom of the thread, or people may believe it's the most current advice.

He was talking about what to do for the next 24 hours before he had a patch available.
Post Reply