Everything update suspected of being hijacked

[void]

Issue:

A man in the middle attack is causing Everything to report a newer version and possibly download malware.


The issue appears to only occur on hijacked networks.
(in China from what I am hearing)

http://www.voidtools.com/everything/update.ini The minor version number in this address is 6 (the test return is 4 on Tencent Cloud VPS) and the server field is Server: Microsoft- IIS/5.0

https://v2ex.com/t/878475



Cause:

Everything is using a insecure connection for checking the latest available version.
I am working on a fix.

Everything 1.4.1.1019 and earlier is using an insecure http connection to open the download page.
Everything 1.4.1.1020 or later will use a https connection to open the download page.
Everything-1.4.1.1021 fixes a security issue with using an insecure HTTP connection to check for new versions.


Solution:

Upgrade to Everything 1.4.1.1021 or later.



-or-



Please make sure Check for updates on startup is disabled:

• In Everything, from the Tools menu, click Options.
• Click the General tab on the left.
• Uncheck Check for updates on startup (unchecked by default)
• Click OK.

Please only download updates from:
https://www.voidtools.com/downloads
Everything 1.4.1.1020 or later will use a https connection to open the download page.
Everything 1.4.1.1021 or later will use a https connection to check for updates.

Avoid downloading updates on hijacked networks from:
http://www.voidtools.com/downloads

[NotNull]

Also: always check the UAC (User Account Control) prompt "Do you want to allow this app to make changes to this device" when installing:

• When it is a signed program ("Verified Publisher: David Carpenter" or "Verified Publisher: voidtools" in this case), it will have a blue background.
• If it is unsigned, it will have an orange background and the text "Publisher unknown".

If the Everything program/installer is unsigned (orange background; unknown publisher), it is unsafe to install.

[therube]

(translated) Thread on v2ex.com, https://v2ex-com.translate.goog/t/87847 ... r_hl=en-US.

Note the translate only looks to be effective if you do not allow JavaScript on v2ex.com.
(JS does need to be allowed for the google domains.)


(NoScript, or I suppose (?) uBlock Origin, can handle that.)

[therube]

Is 1.5 alpha affected?
Heh, does 1.5 alpha even have an update service?

[therube]

Just some jabber (from the Mozilla end):

A Remote Vulnerability in Firefox Extensions
Extension Manager:Addon Update Security

[tuska]

Is 1.5 alpha affected?

 No. 
EDIT:
Sorry, I was wrong - please see here.

Everything 1.4.1.1020
... fixed a security issue with using an insecure http connection to open the download page.

Everything update service suspected of being hijacked
Upgrade to Everything 1.4.1.1020 or later.
"later" means for me e.g. Everything 1.5 Alpha.
_____________________________________________________________________________________________________________________________

Heh, does 1.5 alpha even have an update service?

Yes.

Everything.ini

Code: Select all

check_for_updates_on_startup=1	; Tools > Options... > General: [✓] Check for updates on startup

beta_updates=1			; https://www.voidtools.com/forum/viewtopic.php?p=44842#p44842 - 1.5.0.1307a - 8.4.2022
				; The Everything 1.5 alpha will now check for updates from the alpha update channel.
				;
				; https://www.voidtools.com/support/everything/ini/#beta_updates
				;
				; https://www.voidtools.com/forum/viewtopic.php?p=21389#p21389 ...
				; *** To enable the beta updates: ***
				; In Everything, type in the following search and press ENTER:
				; /beta_updates=1

[tuska]

2void
Please change to https.
 

2022-09-08_http_https.png (19.56 KiB) Viewed 13946 times

 
Thanks!

[therube]

(That shouldn't matter. IMO.
Fine to do.
Is needed for login. And now for automatic updates.
But for the board itself...)

[void]

Is 1.5 alpha affected?

Everything 1.5 is still using an insecure http connection to check for updates.
Everything 1.5 will check for the latest version from:
http://www.voidtools.com/Everything-1.5a-update.ini

Everything 1.5 may use an insecure http connection to open the downloads page if you are using an old language pack.

Please download the latest language pack and update your Everything.lng.

The en-US 1.5a version will always open the secure download page:
https://www.voidtools.com/downloads


The next alpha update will check for updates over a secure https connection.
I hope to have this fix available today.

I'll merge this into 1.4 once tested.

[void]

Everything 1.5.0.1318a will now check the latest available version with HTTPS.
Everything 1.5.0.1318a will now always open the download page with HTTPS.

If there's no major issues here, I'll merge this update into 1.4.

[tuska]

2void
Please change to https.
2022-09-08_http_https.png

Thanks for the prompt change in Everything 1.5.0.1318a.

___________________________________
(Sorry for my wrong statement yesterday.
I immediately edited the post yesterday and referred to your statement).

[void]

Everything-1.4.1.1021 fixes a security issue with using an insecure HTTP connection to check for new versions.

[Thy Grand Voidinesss]

[...]
Please make sure Check for updates on startup is disabled:
[...]

Interesting anti-malware security measure

They always tell you that you should be up-to-date with the programs you use, as they will have the newly discovered security holes fixed. But what they never tell you is that when the update feature on their side becomes compromised, so will your program

But what do I know? My Windows 10 is 20H2 and it cannot be updated because of some glitch!

[raccoon]

Please don't quote old advice at the bottom of the thread, or people may believe it's the most current advice.

He was talking about what to do for the next 24 hours before he had a patch available.