Evilgrade is like Firesheep for Software Updates (infobyte.com.ar)
35 points by r11t on Nov 4, 2010 | 24 comments


Firesheep is Firesheep because it's easy enough for random college freshmen to use. This is a commandline tool so it is no Firesheep.


Are the latest versions of Skype, VMWare, and others listed there at risk of software-update hijacking, with no cryptographic verification of update payloads?


VMWare is in the compatibility list, so that's a yes there.


I see it on the EvilGrade page; I'm asking here for independent confirmation.


Yeah, Virtual Infrastructure and VSphere clients download updates over HTTP from a URL that looks like: http://www.vmware.com/vmware<%RND1%>.exe


Seems like something metasploit would do. If you're a budding security nut and you haven't tried some 'sploitin, you should definitely give it a go.


True that. But AFAIK metasploit doesn't have exactly this kind of functionality. It would be nice if someone would port it though...


Here's the list of supported apps:

* Freerip 3.30

* Jet photo 4.7.2

* Teamviewer 5.1.9385

* ISOpen 4.5.0

* Istat

* Gom 2.1.25.5015

* Atube catcher 1.0.300

* Vidbox 7.5

* Ccleaner 2.30.1130

* Fcleaner 1.2.9.409

* Allmynotes 1.26

* Notepad++ 5.8.2

* Java 1.6.0_22 winxp/win7

* aMSN 0.98.3

* Appleupdate <= 2.1.1.116 ( Safari 5.0.2 7533.18.5, <= Itunes 10.0.1.22, <= Quicktime 7.6.8 1675)

* Mirc 7.14

* Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)

* Dap 9.5.0.3

* Winscp 4.2.9

* AutoIt Script 3.3.6.1

* Clamwin 0.96.0.1

* AppTapp Installer 3.11 (Iphone/Itunes)

* getjar (facebook.com)

* Google Analytics Javascript injection

* Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8

* Winamp 5.581

* TechTracker (cnet) 1.3.1 (Build 55)

* Nokiasoftware firmware update 2.4.8es * (Windows software)

* Nokia firmware v20.2.011

* BSplayer 2.53.1034

* Apt ( < Ubuntu 10.04 LTS)

* Ubertwitter 4.6 (0.971)

* Blackberry Facebook 1.7.0.22 | Twitter 1.0.0.45

* Cpan 1.9402

* VirtualBox (3.2.8)

* Express talk

* Filezilla

* Flashget

* Miranda

* Orbit

* Photoscape

* Panda Antirootkit

* Skype.

* Sunbelt

* Superantispyware

* Trillian <= 5.0.0.26

* Adium 1.3.10 (Sparkle Framework)

* VMware

* more...


Firesheep only requires that you sniff unencrypted traffic but this requires that you make DNS requests resolve to an address of your choice. The latter is much harder to do. You either need to control the wireless router or break the DNS server some way.


True but not that much - it wouldn't be difficult to inject a reply on an unencrypted wireless network, you just have to sniff the traffic and then reply faster than the wireless network and then blast the reply out with a higher signal.

Since everything is cached locally for you, replying faster shouldn't be an issue, and you can sit closer to your intended victim than the wireless router, which should give you a better signal.


There are tools to simplify this by Arp Spoofing. http://en.wikipedia.org/wiki/ARP_spoofing


Other methods that are mentioned:

Internal network access:

- Internal DNS access

- ARP spoofing

- DNS Cache Poisoning

- DHCP spoofing

- TCP hijacking

- Wi-Fi Access Point impersonation

External network access:

- Internal DNS access

- DNS Cache Poisoning


It says it supports Adium (Sparkle) updates, but Adium definitely uses digital signatures, see /Applications/Adium.app/Contents/Resources/dsa_pub.pem . So...is there something I'm missing? Has anybody tested this?


Adium definitely gets its update list over HTTP, so maybe it just prompts the user if the signatures don't match and lets them install anyway?

The relevant module in evilgrade is sparkle.pm if you want to check it out.


Can anyone outline how a software package would protect against this?


Public-key cryptography. The update server could send a signature along with the update package and the software would check the update contents to make sure the signature matches.


Yes, debian and ubuntu do this using OpenPGP. I'm sure other distros use something similar. Yet another reason to stick with free software.


You saw APT in the supported list right? :-P


That only means that it will work if the user ignores stern warnings telling them the software is untrusted.


Use SSL for the connection to the update server.


A secondary method for authenticating updates would also be wise. When Moxie Marlinspike's null-prefix SSL bug landed, people with vulnerable versions of Firefox were somewhat screwed: Firefox used only SSL to ensure the authenticity and integrity of updates, but SSL was broken, so the update fixing SSL security couldn't be authenticated!
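An added example, not from the thread or from Evilgrade: the fail-closed signature check described in the "Public-key cryptography" reply above, with the signing key compiled into the client so that, as the Firefox anecdote argues, verification does not depend on SSL being intact. Manifest layout, function names and the vendor/attacker keys are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is fetched alongside the payload; the transport (HTTP, DNS) is untrusted.
type Manifest struct {
	Version   string
	Digest    [32]byte // SHA-256 of the payload bytes
	Signature []byte   // Ed25519 signature over Version + "\n" + Digest
}

func signedBytes(m Manifest) []byte { return append([]byte(m.Version+"\n"), m.Digest[:]...) }

// SignManifest runs on the vendor's release machine, never on the update server.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate runs in the client with a compiled-in (pinned) public key.
// A failure is an error, not a prompt: there is no "install anyway" path.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinned, signedBytes(m), m.Signature) {
		return errors.New("update rejected: bad signature")
	}
	if sha256.Sum256(payload) != m.Digest {
		return errors.New("update rejected: payload digest mismatch")
	}
	return nil
}

// Scenario: genuine update, swapped payload, and a manifest signed with an unpinned key (constructed data).
func Scenario() (genuineOK, tamperedRejected, forgedRejected bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload, evil := []byte("constructed update 2.0"), []byte("constructed tampered update")
	m := SignManifest(vendorPriv, "2.0", payload)
	genuineOK = VerifyUpdate(vendorPub, m, payload) == nil
	tamperedRejected = VerifyUpdate(vendorPub, m, evil) != nil
	forgedRejected = VerifyUpdate(vendorPub, SignManifest(attackerPriv, "2.0", evil), evil) != nil
	return
}
func main() { fmt.Println(Scenario()) }
```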


Most of the attack vectors for software updates depend on man in the middle (via DNS spoofing), so this would not help right?


If you don't get it I recommend watching the screencast http://www.infobytesec.com/demo/evilgrade.htm


What's "Internal DNS access"? Host file access?
