Background

Whenever a software designer builds a program intended to update itself -- by downloading and running updates it retrieves over the web -- the designer must consider the possibility of an attacker intercepting the update transmission. In particular, an attacker could send some bogus "update" that in fact causes the user's computer to perform operations not desired by the user and not intended by the designer of the initial software. This sort of vulnerability is well-known among those who design self-updating software. See e.g. Symantec's statement of the problem and what Symantec did in October 2001 to address the problem.

Software provided by WhenU includes an auto-update feature, which is sometimes run when WhenU is installed and periodically thereafter. Unfortunately for WhenU and for its users, the auto-updater in some WhenU software includes no protections against auto-updater attacks. In such software, WhenU simply downloads an EXE file from a well-known location on a web server, then executes that file, without verifying the authenticity of the file. To take advantage of this vulnerability, an attacker needs to be able to perform one of the following actions: 1) hijack the download TCP connection, 2) spoof the whenu.com DNS response, 3) poison a DNS cache, 4) poison a HTTP cache, or 5) configure a victim's machine to use an HTTP proxy controlled by the attacker.

This vulnerability allows attackers to cause the victim to download and install a program of the attacker's choosing. As a result of the attack, the attacker gets full control over the user's computer. For example, the attacker can send the user's personal data or behavior to any server on the Internet; can add, modify, or delete files; can install other programs (including other spyware programs); or can use the computer to send junk email or cause a denial of service attack.

In particular, I have found this vulnerability in the WhenU WeatherCast software available from WhenU's Products page through May 14, 2004. After I brought this problem to the attention of WhenU staff, they assured me that they corrected the problem -- removing the vulnerable software from WhenU's site, and using the auto-update system to patch the PCs of affected users. With these assurances, I now release the specifics of my findings to the the public, consistent with the CERT Vulnerability Disclosure Policy.

Specific Findings

To demonstrate the security hole in WhenU software, I downloaded a copy of WhenU WeatherCast from the Products page of WhenU's ordinary public web site, and I installed this program onto a fresh "client" PC. On this PC, the only modification from default settings was a single entry in the PC's HOSTS file, causing requests for akdwl.whenu.com (the Akamai web server that hosts WhenU's update EXEs) to be routed to a web server I control, at a designated address on my local network. (Modifying my HOSTS file is analagous to the attack methods described above: The result of all the attacks described above is that the attacker can answer client PC requests for HTTP content on WhenU's web server. Modifying my HOSTS file achieves precisely this result.)

Separately, I placed an "attack" .exe program on another computer which served as my "attacker" web server. I called the file /saveupdate.exe because this is the relative URL requested by WhenU's auto-updater. I used VB to make a one-line program that performs only a single function -- showing a popup message box indicating that the program has been run. This simple program was sufficient for my demonstration, but a true attacker would use a more complex program to take arbitrary activities of the sort described above.

With my program in place on the attacker web server, I then installed WhenU on the client PC. As WhenU ran its auto-updater immediately subsequent to installation, I received the popup message from my attack program -- indicating that WhenU had downloaded my attack program from the attacker web server, and had run that program on the client PC. Had my program been designed to perform some destructive function, e.g. transmitting or deleting a user's files, it could have done so at that time. Alternatively, my program could have installed other software to perform these or other functions at a later time.

I captured this demonstration in a WindowsMedia file (WMV format). For best viewing, play it full-screen in the Windows Media Player client software. (If prompted by Internet Explorer to view the video in your browser, I recommend declining, as this will cause the video to be displayed in too small a window to be readable.)

Video Showing WhenU Security Hole (WMV format, 701KB)

I also tested other WhenU's products available from WhenU's Products page, including WhenUSearch, ClockSynce, Savenow, and Save!. In my limited testing, none of these products sought to update themselves at all. I was therefore unable to determine whether or not their auto-update systems in these programs included the same vulnerability as the WeatherCast program I tested.

Discussion

WhenU's security vulnerability precisely matches those previously found by Stefan Saroiu, Steven Gribble, and Henry Levy in programs from Claria and eZula, as reported in their Measurement and Analysis of Spyware in a University Environment (PDF) (sections 5 and 5.1). Like those vulnerabiilties, this vulnerability takes place in a program installed on users' computers, that is primarily intended to monitor the user's activity and show targeted advertisements. Like those vulnerabilities, this vulnerability results from lack of security or authenticity verification as to downloads of auto-updates. Like software from Claria, software from WhenU is such that users often don't even know they have it -- so it may be particularly dlfficult for users to cure the vulnerability, e.g. by removing the software at issue. (See PC Pitstop research finding that 85%+ of WhenU users don't know they have WhenU, and 74%+ of Claria users don't know they have Claria.)

The typical solution to auto-update vulnerabilities is cryptographic signing of executable updates. If such signing were in place, WhenU client software would be able to detect, and refuse to install, any auto-updates found not to be authentic WhenU software. Other companies have implemented such methods to assure the security of their products and their users (see e.g. Symantec). However, my testing indicates that WhenU had implemented no such methods in the WeatherCast software recently available on WhenU's own web site.

According to the SaveNow license agreement, WhenU cannot be held liable for any damage caused by security vulnerabiilties in its product. In fact, WhenU specifically disclaims liability for damage from future updates:

"Disclaimer of Warranty

"You expressly agree that the use of this software is at your own risk. The software is provided on an "As Is" basis, without warranty of any kind, including without limitation the warranties that it is free of defects and errors, fit for a particular purpose, or non-infringing. WhenU.com reserves the right to periodically update and/or upgrade the software at the company's discretion. Your installation of the software indicates your acceptance of potential future updates and/or upgrades to the software.

"The information and services provided by the software and/or WhenU.com are similarly provided on an "As Is" basis, without warranty of any kind. The accuracy and reliability of any information content or services provided by the software and or WhenU.com should be independently verified by you as the user prior to making purchase decisions and or any other decisions based on such information content and services."

WhenU's "Company Highlights" reports that more than 30 million active desktops currently run WhenU software. I have no way of knowing how many of these PCs obtained the version of WhenU that I tested, or obtained other versions of WhenU that included the same security vulnerability. If WhenU's disclaimer of warranty is effective as drafted, then none of these users has any recourse against WhenU for any damage they may suffer or may have suffered as a result of WhenU's failure to properly secure its software.

Responses from WhenU, Security Researchers

WhenU

Consistent with the CERT Vulnerability Disclosure Policy, I alerted WhenU staff to my findings of a vulnerability within WhenU software immediately after finding that vulnerability.

After a series of email exchanges, WhenU staff acknowledged the vulnerabiilty, stating in relevant part as follows:

"The version of WeatherCast available at www.whenu.com/products contained an obsolete version of our Save software (version 1.61) that was taken out of public distribution in September 2002. This obsolete version might have been subject to the type of attack noted ..."

WhenU staff offered no explanation as to why this "obsolete" and insecure product, purportedly taken out of public distribution in September 2002, nonetheless remained on WhenU's public web server through the evening of May 14, 2004.

If WhenU has inadequate procedures in place to assure that only secure, up-to-date software is provided even on WhenU's ordinary public web site, it is difficult to determine whether WhenU's other distribution methods are current and secure. Checking the software versions distributed by all of WhenU's various partners, affiliates, and drive-by download sites presents a far larger and more difficult challenge than checking the contents of WhenU's own web site. Accordingly, there is some basis to doubt that all these sources in fact offer only current WhenU code, without known vulnerabilities.

Indeed, this is not the only instance in which WhenU has failed to keep its web site up to date: For example, subsequent to my recent WhenU Violates Own Privacy Policy, WhenU revised one privacy policy posted to its web site, to admit to transmissions prohibited by WhenU's earlier privacy policy, but WhenU failed to revise numerous other commitments and other copies of its privacy policy elsewhere on WhenU's sites, in WhenU installer coe available on WhenU's sites, on WhenU's partners' sites and installers.

WhenU staff stated that the program I tested is not a significant source of WhenU software:

"[This version of the program] represents a minimal, non-significant part of our monthly distribution - less than 1/10 of one percent."

Meanwhile, for a company with as many users as WhenU, even 0.1% of users can be substantial. One tenth of a percent of WhenU's purported 30 million current desktops equals 30,000 vulnerable computers. (0.001 x 30,000,000 = 30,000) One tenth of a percent of all PCs that have previously run WhenU (100 million according to recent WhenU comments to the FTC) equals 100,000 vulnerable computers. If WhenU's auto-update code works as intended, and if new WhenU code repairs the vulnerability I identified, then these 30,000 to 100,000 machines should now be cured of the vulnerability. However, they each would have been vulnerable before and during their first auto-updates. Tens of thousands of vulnerable machines are sufficient to produce a large amount of junk email, denial of service "zombie" traffic, and other disruptive behavior.

 

Security Researchers

In a private email, Simson Garfinkel pointed out to me that if WhenU merely implements cryptographic signing of executable updates, some attacks might remain feasible. In particular, mere cryptographic signing could allow an attacker to cause a client software program to install an old patch with a known security hole, subsequently allowing the attacker to take advantage of that hold. Simson suggests that the appropriate response is a monotonically-increasing version number embedded within the signature, such that the auto-updater will only install a version of the code proven to be newer than the existing version, but will never revert to an older version.

Disclosures

My interest in spyware originally arose in part from a prior consulting engagement in which I served as an expert to parties adverse to Gator in litigation. See Washingtonpost.Newsweek Interactive Company, LLC, et al. v. the Gator Corporation. More recently, I have served as an expert or consultant to other parties adverse to spyware companies in litigation or contemplated litigation, including 1-800 Contacts, Quicken Loans, and Wells Fargo, all companies adverse to WhenU.

This page is my own work - created on my own, without approval by any client, without payment from any client.

Last Updated: June 2, 2004 - Sign up for notification of major updates and related work.