(no subject)

Date: 2012-05-10 07:20 pm (UTC)
From: netdef.livejournal.com
Just really hoping that my "future thought exploration" turns out to be false . . .

(no subject)

Date: 2012-05-10 08:38 pm (UTC)
From: rbarclay.livejournal.com
This is not news; the security community has been theorizing about such attacks at least as early as 2002-2003, and I've seen the first in the wild in 2005 or 2006. Also see the last (or second-to-last) BlackHat confs, and one of the last CCC congresses/camps - where such attacks were bloody live, and by the shitload (especially for "smart" phones).

The guy who wrote this entry at networkdefend.blogspot.ca also is a fearmonger, because any software that's really any good at all has its updates cryptographically signed, so unless you can spoof the CA this won't work (and, as much as I loathe MS, this includes Windows/Microsoft Update).

(no subject)

Date: 2012-05-13 05:04 am (UTC)
From: netdef.livejournal.com
You need to remember that a) Users running as Admins on their machines can override the certificate warning and b) that Windows *still* allows you to override cert warnings even for malware. (Don't even get me started on that peeve.)

I've now seen two samples of this problem in the "wild" and in both cases it was way too easy (as an admin) to allow things to progress toward disaster. One was for Flash, the other for Java.

So, fearmongering? Yeeeeeesss. . . yes I am.

Cheers.
