A researcher from Argentina has released an exploit package that can install malware on end user machines that run iTunes, Mac OS X, Winzip and a host of other popular software.

Evilgrade is the brainchild of Francisco Amato and works by exploiting weaknesses in the automatic upgrade feature of an affected program or operating system. It works only when a man-in-the-middle attack has first been carried out, but thanks to the domain name system vulnerability that has dominated security coverage ever since researcher Dan Kaminsky sounded the alarm three weeks ago, that's not much of a problem.

In addition to iTunes, Mac OS X, Winzip and Java, other programs that Evilgrade can attack include Winamp, Notebook, OpenOffice, Notepad++, Speedbit and the Linkedin Toolbar.

Amato, of Infobyte Computing Security Research, isn't the only researcher who's been thinking about security weaknesses in updating features. Security consultant Derek Callaway of Security Objectives has recently issued advisories warning against serious vulnerabilities in both Lenovo laptops and Cygwin, a tool that creates a Linux-like environment on Windows PCs. Like the exploits carried out by Evilgrade, the attacks Callaway warns of also rely on a man-in-the-middle condition, in which attackers are able to sit in between the victim and a trusted site.

The DNS bug discovered by Kaminsky isn't the only way to create a man-in-the-middle condition. Other attacks involving DNS, ARP and DHCP spoofing can also suffice, and with the recent release of a program called KARMetaSploitt (a combination of Metasploit and KARMA that's included within the latest BackTrack LiveCD), there's yet another menu-driven way to achieve the effect. ®

Related stories

• New OS X research warns of stealthier Mac attacks (21 January 2009)
• Green Hills spins out military Integrity for masses (5 December 2008)
• Updated Lame Mac Trojan limps into view (19 November 2008)
• Apple fans besieged by iPhone Trojan and iTunes attack (19 September 2008)
• Apple skewered over missing DNS patch (29 July 2008)
• Updated World's biggest ISPs drag feet on critical DNS patch (25 July 2008)
• Exploit code for Kaminsky DNS bug goes wild (24 July 2008)
• Researcher's hypothesis may expose uber-secret DNS flaw (21 July 2008)
• Vendors form alliance to fix DNS poisoning flaw (9 July 2008)
• Web browsers face crisis of security confidence (23 June 2008)
• Firefox developers tinker with new security protections (finally) (20 May 2008)
• ToorCon ISP typo pimping exposes users to fraudulent web pages (20 April 2008)
• DNS lords expose netizens to 'poisoning' (15 April 2008)
• RSA Demo shows how web attack threatens fabric of the universe (9 April 2008)
• Insecure indexing risk dissected (1 March 2005)