[7541] in bugtraq
Re: Yahoo Pager auto-update
daemon@ATHENA.MIT.EDU (Sergiy Zhuk)
Thu Aug 6 12:55:21 1998
Date: Wed, 5 Aug 1998 16:51:25 -0700
Reply-To: Sergiy Zhuk <serge@YAHOO-INC.COM>
From: Sergiy Zhuk <serge@YAHOO-INC.COM>
X-To: Ralf Rudolph <rrudolph@ARTIFEX.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <003B66F73C29D21194D9006097D8E5BEBF13@nt45.artifex.de>
hi

On Wed, 5 Aug 1998, Ralf Rudolph wrote:

> Today, when I started the yahoo pager, it automatically downloaded
> executable files from http://pager.yahoo.com/pager/download/ (files
> ypager.ex_, d23-fw.dl_, myyahoo.dl_ and possibly others) and installed
> them without asking me. AFTER the upgrade, a message "Application
> successfully upgraded!" was displayed.

well, according to our engineers, Yahoo Pager doesn't update its binaries
automatically, you'll be asked to confirm the update.
But the updater itself *will* be updated automatically w/o your confirmation
which is not a Good Thing.
They are aware of it and they're trying to fix it.

Simple user confirmation doesn't protect your files anyway.
One should probably check the integrity of files or/and sign them somehow.

> btw: The yahoo pager is only one example: Many software vendors offer
> online upgrades. It just sounds like a bad idea to me to allow this

yes, Symantec, for example...

rgds,
serge
--
+-------------------------------------+-------------------------------------+
| Sergiy Zhuk | serge@yahoo-inc.com |
| Technical Yahoo | +1-408-731-3546 |
| Yahoo!, Inc | http://www.yahoo.com/ |
+-------------------------------------+-------------------------------------+
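
An added example, not part of the original post and not Yahoo's code: one way an updater could apply the integrity check suggested in the message above, verifying every staged file against a digest manifest before anything is installed. The manifest format, the function names and the file contents are assumptions, and the manifest is assumed to have been authenticated separately (for instance by a vendor signature).

```python
import hashlib
import tempfile
from pathlib import Path


class UpdateRejected(Exception):
    """A staged update failed verification; nothing may be installed."""


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def verify_staged_update(staging: Path, manifest: dict) -> list:
    """Return the installable file names, or raise UpdateRejected.

    Assumption: `manifest` (name -> SHA-256 hex) was already authenticated,
    e.g. by a vendor signature checked against a key shipped with the client.
    """
    for name in manifest:
        # Manifest entries must be plain file names: no paths, no traversal.
        if "/" in name or "\\" in name or name in ("", ".", ".."):
            raise UpdateRejected(f"unsafe name in manifest: {name!r}")
    staged = {p.name for p in staging.iterdir()}
    if staged != set(manifest):
        # Missing or extra files both fail: the update is all-or-nothing.
        raise UpdateRejected(f"file set mismatch: {sorted(staged ^ set(manifest))}")
    for name in sorted(manifest):
        path = staging / name
        if path.is_symlink() or not path.is_file():
            raise UpdateRejected(f"not a regular file: {name}")
        if sha256_file(path) != manifest[name].lower():
            raise UpdateRejected(f"digest mismatch: {name}")
    return sorted(manifest)


if __name__ == "__main__":
    # Constructed sample data; the file name is one mentioned in the post.
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp)
        (staging / "ypager.ex_").write_bytes(b"constructed update payload")
        manifest = {"ypager.ex_": sha256_file(staging / "ypager.ex_")}
        print("clean:", verify_staged_update(staging, manifest))
        (staging / "ypager.ex_").write_bytes(b"tampered in transit")
        try:
            verify_staged_update(staging, manifest)
        except UpdateRejected as exc:
            print("rejected:", exc)
```

The check only runs on files in a staging directory, so a rejected update leaves the installed binaries untouched.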