#29, 03-03-2005, 03:16 PM
Quib (A Griffon; EQ2Map developer; Join Date: Jan 2005; Posts: 720)
Quote:
Originally Posted by Humudce
I understand completely where Quib is coming from on this, a malicious version could wreak havoc on our community. Not sure if this is possible or not but would it be possible for the Updater to check its own MD5 Checksum, and verify that against a value on the Update Site. If the Checksums do not match, the updater does not run. Could this also work as follows, say there is a newer version of the Updater Available, the Auto Updater matches the Old Version stored on the Updater site, and a Message Box appears informing the user that they must download the new Official Release of the Updater.
A modified version could easily make the auto-updater look at a different web-based MD5 value, bypassing any safety precautions of checksumming itself. As it is now, someone could modify the updater to download some nasty executable, but it has no way of overwriting itself or running any executable code it downloads.

On second thought, it does: it could download an exe and use the auto-launch EQ2 routine (modified) to execute this newly downloaded file.

I bet it'd take me 30 minutes or less to hex edit the current updater exe to do this (just as an example for how easy it'd be to make a malicious version).

All paranoia aside, I don't think the auto-updater will have any reason to update itself after we agree on a final version. The code will be flexible to accept a downloaded index of files (well, it already does this) and their checksums to update (not a hard-coded list) and the news download could tell users if there is (on the off chance) a new version of the updater available.

Basic rule for safety, get the updater from maps.eq2interface.com or from the EQ2MAP download section and you'll be fine (well, once it's at those places). Also make sure the updater you're getting was posted by taco-man as he'll be the only one uploading it from the EQ2MAP team. The real trick will be making sure the general EQ2 public knows to never get a copy of the updater from somewhere else.

Hopefully this post didn't scare anyone; just trying to make sure you all know the risks involved with using executables, and especially ones that have internet access.

Quib
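As an added example (not the EQ2MAP updater's own code), here is how a client can verify a downloaded index of files and checksums like the one described above, while refusing any entry that would overwrite the updater itself. The "path checksum" index format, the updater's file name and the sample map files are assumptions; as the post notes, a checksum fetched from the same site only catches corruption or a swapped file, it cannot protect against a modified updater that simply looks elsewhere.

```python
import hashlib
import posixpath

UPDATER_EXE = "EQ2MAP_Updater.exe"  # hypothetical name for the updater's own binary


def checksum(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a file body. MD5 matches the thread, but MD5 collisions are
    practical today, so a deployed updater should prefer sha256."""
    return hashlib.new(algo, data).hexdigest()


def build_index(files: dict) -> str:
    """Publisher side: one 'path checksum' line per file (assumed format)."""
    return "\n".join(f"{p} {checksum(b)}" for p, b in sorted(files.items()))


def parse_index(text: str) -> dict:
    """Client side: turn the downloaded index into {path: expected_checksum}."""
    index = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 2:
            raise ValueError(f"malformed index line: {line!r}")
        index[parts[0]] = parts[1].lower()
    return index


def safe_relative_path(path: str) -> bool:
    """Reject entries that escape the install directory or name the updater,
    so a hostile index cannot make the client overwrite its own executable."""
    norm = posixpath.normpath(path)
    if norm.startswith(("/", "..")) or "\\" in path or ":" in path:
        return False
    return posixpath.basename(norm).lower() != UPDATER_EXE.lower()


def verify_downloads(index_text: str, downloaded: dict) -> dict:
    """Return {path: 'ok' | 'bad-checksum' | 'unsafe-path' | 'missing'};
    only 'ok' entries should ever be written to disk."""
    result = {}
    for path, expected in parse_index(index_text).items():
        if not safe_relative_path(path):
            result[path] = "unsafe-path"
        elif path not in downloaded:
            result[path] = "missing"
        elif checksum(downloaded[path]) != expected:
            result[path] = "bad-checksum"
        else:
            result[path] = "ok"
    return result


# Constructed sample files (not real EQ2MAP map data).
GOOD_FILES = {"maps/antonica.xml": b"<map name='antonica'/>",
              "maps/commonlands.xml": b"<map name='commonlands'/>"}
INDEX = build_index(GOOD_FILES)


def demo() -> dict:
    """One altered file plus a hostile index line targeting the updater binary."""
    tampered = dict(GOOD_FILES, **{"maps/commonlands.xml": b"<map name='commonlands'/>x"})
    hostile_index = INDEX + "\n../EQ2MAP_Updater.exe deadbeef"
    return verify_downloads(hostile_index, tampered)
```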