Evilgrade is like Firesheep for Software Updates

Firesheep is firesheep because it's easy enough for random college freshmen to use. This is a commandline tool so it is no Firesheep.

Are the latest versions of Skype, VMWare, and others listed there at risk of software-update hijacking, with no cryptographic verification of update payloads?

Seems like something metasploit would do. If you're a budding security nut and you haven't tried some 'sploitin, you should definitely give it a go.

Here's the list of supported apps:<p>* Freerip 3.30<p>* Jet photo 4.7.2<p>* Teamviewer 5.1.9385<p>* ISOpen 4.5.0<p>* Istat<p>* Gom 2.1.25.5015<p>* Atube catcher 1.0.300<p>* Vidbox 7.5<p>* Ccleaner 2.30.1130<p>* Fcleaner 1.2.9.409<p>* Allmynotes 1.26<p>* Notepad++ 5.8.2<p>* Java 1.6.0_22 winxp/win7<p>* aMSN 0.98.3<p>* Appleupdate &#60;= 2.1.1.116 ( Safari 5.0.2 7533.18.5, &#60;= Itunes 10.0.1.22, &#60;= Quicktime 7.6.8 1675)<p>* Mirc 7.14<p>* Windows update (ie6 lastversion, ie7 7.0.5730.13, ie8 8.0.60001.18702, Microsoft works)<p>* Dap 9.5.0.3<p>* Winscp 4.2.9<p>* AutoIt Script 3.3.6.1<p>* Clamwin 0.96.0.1<p>* AppTapp Installer 3.11 (Iphone/Itunes)<p>* getjar (facebook.com)<p>* Google Analytics Javascript injection<p>* Speedbit Optimizer 3.0 / Video Acceleration 2.2.1.8<p>* Winamp 5.581<p>* TechTracker (cnet) 1.3.1 (Build 55)<p>* Nokiasoftware firmware update 2.4.8es * (Windows software)<p>* Nokia firmware v20.2.011<p>* BSplayer 2.53.1034<p>* Apt ( &#60; Ubuntu 10.04 LTS)<p>* Ubertwitter 4.6 (0.971)<p>* Blackberry Facebook 1.7.0.22 | Twitter 1.0.0.45<p>* Cpan 1.9402<p>* VirtualBox (3.2.8 )<p>* Express talk<p>* Filezilla<p>* Flashget<p>* Miranda<p>* Orbit<p>* Photoscape<p>* Panda Antirootkit<p>* Skype.<p>* Sunbelt<p>* Superantispyware<p>* Trillian &#60;= 5.0.0.26<p>* Adium 1.3.10 (Sparkle Framework)<p>* VMware<p>* more...

Firesheep only requires that you sniff unencrypted traffic but this requires that you make DNS requests resolve to an address of your choice. The latter is much harder to do. You either need to control the wireless router or break the DNS server some way.

It says it supports Adium (Sparkle) updates, but Adium definitely uses digital signatures, see /Applications/Adium.app/Contents/Resources/dsa_pub.pem . So...is there something I'm missing? Has anybody tested this?

Can anyone outline how a software package would protect against this?

I you don't get it I recommend watching the screencast <a href="http://www.infobytesec.com/demo/evilgrade.htm" rel="nofollow">http://www.infobytesec.com/demo/evilgrade.htm</a>

What's "Internal DNS access"? Host file access?