protip: it is not the reporter's responsibility to explain to you exactly why a bug is exploitable
especially not when it's one of the most well-documented threat vectors in all of security
This Tweet was deleted by the Tweet author.
Well… to be fair, it’s more complicated than that. According to that thread, VLC apparently verifies downloaded updates using GPG, although rcombs then found a bug in that
This Tweet was deleted by the Tweet author.
If they had proper signature verification including prevention of downgrade attacks it wouldn't be needed for the baseline update security, but it's still useful. An attacker modifying the traffic could still do things like a disk space DoS by providing an infinite size file.
They could make it robust against that kind of disk space exhaustion too, but I still think it's a good idea to use HTTPS, ideally via system libraries that get updated automatically and aren't going to be adding any real attack surface since it's already heavily used / exposed.
Other than pretending an update is available and then serving an old release for a downgrade attack, an attacker also has the opportunity to serve the description of the update to trick the user into installing malware which is vaguely similar to https://github.com/spesmilo/electrum/issues/4968….
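The three failure modes raised in this thread (a downgrade to an old signed release, a disk-exhausting download of unbounded length, and attacker-controlled update text shown to the user) can all be closed by a client that only trusts a signed manifest binding version, size, hash and release notes together, then enforces those bounds while downloading. The following is an added example, not VLC's updater or any code from the people in the thread. It uses an HMAC over the manifest as a stand-in for the asymmetric (GPG-style) signature a real updater would verify with an embedded public key, so that it runs with only the standard library; the key, manifest fields, version strings and payloads are all constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Iterable

# Constructed stand-in for the publisher's signing key. A real updater verifies an
# asymmetric signature (GPG, Ed25519, ...) against a public key shipped with the app;
# HMAC is used here only so the example is self-contained.
SIGNING_KEY = b"constructed-demo-signing-key"

# Hard ceiling on bytes we will ever write to disk, independent of what the server says.
MAX_DOWNLOAD_BYTES = 200 * 1024 * 1024


class UpdateRejected(Exception):
    """Raised whenever the update fails a check; the caller must not install."""


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: str, payload: bytes, notes: str) -> dict:
    """Publisher side: the manifest binds version, size, hash AND the user-visible notes."""
    return {
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "notes": notes,
    }


def sign_manifest(manifest: dict) -> bytes:
    return hmac.new(SIGNING_KEY, _canonical(manifest), hashlib.sha256).digest()


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def check_manifest(manifest: dict, signature: bytes, installed_version: str) -> None:
    """Client side, before any bytes are fetched."""
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        raise UpdateRejected("manifest signature invalid")
    # Anti-downgrade: an old, genuinely signed release must not be offered as "new".
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("offered version is not newer than installed version")
    if manifest["size"] > MAX_DOWNLOAD_BYTES:
        raise UpdateRejected("declared size exceeds local download ceiling")


def download_update(chunks: Iterable[bytes], manifest: dict) -> bytes:
    """Stream the body, refusing to buffer past the signed size (disk-space DoS guard)."""
    expected = manifest["size"]
    digest = hashlib.sha256()
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > expected:
            raise UpdateRejected("server sent more bytes than the signed manifest declares")
        digest.update(chunk)
        buf.extend(chunk)
    if len(buf) != expected:
        raise UpdateRejected("download truncated")
    if digest.hexdigest() != manifest["sha256"]:
        raise UpdateRejected("payload hash does not match signed manifest")
    return bytes(buf)


def _endless_stream() -> Iterable[bytes]:
    # Simulates an attacker on the path serving a body that never ends.
    while True:
        yield b"A" * 4096


def run_scenarios() -> dict:
    """Exercise the checks against constructed good and hostile inputs; returns outcomes."""
    installed = "3.0.7"
    payload = b"constructed new release bytes"
    good = build_manifest("3.0.8", payload, "Fixes a crash in the demuxer.")
    good_sig = sign_manifest(good)
    results = {}

    check_manifest(good, good_sig, installed)
    results["valid_update"] = download_update([payload[:10], payload[10:]], good) == payload

    old = build_manifest("3.0.6", b"old release", "Older build")
    try:
        check_manifest(old, sign_manifest(old), installed)   # genuine signature, old version
        results["downgrade"] = "accepted"
    except UpdateRejected:
        results["downgrade"] = "rejected"

    tampered = dict(good, notes="Run installer.exe from mirror X to update")  # notes swapped
    try:
        check_manifest(tampered, good_sig, installed)
        results["tampered_notes"] = "accepted"
    except UpdateRejected:
        results["tampered_notes"] = "rejected"

    try:
        download_update(_endless_stream(), good)                # body longer than signed size
        results["endless_body"] = "accepted"
    except UpdateRejected:
        results["endless_body"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Because the release notes are inside the signed manifest, an on-path attacker cannot swap in their own instructions without breaking the signature, and because the size check runs on the stream rather than on a trusted Content-Length, the endless-body case stops after a few kilobytes instead of filling the disk. TLS on top of this still matters for the reasons given above, but the checks here do not depend on it.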