Zango in security risk shocker
"I was not given permission to disclose the email conversations that took place".
Thierry Zoller
Here's a good approximation of what probably happened between 180 and the guy who discovered this latest Zango problem:
Thierry: "Hi Mr Zango type guy! Your software hits a 10.0 (high) on the Common Vulnerability Scoring System".
Zango: "Release teh Lollercakes!"
The problem? When Zango is installed, chunks of software are NOT checked for integrity or authenticity and execute as soon as they download.
Whoops.
Apparently the bad guys are able to tamper with either the initial install, or any updates that follow on from that.
Double whoops. This not-too-great scenario can take place in the following situations:
Now, the most worrying part in the writeup is this:
- The auto-update problem with Zango Adware remains; there was no fix.
- The Adware component is distributed by over 10.000 affiliates every day and I expect it to be installed on millions of workstations (IMO).
- If you compromise (or alter) a DNS server this gives immediate access to internal client machines.
.....they didn't fix it?
That's slightly worrying. Then again, it's not like I'm going to get anything out of 180 themselves on this subject. After tying their software into the Yapbrowser UA pr0n fiasco, they pulled their software at the speed of light and didn't make any public comment. I'd be vaguely surprised if they said anything in public about this one.
The customer is always right, so it doesn't pay to annoy them. (180 Blog)
You said it, not me.
Adware, insecure? Who'd have thought. I'm totally and utterly shocked. Seriously, my jaw is hitting the floor in amazement. And for those in the cheap seats at the back, I'm being sarcastic. No need to rattle your jewellery though, just do what the advisory says and block access to static.zangocash.com or zangocash.com altogether at the firewall.
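To make the failure concrete, here is a small Python model of the two update flows, added as an illustration and not code from the advisory or from Zango. It simulates the "compromise (or alter) a DNS server" case from the writeup: a resolver table that points the update host at a rogue server. The naive client runs whatever it downloads; the checked client compares the download's SHA-256 against a manifest pinned into the installer and refuses to run anything else. The host name, payloads, resolver tables and manifest are all constructed for the example. A real client would additionally verify a vendor signature over the manifest with a pinned public key so that authenticity, not just integrity, is covered; that step is left out here so the example runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed sample payloads (not real Zango components): what the vendor
# meant to ship, and what a host reached through an altered DNS answer serves.
GOOD_UPDATE = b"component v2: legitimate vendor build"
TAMPERED_UPDATE = b"component v2: replaced on a rogue host"

# Hypothetical manifest baked into the installer at build time: the SHA-256
# of each component the client is allowed to run. Anything else is rejected.
PINNED_MANIFEST = {
    "component.bin": hashlib.sha256(GOOD_UPDATE).hexdigest(),
}

# Simulated network: a resolver table maps the update host to a server name,
# and each server holds the bytes it would return. Both resolver tables are
# constructed for this example; "static.update.example" is a placeholder host.
UPDATE_HOST = "static.update.example"
HONEST_DNS = {UPDATE_HOST: "vendor-server"}
POISONED_DNS = {UPDATE_HOST: "rogue-server"}   # the altered-DNS case from the writeup
SERVERS = {
    "vendor-server": {"component.bin": GOOD_UPDATE},
    "rogue-server": {"component.bin": TAMPERED_UPDATE},
}


def fetch(name, dns):
    """Resolve the update host through the given DNS table and fetch the component."""
    return SERVERS[dns[UPDATE_HOST]][name]


def execute(blob):
    """Stand-in for launching the downloaded component; returns what would have run."""
    return blob.decode()


def verify(name, blob):
    """True only if the downloaded bytes hash to the value pinned in the manifest."""
    expected = PINNED_MANIFEST.get(name)
    if expected is None:          # unknown component: nothing to compare against
        return False
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected)


def naive_update(name, dns):
    """The behaviour the advisory describes: run whatever arrives, no checks."""
    return execute(fetch(name, dns))


def checked_update(name, dns):
    """Hardened flow: download, verify against the pinned manifest, only then run.

    Returns the executed content, or None when the component is rejected.
    """
    blob = fetch(name, dns)
    if not verify(name, blob):
        return None
    return execute(blob)


if __name__ == "__main__":
    for label, dns in (("honest DNS", HONEST_DNS), ("poisoned DNS", POISONED_DNS)):
        print(f"{label}: naive   -> {naive_update('component.bin', dns)!r}")
        print(f"{label}: checked -> {checked_update('component.bin', dns)!r}")
```

With the honest resolver both clients run the vendor build; with the poisoned resolver the naive client runs the rogue host's bytes while the checked client returns None and runs nothing. Note that the check lives entirely on the client side: it does not depend on DNS, TLS or the firewall rule the advisory recommends, which is why it is the layer that should have been there in the first place.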