ClickOnce MITM Attacks

You're browsing without Javascript! If you have no idea what that means, you should ask your technical friend about it.
Otherwise - kudos. The website should work - with the exception of comments. You can learn what they are; however, by visiting /comments.py?postid=blog-clickonce_mitm
If it doesn't, please contact me and let me know.

21 July 2010 00:44:23 EST

I wrote a bugtraq post about the Microsoft ClickOnce Installer/Updater system, and how it's relatively easy to strip away code signing and man-in-the-middle an update and inject your malicious code. Here's the writeup.

Comments

/comments.py?postid=blog-clickonce_mitm

Add a comment...

Name: required
E-Mail: required, hidden, gravatared
Website:
Comment: required, markdown enabled (help)

you type:	you see:
italics	italics
bold	bold
[stolen from reddit!](http://reddit.com)	stolen from reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"