itman Posted September 13, 2015 (edited)

Ref. https://forum.eset.com/topic/5556-new-malware-got-past-nod32/

Interesting. I had something similar happen but with a different twist. I use Thunderbird as my e-mail client. Recently I had Thunderbird open reading my e-mail and I received a pop-up about Thunderbird having blocked an invalid update. I posted this on the Mozilla TBird forum and the mods there had no clue as to what that error message was or where it originated.

And it gets stranger... I just recently discovered there is an issue with Mozilla updates for Firefox, Thunderbird, etc. if Eset SSL protocol filtering is enabled. It appears Mozilla rejects Eset's root certificate and no connection is allowed for updating and the like. Checking my Thunderbird update logs indeed showed I had not had an update since Eset had been installed. The fix is to exclude Mozilla certificates from Eset SSL protocol filtering, which I have subsequently done.

So either this failed update message was bogus; or an attempt had been made to actually update Thunderbird, the update was bogus, and thankfully Thunderbird rejected it. The referenced thread and my experience make me wonder if perhaps a man-in-the-middle attack can occur when Eset's SSL protocol filtering does not work properly. Also of concern is that no diagnostic message from Eset is displayed when there is an issue with a web site accepting Eset's root certificate.

Edited September 13, 2015 by itman
TomasP (ESET Moderators) Posted September 14, 2015

Hello,
There are no mechanisms to report whether our certificate is being used or not. As for the Mozilla products, they have their own list of accepted certificates, so you can check that list to see whether the ESET certificate was imported and is being used correctly.
T.
itman (Author) Posted September 14, 2015 (edited)

> Hello,
> There are no mechanisms to report whether our certificate is being used or not. As for the Mozilla products, they have their own list of accepted certificates, so you can check that list to see whether the ESET certificate was imported and is being used correctly.
> T.

Yes, the Eset cert. is installed in Thunderbird. However, that is not the issue, since that cert. is only used for web site validation.

In default installation mode, Thunderbird will install the Mozilla Maintenance service and use that to perform silent background updating. In other words, it is using svchost.exe to connect to the Mozilla update servers. Since Eset's SSL protocol scanning is enabled for all port 443 communication, I assume the cert. being sent to those servers to establish a TLS session is the Eset root certificate from the Windows root CA store? I assume the Mozilla update servers would reject that cert. just like they do for a Firefox update?

One solution is to just disable svchost.exe from all SSL protocol scanning. I just might do that, since I believe there is also an issue with Adobe's ARM service and God knows what else. On the other hand, if a malware service were to get installed, it could send encrypted ###### un-scanned and undetected.

As far as Thunderbird goes, I now realize that using Mozilla's Maintenance service and allowing silent updating is a big security risk. In this mode, all UAC elevated prompting is bypassed. I have changed the update option in Thunderbird to "notify about updates." This method allows for updating via the thunderbird.exe process with an elevated UAC prompt, and the Mozilla Maintenance service is never started or used. Again, I assume that thunderbird.exe will initiate the update server TLS handshake using the Eset root CA OS certificate and it will in turn be rejected. I have therefore excluded the following Mozilla certificates from SSL protocol scanning.

The test will be when Mozilla serves up its next Thunderbird update.

-EDIT- Further risks associated with using the Mozilla Maintenance service are noted here: https://wizzley.com/mozilla-maintenance-service-a-security-issue/ . Note that according to this article you have to either disable the service or uninstall it to actually prevent update downloads from the service.

Edited September 15, 2015 by itman