[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE-2015-4674 - TimeDoctor autoupdate over plain-HTTP
TimeDoctor claims to be a software that helps to improve the
productivity of teams, reduce time spent on distractions 
TimeDoctor autoupdate feature downloads and executes files over plain
HTTP and doesn't perform any check with the files. An attacker with
MITM capabilities (i.e., when user connects to a public wifi) could
override the Timedoctor subdomain and then execute custom binaries on
the machine where the application is running.
The update mechanisms first downloads update.xml  which has
the version number, url and a filename for the new
TimeDoctor Pro 18.104.22.168 for Windows
Other editions/versions maybe affected.
Vendor acknowledged the issue on Jun 18 and a new version should be
available today (Jun 29).