CVE-2015-4674 - TimeDoctor autoupdate over plain-HTTP
Jun 29 2015 11:49PM
Fernando Muñoz (fernando null-life com)
TimeDoctor claims to be software that helps improve the productivity of
teams and reduce time spent on distractions.
The TimeDoctor autoupdate feature downloads and executes files over plain
HTTP and performs no integrity or authenticity check on the downloaded
files. An attacker with MITM capabilities (e.g., when the user connects to
a public wifi network) could impersonate the TimeDoctor update subdomain and
have custom binaries executed on the machine where the application is
running.
The update mechanism first downloads update.xml, which contains the
version number, URL and filename for the new
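The two defects described above are the transport (plain HTTP) and the missing verification of what was fetched. The following is an added example, not TimeDoctor's code, of how an updater can reject both: it refuses non-HTTPS download URLs in the manifest and compares the downloaded payload against a digest pinned in the manifest before anything is executed. The element names (version, url, filename, sha256), the host and the payload bytes are constructed assumptions; the real update.xml layout is not given in the advisory.

```python
"""Hardened update-manifest handling (added example, not TimeDoctor's code).

Assumptions (not from the advisory): the manifest is an XML document with
<version>, <url>, <filename> and <sha256> elements. The real update.xml
layout is not published on the page.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when the manifest or payload fails a safety check."""


@dataclass(frozen=True)
class UpdateManifest:
    version: str
    url: str
    filename: str
    sha256: str


# Constructed sample manifest; element names and host are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<update>
  <version>2.0.1</version>
  <url>https://updates.example.invalid/TimeDoctor-2.0.1.exe</url>
  <filename>TimeDoctor-2.0.1.exe</filename>
  <sha256>{digest}</sha256>
</update>
"""

# Constructed stand-in for the downloaded installer bytes.
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed-installer-bytes"


def parse_manifest(xml_text: str) -> UpdateManifest:
    """Parse the manifest and enforce the checks a plain-HTTP updater lacks:
    HTTPS-only download URL, a bare filename, and a well-formed hex digest."""
    root = ET.fromstring(xml_text)
    fields = {}
    for tag in ("version", "url", "filename", "sha256"):
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            raise UpdateRejected(f"manifest missing <{tag}>")
        fields[tag] = node.text.strip()

    scheme = urlparse(fields["url"]).scheme.lower()
    if scheme != "https":
        raise UpdateRejected(f"refusing non-HTTPS update URL ({scheme}://)")

    name = fields["filename"]
    if "/" in name or "\\" in name or name in (".", ".."):
        raise UpdateRejected("filename must be a bare file name")

    digest = fields["sha256"].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise UpdateRejected("sha256 must be 64 hex characters")

    return UpdateManifest(fields["version"], fields["url"], name, digest)


def verify_payload(payload: bytes, manifest: UpdateManifest) -> bool:
    """True only if the payload matches the digest pinned in the manifest.
    compare_digest avoids leaking the mismatch position through timing."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, manifest.sha256)


def check_update(xml_text: str, payload: bytes) -> UpdateManifest:
    """Run every check; the caller may only execute the payload if this returns."""
    manifest = parse_manifest(xml_text)
    if not verify_payload(payload, manifest):
        raise UpdateRejected("payload digest does not match manifest")
    return manifest


def is_acceptable(xml_text: str, payload: bytes) -> bool:
    """Boolean wrapper around check_update for callers that prefer no exceptions."""
    try:
        check_update(xml_text, payload)
        return True
    except (UpdateRejected, ET.ParseError):
        return False


def sample_manifest_for(payload: bytes) -> str:
    """Build the constructed manifest with the digest of the given payload."""
    return SAMPLE_MANIFEST.format(digest=hashlib.sha256(payload).hexdigest())


if __name__ == "__main__":
    good_xml = sample_manifest_for(SAMPLE_PAYLOAD)
    print("accepted:", check_update(good_xml, SAMPLE_PAYLOAD).filename)
    print("plain-HTTP manifest accepted?",
          is_acceptable(good_xml.replace("https://", "http://"), SAMPLE_PAYLOAD))
    print("tampered payload accepted?",
          is_acceptable(good_xml, SAMPLE_PAYLOAD + b"\x00"))
```

The digest in the manifest only protects the binary if the manifest itself cannot be altered in transit, so the manifest must also be fetched over HTTPS with certificate validation (or carry a signature the client verifies with a key shipped in the installed product). Code signing of the installer is the stronger fix; the hash pin here is the minimum that turns "execute whatever arrives" into "execute only what the vendor described".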
TimeDoctor Pro 18.104.22.168 for Windows
Other editions/versions may be affected.
Vendor acknowledged the issue on Jun 18 and a new version should be
available today (Jun 29).
Copyright 2010, SecurityFocus