June 15th, 2009

China confirms security flaws in Green Dam, rushes to release a patch

Posted by Dancho Danchev @ 2:09 am

Categories: Arbitrary Code Execution, Botnets, Governments, Hackers, Patch Watch, People's Republic of China, Privacy, Vulnerability research

Tags: Software, China, Tools & Techniques, Security, Management, Dancho Danchev

China’s Ministry of Industry and Information Technology has instructed the developers of the Green Dam censorware to quickly release a patch in response to last week’s published analysis detailing the possibility of remotely exploitable vulnerabilities within the software.

Jinhui Computer System Engineering Co, developer of Green Dam, insisted that the software is just as vulnerable as any other, and that their expertise is in coding Internet filtering software, not necessarily software with security in mind — a pretty interesting comment, taking into consideration the fact that the developer earned millions in the process of coding it.

Moreover, although Green Dam made the headlines in 2009 and quickly received the reverse-engineering attention that exposed its security flaws, the vulnerable version of the censorware has been shipped to Chinese users since early 2008.

According to Green Dam’s web site, as of April 2009 there had been over 3.5 million downloads of the software. In less than a month, following an advertising campaign that featured a download link on 160 of China’s most popular web sites, the number of downloads peaked at 7,172,500, with the majority of Chinese provinces, schools and universities having already installed it on their networks.

This massive adoption can in fact quickly mature into the security disaster that researchers Scott Wolchok, Randy Yao, and J. Alex Halderman talked about in their analysis, and exploitation of the software may already be taking place without any public reports of it.

With China’s recent announcement that it will make the censorware an inseparable part of each and every Windows PC purchased after the 1st of July, through an agreement with China’s Lenovo, it may well be contributing to the creation of the “Great Botnet” of China.

The vendor of Green Dam is also planning legal action over the reverse engineering of its product, according to a quote published in People’s Daily Online. Zhang Chenmin, manager at Zhengzhou-based Jinhui Computer System Engineering Co.:

“expressed anger at Halderman’s report. “It is not responsible to crack somebody’s software and publish the details, which are commercial secrets, on the Internet. They (the professors) have infringed the copyright of our product. “I think the negative comments and attacks on Green Dam are intentional,” Zhang said, adding his company plans to take legal action against the professors.”

I wonder whether they’d still be having the same attitude if malicious attackers used Green Dam’s trivial remotely exploitable vulnerabilities, for creating a botnet whose size would have made Conficker look like an operation run by amateurs.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.
