Joel
Active Member
It has come to my attention that a cryptographic key used to sign the binaries which Eraser is built with (nightly builds) was leaked and stored on a publicly-available source repository for a few months prior to my discovery. For the majority of users using Eraser and only using official releases, this post has no bearing on the security of your Eraser install. However, if you are using any of the Nightly installs, this post will concern you.
Background
All of Eraser 6's binaries are signed with a cryptographic key to ensure the authenticity of the code. This prevents accidental (and deliberate) changes to the code after packaging so that the copies downloaded are safe (and verifiably so.) Two different keys are used for this purpose: a .NET Strong Name key, and an Authenticode certificate. The key which was committed to the repository was a .NET Strong Name.
.NET strong names are used to resolve conflicts between libraries (assemblies) with the same name, and the same/similar version. Eraser uses this information primarily in the plugin framework, where code from (potentially) unknown sources is loaded and run as part of Eraser's execution. Plugins are always loaded only if the strong names of the main Eraser binary match, and if the plugin is signed via Authenticode (two-factor: both requirements must be met before binaries are automatically loaded).
Impact
Due to this, it is possible for a malicious attacker to recompile a malicious plugin, sign it with the Eraser code key, and release it as a plugin. However, for the code to be loaded by Eraser, it also has to be signed with a valid Authenticode key that is trusted by Windows. Therefore, while malicious code can potentially be loaded into a nightly build's process space, the identity of the attacker would be identifiable, provided the same attacker's root certificates are not known to be trusted.
Workaround
All nightly build users are strongly recommended to uninstall all existing nightly builds (both 6.0 and 6.2 branches, regardless of age). Nightly builds after the 10th of May will be using a new strong name key and will not be affected.
Should that not be possible, disable all plugins that can be disabled in Eraser's settings. The Default Eraser plugin cannot be disabled; this is by design.
Resolution
A new strong name key will be generated and stored on the server. Builds using the new strong name will not be affected by this.
Old builds signed with the old key will no longer be accessible.
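For anyone who has to keep a nightly build installed, the two load conditions described under Background can be audited from PowerShell. This is an added example, not part of the original post and not Eraser's own code; the install path, the `Plugins` folder name and the `Eraser.exe` file name are assumptions to adjust for your system.

```powershell
# Added example: report, for each plugin DLL, whether it satisfies the two
# conditions the post describes (strong name matches the main binary, and a
# valid Authenticode signature). Paths below are assumed, not from the post.
param(
    [string]$EraserDir = "$env:ProgramFiles\Eraser",
    [string]$PluginDir = "$env:ProgramFiles\Eraser\Plugins"
)

function Get-StrongNameToken([string]$Path) {
    # Returns the assembly's public key token as lowercase hex.
    # Returns $null for native DLLs or assemblies without a strong name.
    try {
        $token = [System.Reflection.AssemblyName]::GetAssemblyName($Path).GetPublicKeyToken()
    } catch {
        return $null   # e.g. BadImageFormatException for non-.NET files
    }
    if (-not $token -or $token.Length -eq 0) { return $null }
    return -join ($token | ForEach-Object { $_.ToString('x2') })
}

$hostToken = Get-StrongNameToken (Join-Path $EraserDir 'Eraser.exe')
if (-not $hostToken) {
    throw "Could not read a strong name from Eraser.exe in $EraserDir"
}

Get-ChildItem -Path $PluginDir -Filter *.dll -File | ForEach-Object {
    $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
    $token = Get-StrongNameToken $_.FullName
    $match = ($token -eq $hostToken)
    [pscustomobject]@{
        Plugin           = $_.Name
        StrongNameMatch  = $match
        Authenticode     = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Both factors present: this file meets the automatic-load conditions.
        AutoLoadEligible = $match -and ($sig.Status -eq 'Valid')
    }
} | Format-Table -AutoSize
```

With the old strong name key exposed, a `StrongNameMatch` of `True` no longer says anything about who built the file, so the `Signer` column is the one to review for every row marked `AutoLoadEligible`.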