Given that I’m experiencing odd lockups of Eclipse 3.3 on Ubuntu Linux on two systems (Ubuntu 7.something on the laptop, and 8.04.1 on the desktop), I thought I’d try Eclipse 3.4.

This led to a strange security incident which hasn’t recurred, despite me trying to reproduce it. Of course, I didn’t write any notes or take screenshots (duh, idiot), so I can’t give exact details… but here goes…

Extracted eclipse-SDK-3.4-linux-gtk.tar.gz to /opt/eclipse, and started adding my usual tranche of plugins:

* Checkstyle http://eclipse-cs.sourceforge.net/update
* EclEmma http://update.eclemma.org/
* Maven 2 http://m2eclipse.sonatype.org/update/
* Subclipse http://subclipse.tigris.org/update_1.2.x
* Spring IDE http://springide.org/updatesite

It was when I got to Maven 2 that Odd Things Started Happening….

Eclipse 3.4 has a new Software Update system. I didn’t have any major problems with the old one, but perhaps they just felt it needed replacing. Anyway, this one’s more magical. It does things behind the scenes without telling you. So, when you add an update URL, it appears in the sites list.

Also, for added lossage points, you now don’t get the option to enter a human-understandable name for the update site, so I have to remember that http://eclipse-cs.sourceforge.net/update is the update site for the Checkstyle plugin. This may seem rather geeky, but it is important – it is the thing that hopefully prevented this becoming a Defcon One incident. Some plugins seem to backfill the URL with the human-understandable update site name, e.g. after installing the Maven 2 plugin, the URL is replaced with “Maven Integration for Eclipse Update Site”.

I digress…

So you add the URL, and without giving any kind of indication that it’s doing so (hourglass cursor, you know, been around since The Very First Mac?), the updater goes off and fetches some *stuff* from the remote site, then refreshes/expands the tree view of update sites with the list of updates available from that site. If this wasn’t bad enough, it can add lots of other sites you didn’t ask for, presumably to satisfy dependencies.
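One check I would want before feeding any update URL to this new updater, as an added example rather than anything from the post or from Eclipse itself: parse the site’s own metadata offline and list the associate sites it declares, so you see the extra hosts before Eclipse quietly fetches from them. The script is my own Python; it assumes the classic site.xml layout, in which extra sites are named either in an inline `<associateSites>` block or in a file pointed at by the `associateSitesURL` attribute on `<site>`, and it uses constructed sample XML (not real sites) standing in for a fetched site so the demo runs with no network.

```python
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample input (not a real site): a site.xml in the classic Eclipse
# update-site format, naming extra sites in both places the format allows them.
SAMPLE_SITE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<site associateSitesURL="associateSites.xml">
  <feature url="features/org.example.feature_1.0.0.jar"
           id="org.example.feature" version="1.0.0">
    <category name="Tools"/>
  </feature>
  <category-def name="Tools" label="Tools"/>
  <associateSites>
    <associateSite url="http://mirror.example.org/update/" label="Example mirror"/>
  </associateSites>
</site>
"""

# Constructed sample of the file that associateSitesURL points at.
SAMPLE_ASSOCIATE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<associateSites>
  <associateSite url="http://other.example.net/update/" label="Somewhere else"/>
</associateSites>
"""


def fetch_http(url):
    """Fetch a URL over HTTP(S) and return the body as bytes."""
    with urllib.request.urlopen(url, timeout=20) as resp:
        return resp.read()


def associate_sites(site_xml, base_url, fetch=fetch_http):
    """Return [(url, label), ...] for every extra site this update site names.

    Two places are checked, in this order:
      1. an inline <associateSites> block inside site.xml;
      2. the file named by the associateSitesURL attribute on <site>,
         retrieved through `fetch` (pass a stub to stay offline).
    Relative URLs are resolved the way a client would, against the document
    they appear in. Bytes are parsed so the XML encoding declaration is honoured.
    """
    found = []
    root = ET.fromstring(site_xml)
    for el in root.iter("associateSite"):
        found.append((urljoin(base_url, el.get("url", "")), el.get("label", "")))
    extra = root.get("associateSitesURL")
    if extra:
        extra_url = urljoin(base_url, extra)
        extra_root = ET.fromstring(fetch(extra_url))
        for el in extra_root.iter("associateSite"):
            found.append((urljoin(extra_url, el.get("url", "")), el.get("label", "")))
    return found


def foreign_hosts(site_xml, base_url, fetch=fetch_http):
    """Hostnames of associate sites that are not the host you actually added."""
    own = urlsplit(base_url).hostname
    hosts = {urlsplit(u).hostname for u, _ in associate_sites(site_xml, base_url, fetch)}
    return sorted(h for h in hosts if h and h != own)


def main(argv):
    if len(argv) > 1:
        # Real use: pass the update URL you are about to add to Eclipse.
        base = argv[1] if argv[1].endswith("/") else argv[1] + "/"
        site_xml = fetch_http(urljoin(base, "site.xml"))
        sites = associate_sites(site_xml, base)
    else:
        # Offline demo on the constructed sample, using the Maven 2 URL from
        # the post as the "site you added" (the sample XML is not from that site).
        base = "http://m2eclipse.sonatype.org/update/"
        sites = associate_sites(SAMPLE_SITE_XML, base, lambda _url: SAMPLE_ASSOCIATE_XML)
    for url, label in sites:
        print(f"{url}\t{label}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the update URL as its only argument and compare the hosts it prints with the list that appears in the Eclipse updater; anything you did not expect is a reason to stop before installing. It reads only site.xml, so a site that publishes only the p2 content/artifacts metadata would need those parsed instead, and nothing here protects against a server that hands out different metadata depending on who asks.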

Anyway, the Maven 2 plugin updates list appears, showing the http://m2eclipse.sonatype.org/update/ URL, and the list of packages I could install. Yay, off we go for some lovely IDE-based dependency management fun… but wait…

There’s also another update site that’s appeared, and, sorry, I didn’t take screenshots or write it down, but it mentioned something like http://m2eclipse.codehaus.org/update/ – OK, that’s not so bad, perhaps some of the Maven plugin is hosted over at codehaus, not out of the ordinary, a lot of the Maven work is hosted there.

And then another update site appears, something with a .pp.ru domain…

At this point, I cancel the installation (it’s not as though I’ve started downloading – at least, I haven’t had the chance to veto any download, despite Eclipse downloading stuff without my consent). Get the hell out. Something odd is happening here. Scan the system, logs, nothing nasty. Damn, no notes/screenshots – let’s reproduce it and report it. I vape /opt/eclipse3.4 and try again, but it doesn’t reproduce.

Is there a vulnerability in the software update mechanism that someone could exploit?

So, careful when you update Eclipse 3.4.
