Over the past few days, Wikileaks posted a series of documents purported to be from the CIA in a dump of files dubbed "Vault 7". Within those documents are references to a project called "Fine Dining" which details how a field agent can alter their own software on a portable device to include additional functionality that enables spying and other covert activities while appearing innocuous to anyone who happens to see the agent using their portable software. The process is detailed well in a Q&A by Sophos.
List of Affected Software
The list of affected software includes VLC Player Portable, IrfanView, Chrome, Opera, Firefox, ClamWin, Kaspersky TDSS Killer, McAfee Stinger, Sophos Virus Removal Tool, Thunderbird, Opera Mail, Foxit Reader, LibreOffice, Prezi, BabelPad, Notepad++, Skype, Iperius Backup, Sandisk Secure Access, U3 Software, 2048, LBreakout2, 7-Zip Portable and Portable Linux CMD Prompt. Some PortableApps.com Launchers are also affected by these techniques.
How The Vulnerability Is Exploited
In most affected apps, the vulnerability lies in the app itself rather than in the portable launcher. Two variants appear in the documents. Thunderbird, for example, is vulnerable if a DLL is added in a specific location that the app searches when loading libraries. Opera Mail is vulnerable to having one of its built-in DLLs replaced with something else. When the field agent's DLL is loaded by the base app, the DLL will then do whatever it is coded to do (copy files, listen in on network traffic, etc.). The base app continues working as usual while this occurs, allowing the agent to play a game, check their email, or browse the web. The leaked documents detail which specific DLLs to use for each app.
How We Mitigate The Risk
Today's PortableApps.com Platform release adds a security module to scan for the specific techniques outlined above. Every DLL addition recommended in the leaked document is specifically scanned for by the platform before a vulnerable app is launched. This includes DLLs located alongside an AppNamePortable.exe launcher, whether or not that app is listed as affected, since some apps will load DLLs from the launcher's directory as well as their own path. DLLs listed in the leak as vulnerable to replacement within an affected app are SHA-256 hashed by the platform and compared to the known hash for that version of the app's DLL; a mismatch means the shipped DLL is no longer the one we built.
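To make the two checks concrete, here is a small pre-launch scanner that models them. This is an added example, not the PortableApps.com Platform's own code: it takes a per-app policy listing (a) DLL names that must not exist at known hijack locations, including the folder beside the launcher, and (b) DLLs the app ships together with the SHA-256 of the genuine build. The app name ExampleAppPortable, the file names helper.dll and hijack.dll, and the file contents are all constructed for the demo; real policies would carry the names and hashes from the leak and from each shipped app version.

```python
"""Pre-launch integrity check for a portable app folder (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_app(app_root, policy):
    """Scan one portable app folder against its policy.

    policy = {
        "planted":     [relative DLL paths that must not exist],
        "replaceable": {relative DLL path: expected SHA-256 hex digest},
    }
    Returns a list of (finding, relative_path) tuples; an empty list means
    the app may be launched.
    """
    app_root = Path(app_root)
    findings = []

    # 1. Planted DLLs: the app (or its launcher) would pick these up from its
    #    search path, so their mere presence blocks the launch.
    for rel in policy["planted"]:
        if (app_root / rel).exists():
            findings.append(("unexpected_dll", rel))

    # 2. Replaced DLLs: the file is supposed to be there, but its hash must
    #    match the shipped build. A missing file is reported too, because the
    #    check cannot vouch for whatever the loader finds instead.
    for rel, expected in policy["replaceable"].items():
        p = app_root / rel
        if not p.exists():
            findings.append(("missing_dll", rel))
        elif sha256_file(p) != expected:
            findings.append(("modified_dll", rel))
    return findings


def demo():
    """Build a throwaway app folder, verify it, then tamper with it both ways.

    Returns (findings_before_tampering, findings_after_tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ExampleAppPortable"        # hypothetical app
        (root / "App" / "ExampleApp").mkdir(parents=True)
        genuine = root / "App" / "ExampleApp" / "helper.dll"
        genuine.write_bytes(b"GENUINE-HELPER-DLL-BYTES")  # constructed stand-in

        policy = {
            # Beside the launcher, and inside the app's own folder.
            "planted": ["hijack.dll", "App/ExampleApp/hijack.dll"],
            # Hash recorded from the known-good file at build time.
            "replaceable": {"App/ExampleApp/helper.dll": sha256_file(genuine)},
        }
        clean = check_app(root, policy)

        # Simulate both variants described in the post.
        (root / "hijack.dll").write_bytes(b"NOT-REALLY-CODE")
        genuine.write_bytes(b"GENUINE-HELPER-DLL-BYTES-BUT-PATCHED")
        tampered = check_app(root, policy)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "no findings, launch allowed")
    print("after tampering: ", after)
```

In a real launcher the policy would be generated at packaging time from the shipped binaries, and the hash comparison should run immediately before the process is started so that a swap after the check has no window to hide in.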
Why Mitigate When Users Aren't Affected
We are choosing to mitigate this risk even though our users are currently unaffected by this issue, because new attacks against users could be built on these techniques in the future now that they are more widely known and publicized. While our techniques won't mitigate every attack, making our users more secure is important to us.
Here are examples of the two new alerts that have been added to the PortableApps.com Platform:
Going forward, we will be watching for additional affected apps and additional vulnerable locations within the already affected apps. We will also be updating the PA.c Launchers to address any existing side-by-side DLL vulnerabilities, as well as adding hardening features that allow the PA.c Launchers to help protect and verify the apps directly. We'll also be updating the base apps like Skype, Chrome, Thunderbird, etc. as soon as their publishers address the vulnerabilities within them and release new versions. We hope this addresses any concerns you may have and helps you feel confident about enjoying your portable apps every day!