whosmatt / uvmod

Web-based firmware patcher for various Quansheng radios
https://whosmatt.github.io/uvmod/

Download updater software - security concern #7

Closed ashes00 closed 1 year ago

ashes00 commented 1 year ago

Not sure if this is the best way to notify of this security issue. However, it's an issue, and needs to be reported. Upon cloning the project and reviewing the "Download updater software" section, I find that the uvk5updater.zip and embedded AnonymPSUpdater_Setup_EN.exe are lighting up VirusTotal, indicating these files are malicious. Strangely enough the MFG was the one I would be more concerned with. It does have 1 issue, but that's an issue for them. While I understand we do not have to use the updater software exe itself, having a malicious executable included seems like a very bad idea. Can someone address this concern? Please see the VirusTotal links below for full details.

AnonymPSUpdater_Setup_EN.exe -> https://www.virustotal.com/gui/file/0872b06154e03c4ba5bddbfc153a99bd9b7a337742881b7a22dd7caf3d95d75f

uvk5updater.zip -> https://www.virustotal.com/gui/file/5f4757ed52fa0de590dee713a6dc2ccdea05c1afb2f82ff1e7c7484aa54ebddc

Thanks Ash,

whosmatt commented 1 year ago

Neither of these files is malicious. Getting a hit on VirusTotal is very common, and in this case you can even see that the big antivirus products don't flag it, and all the flags it got were generic rather than specific. I've taken a look at heuristics and could not find anything malicious about the updater.

On Thu, Aug 17, 2023, 17:39 ashes00 wrote:

Not sure if this is the best way to notify of this security issue. However, it's an issue, and needs to be reported. Upon cloning the project and reviewing the "Download updater software" section, I find that the uvk5updater.zip and embedded AnonymPSUpdater_Setup_EN.exe are lighting up VirusTotal, indicating these files are malicious. Strangely enough the MFG was the one I would be more concerned with. It does have 1 issue, but that's an issue for them. While I understand we do not have to use the updater software exe itself, having a malicious executable included seems like a very bad idea. Can someone address this concern? Please see the VirusTotal links below for full details.

AnonymPSUpdater_Setup_EN.exe -> https://www.virustotal.com/gui/file/0872b06154e03c4ba5bddbfc153a99bd9b7a337742881b7a22dd7caf3d95d75f

uvk5updater.zip -> https://www.virustotal.com/gui/file/5f4757ed52fa0de590dee713a6dc2ccdea05c1afb2f82ff1e7c7484aa54ebddc

Thanks Ash,

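The distinction drawn in the reply above (generic versus specific detections, and whether major engines flag the file) can be checked mechanically. The following is an added example, not part of the thread or of uvmod: it summarises a mapping shaped like the `last_analysis_results` object in a VirusTotal v3 file report. The engine names, labels, marker list and `major_engines` set are constructed assumptions, and the result is a triage aid, not a verdict on any file.

```python
import re

# Assumption: substrings that commonly mark heuristic, ML or "generic" labels.
GENERIC_MARKERS = re.compile(
    r"generic|heur|suspicious|malicious|unsafe|confidence|score"
    r"|\bgen\b|\bml\b|\bai\b",
    re.IGNORECASE,
)

def triage(results, major_engines):
    """Summarise {engine: {"category": str, "result": str | None}}."""
    flagged = {
        engine: (entry.get("result") or "")
        for engine, entry in results.items()
        if entry.get("category") in ("malicious", "suspicious")
    }
    # A label with no generic marker (or no label at all) counts as specific.
    generic = sorted(e for e, lbl in flagged.items() if GENERIC_MARKERS.search(lbl))
    specific = sorted(set(flagged) - set(generic))
    major_flagging = sorted(set(flagged) & set(major_engines))
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "generic": generic,
        "specific": specific,
        "major_flagging": major_flagging,
        # False only means "generic-only noise pattern"; it does not prove
        # the file is clean. True means someone should analyse the sample.
        "escalate": bool(specific or major_flagging),
    }

# Constructed sample data (hypothetical engines and labels).
GENERIC_ONLY = {
    "EngineA": {"category": "undetected", "result": None},
    "EngineB": {"category": "malicious", "result": "Trojan.Generic.12345"},
    "EngineC": {"category": "malicious", "result": "Heur.Packed.Installer"},
    "EngineD": {"category": "suspicious", "result": "ML.Attribute.HighConfidence"},
    "EngineE": {"category": "undetected", "result": None},
}
NAMED_FAMILY = dict(
    GENERIC_ONLY,
    EngineA={"category": "malicious", "result": "Trojan.Win32.ExampleFam.a"},
)
MAJOR = {"EngineA", "EngineE"}  # assumption: engines the reader weighs most

if __name__ == "__main__":
    for name, sample in (("generic-only", GENERIC_ONLY), ("named-family", NAMED_FAMILY)):
        print(name, triage(sample, MAJOR))
```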