FAQ: Potential vulnerability in Check for Updates function in Domain Time
This article applies to Domain Time II.
Last Updated: 09 Apr 2021
Greyware versions of Domain Time Client, Server, and Manager have the option of checking with Greyware's server to see
if newer versions of the software is available for download. Versions of Domain Time prior to 5.2.b.20210331 have a
potential vulnerability, which allows a malicious Man-At-Same-Site program's reply to sneak in before the reply from
Greyware's server. This could lead an incautious user to visit a site other than Greyware to download other software
masquerading as a Greyware update.
This is a highly contrived situation, which relies on luck to succeed. We have no reports of this vulnerability
actually being exploited, but proof of concept testing in a lab shows it is possible.
Upgrade to the latest version of Domain Time. Version 5.2.b.20210331 and newer are not susceptible to this issue.
If you are unable to upgrade to the latest version of Domain Time, you may mitigate the vulnerability by doing the following:
- By deleting the DTTRAY.EXE program.
On Domain Time Client and Server, the check for updates function is provided by the System Tray Icon program (DTTRAY.EXE).
The System Tray is not required for Domain Time to function, so you may simply choose to delete the