Manuel Kehl

Security Update for the Windows version of Go For It!

A new version (1.3.5) of Go For It! for Windows has been published. Windows users are advised to update, as this is a security release.

As zeblau pointed out on Github, the last Windows build of Go For It! shows suspicious activity when scanned with Avast.

As I am not using Windows myself, I am very grateful for important hints like that and fired up my Windows VM immediately to investigate into the issue. I have now compiled the most recent code and downloaded a new version of Gtk that is being shipped with the installer, which results in an exe file passing Avast’s checks.

What to do now?

I adivse every user of the previously published installer (1.3) to update immediately! Just in case there was actual malware attached to the binary, it might be adivsable to install some sort of antivirus software (especially Avast might be intersting in this case) and perform a full system check.

What happened?

I hope and honestly do not expect that the binary was actually infected, because the only “weak spot” in the packaging chain might have been my old Windows VM. Just like my current Windows VM, it has been set up for the sole purpose of compiling and packaging Go For It! for Windows and therefore contained nearly no external software at all. Even an operating system like Windows cannot be that “virus prone” – can it?

The tools installed were basically the Vala for Windows Installer, a recent version of GTK from the official GNOME download site and Inno Setup for packaging the installer. I would consider all of the obove sources trustworthy. All my Windows installations are up-to-date and of “genuine” nature, as both the ISO and the serial were acquired officially in terms of a university program.

Conclusion

Henceforth I will keep Avast active despite the few third party tools installed on my Windows installation. Every future release is going to be checked before being uploaded!

Moreover an update notification mechanism will be implemented. This will enable Windows users, who do not have the convenience of a proper package manager, to get notified about future updates in time.

I apologize for what happened - if something happened at all - and hope that the incident did not cause too many inconveniences. I gave my best to deal with this issue in the most transparent manner and will not publish a Windows binary again, before having performed a scan with Avast.

Thank you for your attention!

UPDATE:

Zeblau repeated the check with several anti malware tools, none of them detecting a thread. It can therefore be deduced that my previous assumptions considering a false alarm were correct. I will however keep up the security measures mentioned above, because they make sense nevertheless!

comments powered by Disqus