The national ID card software website, which gives access to Estonian electronic services such as digital signing, said on August 22 that a critical security vulnerability had been fixed and that a new software update is available.
"A critical error has been fixed in the processing of DDOC files. Exploiting this error could have rendered it possible to overwrite random files in the user rights of the victim's computer, if the attacker were to lure the user into opening specially formatted digital signature files," said the software downloading website.
Although the potential threat was discovered through testing and not due to any reported attack, a report by Eesti Päevaleht on August 27 that around 30,000 users have yet to update their software elicited concern among critics.
Their main complaint was that people have been put in a situation where they are encouraged to use services with security vulnerabilities (granted, security problems have so far been theoretical and there is no absolutely secure alternative). Furthermore, critics said, many users are not tech-savvy enough to know to update the software themselves, although all versions 3.5 and above of the software update automatically within a week. They also said the public announcement of the fixed bug has not been sufficient.
One critic, IT specialist Henrik Roonemaa, otherwise a proponent of e-services, told Postimees:
"[W]e are in a situation where practically all Estonians are required to use software that opens the computer to attackers. It is quite an unpleasant situation because the ID card software is indisputably on a lot of people's computers and most of them are not IT-savvy. I think that almost no one visits the Certification Center's website to look at technical documents."
Noting the faulty software could remain on the computers of "thousands or tens of thousands" for years, he said: "Today the Certification Center will patch up the security hole with the new software version. But the main question is how can we make sure that the update will reach every Estonian's computer?"
Information System Authority press representative Liisa Tallinn told Eesti Päevaleht that around 60,000 people use digital signing each month, the majority of whom have software versions that update automatically.
Postimees also quoted Tallinn explaining the nature of the bug: "To our knowledge, no such attack has taken place. In order to take over a computer, the attacker must select a specific individual, to whom a digitally signed file can be sent. The receiver of the file must be gullible enough to open it. Then the attacker may be able to overwrite files. It's not a vulnerability that is just lying around on the Internet somewhere and can randomly strike a computer user. It must be a targeted attack [...]"
But Roonemaa, Delfi reported, took issue with the implication that only a "gullible" user will be in trouble. "If [...] all that is needed is to open a malicious DDOC file that has been sent to you by e-mail, then I think it is extremely strange to say: 'but who would open a DDOC file received by e-mail,'" Roonemaa said.