In Depth
The Security of Automatic Updates
Automatic software updates are supposed to make your life easier. But vulnerable updating mechanisms can help your enemies instead.
By Simson Garfinkel
The UMass researchers discovered that many programs don't authenticate their updates. That may not be so surprising—lots of software has security vulnerabilities, after all. But what is surprising is that among the products that didn't have digitally signed updates were McAfee VirusScan and McAfee Virex, two antivirus, anti-malware programs. While any program can have a bug, the failure to use digital signatures to authenticate code that's being downloaded and run is really a design flaw. Such a failure implies that the program's authors don't understand the kinds of threats that they are claiming to protect against. (A spokesperson for McAfee says that the vulnerability was confined to a small piece of legacy Virex code and that the problem was patched in February 2006.)
Exploiting the flaw in the McAfee products and other programs is actually a lot easier than you might think. Most of these unsecured update systems simply go to a Web or FTP server, check the time stamp on the most recent file and download the file if it's newer than what is installed. The address of the server is usually hard-coded into the program doing the update, although occasionally it is stored in a configuration file. Nothing about the downloaded file is checked that the server could not itself supply, so to exploit the flaw, all the attacker needs to do is redirect the program doing the update to a server that the attacker runs.
One way to send the program to the wrong website is with a DNS-based attack. Just run your software at a café offering wireless Internet service and wait until some other computer does a DNS query to find the IP address of the update server. Since your machine is on the same local network as the victim, it sees the query and can answer it before the legitimate DNS server's reply arrives; the victim's resolver takes the first answer and is pointed toward the wrong destination. Another exploit would be to run your own wireless access point, wait for some victim to attempt a connection to the update server and respond to the request with your hostile code. In either case, the update that gets downloaded might contain some kind of worm or Trojan horse. When the program is run, the victim's computer will be compromised.
I wonder if antivirus programs scan their own updates for viruses before the updates get installed.
Signing updates with a digital signature doesn't prevent the hostile code from being downloaded, but it does prevent the code from being run, provided the client checks the signature against a key it already holds before executing anything. Unfortunately, this is only half the battle. Even if updates are signed, an attacker capable of intercepting DNS requests or diverting Internet traffic can still use an update service to take over an unsuspecting victim's computer.
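To make the two designs concrete, here is an added example (it is not code from the article and does not come from McAfee or any other vendor it names) that plays out the café attack against both kinds of client. The vulnerable client accepts whatever file the server says is newer, exactly as the timestamp-only updaters above do. The hardened client verifies an Ed25519 signature over a small JSON manifest using a pinned vendor public key, checks that the payload matches the digest inside the signed manifest, and refuses anything whose signed version is not strictly newer than what is installed. The manifest format, the Ed25519 choice and the version check are assumptions of this example, not something the article specifies; all update contents are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the document the vendor signs (assumed format). Everything the
// client decides on lives inside the signed bytes, so a server the attacker
// controls cannot alter it without breaking the signature.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the payload
}

// Update is what a client receives from whatever host DNS pointed it at.
// ModTime is the unauthenticated "last modified" value that timestamp-only
// updaters rely on; Manifest and Sig are only present for signed releases.
type Update struct {
	ModTime  time.Time
	Payload  []byte
	Manifest []byte // JSON-encoded Manifest
	Sig      []byte // Ed25519 signature over Manifest
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under vendor key")
	ErrHashMismatch = errors.New("payload digest differs from signed manifest")
	ErrNotNewer     = errors.New("signed version is not newer than installed version")
)

// Publish is the vendor side: hash the payload, sign the manifest.
func Publish(priv ed25519.PrivateKey, version int, modTime time.Time, payload []byte) Update {
	sum := sha256.Sum256(payload)
	m, _ := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return Update{ModTime: modTime, Payload: payload, Manifest: m, Sig: ed25519.Sign(priv, m)}
}

// NaiveAccept is the vulnerable check: "is the file newer than mine?"
// Whoever answers the DNS query or runs the access point chooses ModTime.
func NaiveAccept(u Update, installedAt time.Time) bool {
	return u.ModTime.After(installedAt)
}

// VerifiedAccept is the hardened check. Order matters: verify the signature
// before trusting any manifest field, bind the payload to the manifest, then
// refuse anything not strictly newer (a genuine but old release is still the
// attacker's choice if it can simply be replayed).
func VerifiedAccept(pub ed25519.PublicKey, u Update, installedVersion int) error {
	if !ed25519.Verify(pub, u.Manifest, u.Sig) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return err
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	if m.Version <= installedVersion {
		return ErrNotNewer
	}
	return nil
}

// Outcome records what each client does with each server response.
type Outcome struct {
	NaiveRunsTrojan bool
	VerifiedGood    error
	VerifiedTrojan  error
	VerifiedSwapped error
	VerifiedReplay  error
}

// RunScenario plays the redirected-download attack against both clients using
// constructed data: a fresh vendor key pair, one real update, and three things
// a redirected client might be handed instead.
func RunScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installedVersion := 3
	installedAt := time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC)
	now := installedAt.Add(24 * time.Hour)

	good := Publish(priv, 4, now, []byte("constructed: legitimate v4 update"))
	old := Publish(priv, 2, now, []byte("constructed: genuine but superseded v2 update"))
	trojan := Update{ModTime: now, Payload: []byte("constructed: unsigned trojan")}
	swapped := good // real signed manifest, attacker-substituted body
	swapped.Payload = []byte("constructed: trojan behind a genuine manifest")

	return Outcome{
		NaiveRunsTrojan: NaiveAccept(trojan, installedAt),
		VerifiedGood:    VerifiedAccept(pub, good, installedVersion),
		VerifiedTrojan:  VerifiedAccept(pub, trojan, installedVersion),
		VerifiedSwapped: VerifiedAccept(pub, swapped, installedVersion),
		VerifiedReplay:  VerifiedAccept(pub, old, installedVersion),
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("naive client runs trojan: %v\n", o.NaiveRunsTrojan)
	fmt.Printf("verified client: good=%v trojan=%v swapped=%v replay=%v\n",
		o.VerifiedGood, o.VerifiedTrojan, o.VerifiedSwapped, o.VerifiedReplay)
}
```

The point the example makes is that the redirect itself is unchanged in both runs; the only thing that differs is whether the client has something the attacker cannot forge (the vendor's private key) to measure the download against. Note that the version comparison is done on the signed field, not on the server-reported timestamp, which remains attacker-controlled in both designs.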