In Depth
The Security of Automatic Updates
Automatic software updates are supposed to make your life easier. But vulnerable updating mechanisms can help your enemies instead.
By Simson Garfinkel
Remember, a signature on an update just means that the update is authentic—it doesn't mean that the update is any good. Even legitimate updates have security vulnerabilities occasionally. Vulnerable updates are usually replaced in short order once the vulnerability is discovered. But if an attacker obtains a copy of a vulnerable update and can feed it to an unsuspecting client, the attacker could then use the vulnerability to exploit the victim.
Another way that an attacker can subvert the update process is to run an update server that always responds, "No updates today!" Clients will then connect, find no update and disconnect—and never know that they have been deceived. A well-placed attacker could prevent an entire organization from installing security updates for a period of time, then attack all of the organization's vulnerable machines.
Connection Check
To detect these attacks, the client needs to authenticate not just the update itself but also the connection to the update server. One way to do this is by having the client connect to the server using SSL; this assures the authenticity of the server's DNS name, assuming that the SSL client's built-in certificate authority certificates haven't been corrupted. A slightly more clever way to authenticate the server is to have it publish a signed message on a daily or hourly basis that reports the date of the most recent update. The advantage of this approach is that the updates don't need to be downloaded with SSL and don't depend upon the public-key infrastructure. Updates could even be mirrored on unsecured, public FTP servers.
Of course, an attacker who controls the Internet connection can simply prevent the client from reaching its update server entirely. But in this case, the client will at least know that something is wrong. It might then notify its human operator or shut down and refuse to operate until it can verify for sure that there are no new updates available.
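The signed "date of the most recent update" statement described above, as an added example that is not from the article or the UMass paper: a server-side signer and a client-side check that rejects a forged statement and a replayed, stale "no updates today" statement, then reports whether the client is behind. The field names, the Ed25519 choice and the 5-minute clock-skew allowance are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Freshness is the signed statement the article describes: the server periodically
// publishes when it was issued and which update is newest. Field names are assumptions.
type Freshness struct {
	IssuedAt     int64  `json:"issued_at"`     // Unix time at which the server signed it
	LatestUpdate string `json:"latest_update"` // identifier of the newest published update
}

// Signed carries the serialized statement and its Ed25519 signature over those bytes.
type Signed struct {
	Payload []byte
	Sig     []byte
}

// Sign is the server side; only the statement needs protecting, not the transport.
func Sign(priv ed25519.PrivateKey, f Freshness) (Signed, error) {
	payload, err := json.Marshal(f)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Verify is the client side. It rejects a forged or altered statement, then one older
// than maxAge (how a replayed "no updates today" statement is caught even on a plain
// FTP mirror), and finally reports whether the installed update is behind the newest.
func Verify(pub ed25519.PublicKey, s Signed, now time.Time, maxAge time.Duration,
	installed string) (needsUpdate bool, err error) {
	if !ed25519.Verify(pub, s.Payload, s.Sig) {
		return false, errors.New("freshness statement: bad signature")
	}
	var f Freshness
	if err := json.Unmarshal(s.Payload, &f); err != nil {
		return false, err
	}
	issued := time.Unix(f.IssuedAt, 0)
	if issued.After(now.Add(5*time.Minute)) || now.Sub(issued) > maxAge {
		return false, errors.New("freshness statement: stale or future-dated; refuse to proceed")
	}
	return f.LatestUpdate != installed, nil
}
```

A client that sees the stale-statement error is in the situation the paragraph above describes: it cannot prove there are no new updates, so it should alert its operator rather than silently continue.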
Secure update mechanisms have largely been ignored both by developers and by computer security establishments, says Fu. The UMass paper evaluated the update systems built into Apple's Mac OS, Microsoft Windows, Adobe Acrobat, Microsoft Office on the Mac, Mozilla Firefox, Fugu, McAfee VirusScan, McAfee Virex and Debian Linux. None of the systems properly authenticated the connection between the update client and the update server at the time that the study was performed, although Windows Update and Mozilla Firefox made some attempt. Fu notes McAfee's claims of having addressed the vulnerabilities, although McAfee did not provide details.