The Security of Automatic Updates
Automatic software updates are supposed to make your life easier. But vulnerable updating mechanisms can help your enemies instead.
By Simson Garfinkel
October 09, 2006 — CSO —
Have you updated your computer's antivirus software today? Have you configured your desktop to automatically download and install its security updates? What about your copies of Microsoft Office, Adobe Acrobat, Mozilla Firefox and even consumer applications like Intuit Quicken? All of these programs now have built-in update capabilities. Are you using them?
Presumably your answer to all of these questions is yes. In these days of online attacks, malicious hackers and aggressive spyware, you need to either aggressively download your updates or else keep your computer isolated from both the Internet and your internal networks. Unpatched computers don't last very long in the wild these days. As a result, virtually all operating systems, applications and even shareware come with the ability to check for new updates—and most of these systems can be configured to automatically download and install the updates without human intervention.
But there is a problem with many updating systems, as a recent paper by three researchers at the University of Massachusetts makes alarmingly clear. Many update systems, it seems, are themselves riddled with security vulnerabilities. In the paper, which was presented this past July at the First Usenix Workshop on Hot Topics in Security, professor Kevin Fu and his graduate students Anthony Bellissimo and John Burgess show that update systems in popular software packages like McAfee VirusScan and Mozilla Firefox can actually be used to take over a computer that's trying to update itself!
The so-called secure update problem is twofold, say the researchers. First and foremost, programs need to have some way of authenticating their updates to establish their legitimacy. But it is also critically important that programs have an authenticated connection to the update server. In the rest of this column I'll discuss why both of these authentications are important, and I'll show what can go wrong with one or both missing. This is an issue that CSOs need to be aware of.
The Code's Source
As the name implies, having an update authenticated means that there is some way for the software doing the update to assure itself that the update is an authentic version from the intended source. Without authentication, a clever attacker can arrange for the program doing the update to download and run an exploit instead. In practice, updates should be authenticated with a digital signature—they should be signed with a private key. The matching public key should be embedded inside the application doing the update. Before the update is run, the application should verify the digital signature. If the signature doesn't verify, the update should be deleted.
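The sign-then-verify flow described above, as an added example in Go (not code from the column or from the paper it discusses): the public key is compiled into the updater, the vendor's build server signs a digest of the update, and the updater refuses anything whose signature does not verify, including a payload altered by a single byte. The Ed25519 key pair and the sample update bytes are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Verifier holds the public key embedded in the updating application.
// In a shipped product this is a compiled-in constant; it is never
// downloaded from the update server, or an attacker who controls that
// server could simply supply a key matching their own signature.
type Verifier struct {
	pub ed25519.PublicKey
}

var errBadSignature = errors.New("update rejected: signature does not verify")

// VerifyUpdate returns nil only if sig is a valid Ed25519 signature by the
// embedded key over the SHA-256 digest of the update bytes. A caller must
// not install (or even unpack) the update when an error is returned.
func (v Verifier) VerifyUpdate(update, sig []byte) error {
	digest := sha256.Sum256(update)
	if !ed25519.Verify(v.pub, digest[:], sig) {
		return errBadSignature
	}
	return nil
}

// signUpdate plays the vendor's build server, the only party holding the
// private key. It is here so the example runs stand-alone.
func signUpdate(priv ed25519.PrivateKey, update []byte) []byte {
	digest := sha256.Sum256(update)
	return ed25519.Sign(priv, digest[:])
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	updater := Verifier{pub: pub}
	update := []byte("constructed sample update payload, version 1.2.3")
	sig := signUpdate(priv, update)
	fmt.Println("genuine update: ", updater.VerifyUpdate(update, sig))
	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0xff // one flipped byte, as a man-in-the-middle might inject
	fmt.Println("tampered update:", updater.VerifyUpdate(tampered, sig))
}
```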