Skip to Content

Researcher: Update and You’re Owned

Hundreds of applications that use software updates are making computers more vulnerable to attack.
July 27, 2009

Automatic updating, if done right, can help eliminate the threat of known security vulnerabilities before attackers start exploiting the flaws. Done wrong, however, the updating process itself becomes an efficient way for attackers to install their code on the victim’s system.

One security researcher has found that at least a hundred programs use an update process that puts their users at risk. How? A computer on the same network as the target machine–think public wireless network–intercepts a message requesting the most recent software update, replies that there is a more recent version available, and then provides malicious code that will be installed through the update process, explains Itzik Kotler, security-operations-center team leader for security firm Radware.

“Every security guru will tell you that you have to patch, have a firewall, and have your antivirus updated,” Kotler says. “However, if [someone] attack[s] the update channel, none of those protections will stop [him] from putting [harmful] code on the system.”

The problem is that many programs use a simple Web request to the software developers’ server, through the hypertext transfer protocol (HTTP), to check for an update. Without encryption, a malicious attacker on the same network can see the request and immediately reply to it, far faster–in Internet time–than a server out on the Web. The attack convinces the software running on the victim’s machine that the attacker’s computer is the legitimate update server, Kotler says.

“I came to the conclusion that the majority of the applications–we have over 100 now–download a file through a simple HTTP request to the vendor Web site,” he says.

The issue affects some major applications, including popular instant messaging and document software, according to Kotler, who asked that the names of the software not be divulged. Among the applications whose update feature does not have the problem: Microsoft’s Office. Microsoft, which has focused on locking down its software since it announced the Trustworthy Computing Initiative in 2002, uses encryption to secure its update requests.

Thinking about the security of the update system is uncommon, Kotler says. Software developers typically believe that sending an unencrypted request through the Internet is secure.

“You can’t say that they have neglected anything or done anything wrong,” he says. “The assumption that the infrastructure is secure is a very natural one for many people.”

While the attacker needs to be on the same network as the victim for the initial infection, after that, the malicious program could use the same technique to infect anyone that checks for updates in the presence of a compromised machine, Kotler says.

“I can basically create an airborne attack,” he says.

The attack can be blunted by making sure that programs do not update on an untrusted network. Security-conscious users should also make sure that all programs notify them when updating.

Keep Reading

Most Popular

conceptual illustration of a heart with an arrow going in on one side and a cursor coming out on the other
conceptual illustration of a heart with an arrow going in on one side and a cursor coming out on the other

Forget dating apps: Here’s how the net’s newest matchmakers help you find love

Fed up with apps, people looking for romance are finding inspiration on Twitter, TikTok—and even email newsletters.

computation concept
computation concept

How AI is reinventing what computers are

Three key ways artificial intelligence is changing what it means to compute.

still from Embodied Intelligence video
still from Embodied Intelligence video

These weird virtual creatures evolve their bodies to solve problems

They show how intelligence and body plans are closely linked—and could unlock AI for robots.

We reviewed three at-home covid tests. The results were mixed.

Over-the-counter coronavirus tests are finally available in the US. Some are more accurate and easier to use than others.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.