Researcher: Update and You’re Owned
Hundreds of applications that use software updates are making computers more vulnerable to attack.
Automatic updating, if done right, can help eliminate the threat of known
security vulnerabilities before attackers start exploiting the flaws. Done
wrong, however, the updating process itself becomes an efficient way for
attackers to install their code on the victim’s system.
One security researcher has found that at least a hundred programs use an update
process that puts their users at risk. How? A computer on the same network as
the target machine–think public wireless network–intercepts a message
requesting the most recent software update, replies that there is a more recent
version available, and then provides malicious code that will be installed
through the update process, explains Itzik Kotler, security-operations-center
team leader for security firm Radware.
“Every security guru will tell you that you have to patch, have a
firewall, and have your antivirus updated,” Kotler says. “However, if
[someone] attack[s] the update channel, none of those protections will stop [him]
from putting [harmful] code on the system.”
This story is only available to subscribers.
Don’t settle for half the story.
Get paywall-free access to technology news for the here and now.
Subscribe now
Already a subscriber?
Sign in
You’ve read all your free stories.
MIT Technology Review provides an
intelligent and independent filter for the
flood of information about technology.
Subscribe now
Already a subscriber?
Sign in
The problem is that many programs use a simple Web request to the software
developers’ server, through the hypertext transfer protocol (HTTP), to check
for an update. Without encryption, a malicious attacker on the same network can
see the request and immediately reply to it, far faster–in Internet time–than
a server out on the Web. The attack convinces the software running on the
victim’s machine that the attacker’s computer is the legitimate update server,
Kotler says.
“I came to the conclusion that the majority of the applications–we
have over 100 now–download a file through a simple HTTP request to the vendor
Web site,” he says.
The issue affects some major applications, including popular instant
messaging and document software, according to Kotler, who asked that the names
of the software not be divulged. Among the applications whose update feature
does not have the problem: Microsoft’s Office. Microsoft, which has focused on
locking down its software since it announced the Trustworthy Computing
Initiative in 2002, uses encryption to secure its update requests.
Thinking about the security of the update system is uncommon, Kotler says.
Software developers typically believe that sending an unencrypted request
through the Internet is secure.
“You can’t say that they have neglected anything or done anything
wrong,” he says. “The assumption that the infrastructure is secure is
a very natural one for many people.”
While the attacker needs to be on the same network as the victim for the
initial infection, after that, the malicious program could use the same
technique to infect anyone that checks for updates in the presence of a
compromised machine, Kotler says.
“I can basically create an airborne attack,” he says.
The attack can be blunted by making sure that programs do not update on an
untrusted network. Security-conscious users should also make sure that all
programs notify them when updating.