How safe are programs that update themselves?

[shmu26]

How safe are programs that update themselves?

There are lots of little programs that don't seem to use HTTPS for communication, and it should be trivial to hack their update repository and seed it with malicious files, which would then be automatically downloaded and installed by countless machines all over the world.

On the other hand, I don't hear of this actually happening in the real world.

Is this a valid concern, and if so, is there anything to do about it?

 

[Ink]

On the other hand, I don't hear of this actually happening in the real world

Fortunately it was patched early. Virus Alert - Ask.com Toolbar Updater Hijacked to Download Malware (Patched)

 

[shmu26]

so should you opt for notify but don't automatically install updates, and then go and download your programs all over again? That's a hassle.

 

[AtlBo]

Using a policy of updating off-line as required has worked for me. Programs change hands unannounced, so it's hard to know when a program has new devs or who has taken over a project when the program is sold. I do wonder what I am missing out on, sometimes, but I just download and install the update in Toolwiz Timemachine to get a look in that case. To be consistent with this policy, I have chosen to block all programs from connecting to the internet.

 

[Cch123]

It is a valid concern, but the attack scenario you described is a little off. If you hack update repositories to seed them with malicious files, whether https or http connections no longer makes a difference, since the malicious files will be downloaded regardless if no integrity checks were in place.

What you are refering to by not using https is the possibility of man in the middle attacks. The attacker must somehow intercept the program's connection with its update servers first before being able to modify/seed malicious files into the unsecure connection. This limits the attack scenario drastically to players like your ISP, or someone within your network. Thus you do not hear of many such cases in the wild.

 

[shmu26]

another way to deal with the problem would be to configure one's default/deny setup in such a way that it will not automatically whitelist program updates. That way, you will get a prompt, and you can then check the digital signature, or send it to Virus Total.

 

[shmu26]

the attack scenario you described is a little off. If you hack update repositories to seed them with malicious files, whether https or http connections no longer makes a difference

right.
really what I want to say is that when a site doesn't bother to use https, it is likely that their security is generally weak, and they could be easy to hack.

 

[RoboMan]

This, plus lots of facts is why i don't let programs auto-update or search for updates. I use a Patcher for updating software daily. A program which auto updates is a software constantly connecting to the web searching for updates. Such a waste.

 

[shmu26]

This, plus lots of facts is why i don't let programs auto-update or search for updates. I use a Patcher for updating software daily. A program which auto updates is a software constantly connecting to the web searching for updates. Such a waste.

if there is malware on the site, ready for download, your Patcher will fetch it for you, too.

 

[RoboMan]

if there is malware on the site, ready for download, your Patcher will fetch it for you, too.

Yeah that wasn't what i meant lol, the patcher was to avoid constantly connetions to the web

 

[shmu26]

Yeah that wasn't what i meant lol, the patcher was to avoid constantly connetions to the web

sorry I misunderstood ya
right, all those apps searching for internet connections make the system kind of busy.

 

[Sundaram999]

Good question! I think that not all of them can be trusted

 

[tim one]

When a criminal finds a security flaw in a web site or web repository, his first goal is to make sure the access to data and resources (escalating access), and an attacker can upload any infected files on this site.

Definitely to have the certainty of complete security of a web site is almost impossible, so it is important to evaluate the security from computer side, then check for malware any app after an update or self update.

 

[Cch123]

right.
really what I want to say is that when a site doesn't bother to use https, it is likely that their security is generally weak, and they could be easy to hack.

You would be suprised at the number of vendors not using https updates Even security companies like Malwarebytes and Comodo update over http, just to name a few. Malwarebytes might have patched this since then, but still...it doesn't mean their system security is weak.

There are certain valid reasons why many vendors are not using SSL connections. Chiefly is the fact that an encrypted connection would incur a performance penalty, meaning slower updates. They might consider other measures in place sufficient to ensure the security of their updates, such as digital signatures. But from what I have seen thus far vendors seem to screw up this part often enough.

A good case study is the Malwarebytes update vulnerability described here: 714 - MalwareBytes: multiple security issues - project-zero - Monorail

 

[uncle bill]

right.
really what I want to say is that when a site doesn't bother to use https, it is likely that their security is generally weak, and they could be easy to hack.

I'm pretty sure what you say is wrong: i still use http on my site because i want the traffic to it to be easily sniffed and checked by everyone, just to make it easier for those who want to inspect it. I use https connection only when i've to work on the site itself. What i want to say is that a wordpress site it's likely to be hacked because of security flaws not because it allows http connection instead of https.

 

[frogboy]

A very good question, it not something i had thought about before but sure am now.

 

[AtlBo]

A good case study is the Malwarebytes update vulnerability described here: 714 - MalwareBytes: multiple security issues - project-zero - Monorail

Thanks for the information. Also, MBAM devs made this a higher than normal priority fix, and, judging from the linked blog announcement concerning the bug, surely there was a renewed vigilance for the updating process of MBAM. Also sounds like it was something of a wake up call in general, which is good, sometimes, even for the best of the best.