How safe are programs that update themselves?

shmu26
Jul 3, 2015

There are lots of little programs that don't seem to use HTTPS for communication, and it should be trivial to hack their update repository and seed it with malicious files, which would then be automatically downloaded and installed by countless machines all over the world.

On the other hand, I don't hear of this actually happening in the real world.

Is this a valid concern, and if so, is there anything to do about it?
 

AtlBo
Dec 29, 2014
Using a policy of updating offline as required has worked for me. Programs change hands unannounced, so it's hard to know when a program has new devs or who has taken over a project when the program is sold. I do wonder what I am missing out on, sometimes, but I just download and install the update in Toolwiz Timemachine to get a look in that case. To be consistent with this policy, I have chosen to block all programs from connecting to the internet.
 

Cch123
May 6, 2014
It is a valid concern, but the attack scenario you described is a little off. If you hack update repositories to seed them with malicious files, whether the connection is https or http no longer makes a difference, since the malicious files will be downloaded regardless if no integrity checks are in place.

What you are referring to by not using https is the possibility of man-in-the-middle attacks. The attacker must somehow intercept the program's connection with its update servers first before being able to modify/seed malicious files into the insecure connection. This limits the attack scenario drastically to players like your ISP, or someone within your network. Thus you do not hear of many such cases in the wild.
 

shmu26
Jul 3, 2015
Another way to deal with the problem would be to configure one's default-deny setup in such a way that it will not automatically whitelist program updates. That way, you will get a prompt, and you can then check the digital signature, or send it to VirusTotal.
 

shmu26
Jul 3, 2015
> the attack scenario you described is a little off. If you hack update repositories to seed them with malicious files, whether https or http connections no longer makes a difference

Right. Really what I want to say is that when a site doesn't bother to use https, it is likely that their security is generally weak, and they could be easy to hack.
 

RoboMan
Jun 24, 2016
This, plus lots of facts, is why I don't let programs auto-update or search for updates. I use a patcher for updating software daily. A program which auto-updates is software constantly connecting to the web searching for updates. Such a waste.
 

shmu26
Jul 3, 2015
> This, plus lots of facts, is why I don't let programs auto-update or search for updates. I use a patcher for updating software daily. A program which auto-updates is software constantly connecting to the web searching for updates. Such a waste.

If there is malware on the site, ready for download, your patcher will fetch it for you, too.
 

shmu26
Jul 3, 2015
> Yeah, that wasn't what I meant lol, the patcher was to avoid constant connections to the web

Sorry, I misunderstood ya.
Right, all those apps searching for internet connections make the system kind of busy.
 

tim one
Jul 31, 2014
When a criminal finds a security flaw in a web site or web repository, his first goal is to make sure of access to data and resources (escalating access), and then the attacker can upload any infected files to this site.

Definitely, having the certainty of complete security of a web site is almost impossible, so it is important to evaluate security from the computer side, then check any app for malware after an update or self-update.
 

Cch123
May 6, 2014
> Right. Really what I want to say is that when a site doesn't bother to use https, it is likely that their security is generally weak, and they could be easy to hack.

You would be surprised at the number of vendors not using https updates :D Even security companies like Malwarebytes and Comodo update over http, just to name a few. Malwarebytes might have patched this since then, but still... it doesn't mean their system security is weak.

There are certain valid reasons why many vendors are not using SSL connections. Chief among them is the fact that an encrypted connection would incur a performance penalty, meaning slower updates. They might consider other measures in place sufficient to ensure the security of their updates, such as digital signatures. But from what I have seen thus far, vendors seem to screw up this part often enough.

A good case study is the Malwarebytes update vulnerability described here: 714 - MalwareBytes: multiple security issues - project-zero - Monorail
 
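The point made above, that transport security and update integrity are separate questions, is easier to see in code. The following is an added illustration, not code from any post or vendor in this thread: a minimal update-client check that pins the payload's SHA-256 to a manifest and refuses version rollback, then shows why the hash alone does not help when the mirror itself is compromised and can serve a matching manifest (all payloads, names and versions are constructed; a real client would additionally verify the manifest's signature with a vendor public key, which is omitted here).

```python
import hashlib
import hmac
import json

# Constructed sample update and its (unsigned) manifest.
UPDATE_PAYLOAD = b"constructed installer bytes, version 2.1.0"
MANIFEST = json.dumps({
    "name": "app-update.exe",
    "version": [2, 1, 0],
    "sha256": hashlib.sha256(UPDATE_PAYLOAD).hexdigest(),
}).encode()
INSTALLED_VERSION = (2, 0, 5)   # constructed: what the client already runs


class UpdateRejected(Exception):
    pass


def verify_update(manifest_bytes: bytes, payload: bytes, installed=INSTALLED_VERSION) -> dict:
    """Return the manifest if the payload is acceptable, else raise UpdateRejected.

    (1) Hash check: a file swapped in transit (plain HTTP MITM) or by a
        third party who can only touch the payload is rejected, regardless
        of whether the download used TLS.
    (2) Anti-rollback: a replayed older, genuine-but-vulnerable update is rejected.
    """
    manifest = json.loads(manifest_bytes)
    actual = hashlib.sha256(payload).hexdigest()
    # compare_digest avoids timing side channels; harmless habit for hex digests too
    if not hmac.compare_digest(manifest["sha256"], actual):
        raise UpdateRejected("hash mismatch: payload altered or wrong file")
    if tuple(manifest["version"]) <= tuple(installed):
        raise UpdateRejected("rollback/replay: manifest version not newer than installed")
    return manifest


def try_update(manifest_bytes: bytes, payload: bytes, installed=INSTALLED_VERSION) -> bool:
    try:
        verify_update(manifest_bytes, payload, installed)
        return True
    except UpdateRejected:
        return False


def compromised_mirror_manifest(payload: bytes) -> bytes:
    """Constructed: a hacked repository can publish a manifest matching its own payload,
    so an unsigned manifest gives no protection in that scenario."""
    return json.dumps({"name": "app-update.exe", "version": [9, 9, 9],
                       "sha256": hashlib.sha256(payload).hexdigest()}).encode()
```

With `try_update(MANIFEST, UPDATE_PAYLOAD + b"\x00")` the in-transit tamper is caught, while `try_update(compromised_mirror_manifest(b"evil"), b"evil")` passes, which is exactly why the manifest itself must be signed and that signature checked against a key shipped with the client.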
uncle bill

> Right. Really what I want to say is that when a site doesn't bother to use https, it is likely that their security is generally weak, and they could be easy to hack.

I'm pretty sure what you say is wrong: I still use http on my site because I want the traffic to it to be easily sniffed and checked by everyone, just to make it easier for those who want to inspect it. I use an https connection only when I have to work on the site itself. What I want to say is that a WordPress site is likely to be hacked because of security flaws, not because it allows http connections instead of https.
 

AtlBo
Dec 29, 2014
> A good case study is the Malwarebytes update vulnerability described here: 714 - MalwareBytes: multiple security issues - project-zero - Monorail

Thanks for the information. Also, MBAM devs made this a higher than normal priority fix, and, judging from the linked blog announcement concerning the bug, surely there was renewed vigilance for the updating process of MBAM. Also sounds like it was something of a wake-up call in general, which is good, sometimes, even for the best of the best.
 
