Security Now Blog: Addressing Today's Information Security Issues

Disable Non-Microsoft/Apple Software Auto Update Features

by Eirik Iverson, Product Management

Short-cuts that software vendors take in their auto-update mechanisms let attackers take over computers. Many auto-update mechanisms neither authenticate the update server they talk to nor verify the integrity of what they download, which invites man-in-the-middle attacks that install malicious software. Presenters at DefCon 17 showed how disturbingly exposed you are.

Hackers Lie to Your Software when it Auto-Updates

Conceptually, the method is simple: attackers lie to the software that is updating itself. First, when the auto-updating software asks ‘are there updates for me?’, the attackers answer ‘yes’ (when attackers sit in the middle, the answer is always ‘yes’). Second, when the auto-update mechanism asks ‘are you one of my update servers?’, the answer is always ‘yes’ too. Third, when the software asks ‘is the file I just downloaded the update I need?’, the answer is once again ‘yes’.

This third lie deserves a little more explanation. Some update mechanisms employ SSL or HTTPS to reduce the risk from the first two lies. However, the vendor must also have in place a mechanism that cryptographically renders the third lie practically impossible. Ideally, all automated software updates would be digitally signed. Note that all three lies are man-in-the-middle attacks.
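The following is an added example (not code from the post or from any vendor mentioned in it) of what an update client needs in order to refuse all three lies: a manifest signed with a vendor key pinned in the client, and a digest check of the downloaded file against that signed manifest. The manifest layout, the Ed25519 choice and the ExampleApp product name are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the small signed record a vendor publishes with each update.
// Its layout is a constructed example, not any real updater's format.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the payload bytes
}

// SignManifest is the vendor-side release step; the private key never ships.
func SignManifest(priv ed25519.PrivateKey, m Manifest, payload []byte) ([]byte, []byte) {
	sum := sha256.Sum256(payload)
	m.SHA256 = hex.EncodeToString(sum[:])
	raw, _ := json.Marshal(m)
	return raw, ed25519.Sign(priv, raw)
}

// VerifyUpdate is the client-side check the post says many updaters lack: the
// manifest must verify under the vendor key pinned in the client, and the
// downloaded bytes must hash to the digest that signed manifest names. Nothing
// the network says ("yes, there is an update", "here is the file") is trusted
// until both checks pass, so a man-in-the-middle on the LAN gains nothing.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: untrusted server or altered manifest")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest digest malformed")
	}
	if got := sha256.Sum256(payload); !bytes.Equal(got[:], want) {
		return nil, errors.New("payload digest mismatch: download altered in transit")
	}
	return &m, nil
}
```

Calling VerifyUpdate with a swapped payload, or with a manifest signed by any key other than the pinned vendor key, returns an error before anything is installed; only the genuine manifest and file pair passes.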

When is a Computer Most At-Risk from a Man-in-the-Middle Attack?

The more shared a computer’s Internet access is, the greater the risk. So, if the computer in question is the only computer on the private side of a public IP address, no worries. That is not the case on public or insecure Wi-Fi, where any computer in radio range can join and thereby sit on the same LAN. Many cable modem Internet access architectures are ‘shared’, so that a number of neighbors are effectively on the same LAN, or Ethernet domain. DSL Internet access is generally limited to a single household or business.

This brings up the next risk factor. The factor above concerns unknown computers on the same LAN; the other major factor concerns the known ones. Consider a small business or a home with half a dozen computers on the LAN at any given time. If just one of those computers is malware-infected, it can serve as the man-in-the-middle node for these and other attacks.

Home users should be leery of performing auto-updates when there are other computers on the home network that may already be malware-infested. Business users should be just as wary on business networks. However, if the network administrators are equipped with, and know how to use, the right network tools, man-in-the-middle attack risks can be substantially lowered. My rule of thumb: if the business has fewer than 500 employees with computers in total, assume these network countermeasures do not exist. Another business factor is how many computers share each Ethernet domain. Ideally, businesses patch each Ethernet cable to its own switch port so that each computer is somewhat isolated from the others.

Note that the man-in-the-middle risk factors above are limited to the same LAN as the computer in question. Theoretically, man-in-the-middle attacks can also be conducted at the LAN router, via a wire tap on the physical transmission line, through a compromise at the ISP, at any server on the Internet that relays your packets, and so on. Life demands pragmatism, which prescribes simplifying assumptions. These off-LAN risks are very, very low. They also apply to any computer wherever it is connected, meaning one should behave the same regarding these off-LAN risks no matter where one’s computer is located.

What Software is Vulnerable to these Man-in-the-Middle Attacks?

Kotler and Bitton presented a short list of affected software products, but indicated that there are many others and that they had not surveyed the entire universe of software either. Also, I BELIEVE these responsible researchers only listed products that they knew were imminently correcting the man-in-the-middle vulnerabilities. They listed MalwareBytes, Alcohol 120, GOM Player, iMesh, Skype, Hex Workshop, and Adobe PDF Reader.

Another researcher asserted that Mozilla Firefox does not check the integrity of downloaded update files. Firefox 3.5.2 patches the man-in-the-middle vulnerability arising from the OCSP “Try Later” mistake. However, I have not confirmed that Firefox 3.5.2 introduced a robust integrity check.

Disable Auto-Update Features in All Software, Except…

Microsoft and Apple digitally sign their updates. Their auto-update crypto-systems are quite robust. Businesses and consumers should disable the auto-update features on ALL of the OTHER software on their computers. Only when an individual product is EXPLICITLY known to NOT be vulnerable should one re-enable auto-update.

When/How to Update Software Applications

The software on your computers isn’t smart enough to know whether there is a high or low risk of a man-in-the-middle attack. However, a human being who has read the “…Man-in-the-Middle Attack…” section above can make that determination. Ideally, businesses have deployed patch management tools and have already disabled auto-updates in individual applications.

Protect Computers with UnPatched Software Running

If one disables auto-updates for software, then the programming mistakes that security patches would eliminate, the ones that let attackers do terrible things, are left in place. I hope this bothers you a little. I also hope you realize that hackers can and do learn about some of these programming mistakes before the vendors do, or before the vendors create a patch. So, whether or not you heed this advice, every computer needs a new form of security software protection in addition to the traditional antivirus and anti-spyware software already on PCs.

Remember, anti-virus/spyware products can only stop KNOWN attacks, which are seldom less than a month old. Attackers use automated tools to crank out new variants in seconds, which ensures that no signatures exist for anti-virus/spyware to detect them. Botnets, for example, alter the signature of their outbound malware every 10 minutes.

AppGuard and EdgeGuard employ a far different and radically more practical approach to protecting computers. Anti-virus/spyware compares the nearly infinite variety of incoming files and communications against a massive signature list that grows larger with time. Setting aside the other ways AppGuard and EdgeGuard protect computers, they in effect place a software application within a force-field and block all write operations to places it should never touch, such as system resources. This allows the individual software applications to run as they were designed and spares end-users the guess-work and false positives inherent in alternative technologies. It amounts to simple, effective, low-CPU protection. Check out the white paper on AppGuard Technology to learn more.
