08 July, 2008


Have you updated your computer's anti-virus software today? Have you configured your desktop to automatically download and install its security updates?

Presumably, your answer is yes. But there is a problem with many updating systems, as a recent paper by three researchers at the University of Massachusetts makes alarmingly clear.

Many update systems, it seems, are themselves riddled with security vulnerabilities. In the paper, Professor Kevin Fu shows that the update systems in popular software packages like McAfee VirusScan and Mozilla Firefox can actually be used to take over a computer that's trying to update itself!

The so-called secure update problem is twofold, say the researchers. First and foremost, programs need some way of authenticating their updates, to establish that the updates are legitimate. But it is also critically important that programs have an authenticated connection to the update server.


An authenticated update means that there is some way for the software doing the update to assure itself that the update is an authentic version from the intended source. Without authentication, a clever attacker can arrange for the program doing the update to download and run an exploit instead.

In practice, updates should be authenticated with a digital signature: they should be signed with a private key. The matching public key should be embedded inside the application doing the update. Before the update is run, the application should verify the digital signature. If the signature doesn't verify, the update should be deleted.

The UMass researchers discovered that many programs don't authenticate their updates. This may not be so surprising, since lots of software has security vulnerabilities, after all. But what is surprising is that among the products that didn't have digitally signed updates were McAfee VirusScan and McAfee Virex, two anti-virus and anti-malware programs.

Exploiting the flaw is actually a lot easier than you might think. Most of these unsecured update systems simply go to a web or FTP server, check the time stamp of the most recent file, and download the file if it's new enough.

The address of the server is usually hard-coded into the program doing the update, although occasionally it is stored in a configuration file.

To exploit the flaw, all the attacker needs to do is send the program doing the update to a server that's run by the attacker. One way to send the program to the wrong site is by using a DNS-based attack.

Signing updates with a digital signature doesn't prevent hostile code from being downloaded, but it does prevent that code from being run. Unfortunately, this is only half the battle. Even if updates are signed, an attacker capable of intercepting DNS requests or diverting internet traffic can still use an update service to take over an unsuspecting victim's computer.

Another way that an attacker can subvert the update process is to run an update server that always responds "No updates today!" Clients will then connect, find no update, and disconnect, never knowing that they have been deceived. A well-placed attacker could prevent an entire organization from installing updates for a period of time, then attack all the vulnerable machines.
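The two defences the article describes, a signature checked against a public key embedded in the client and a guard against a server that keeps replaying a stale "nothing new" answer, as one added example in Go (not code from the paper or from any product named above). It assumes a hypothetical signed JSON manifest whose `Expires` field bounds how long any copy remains acceptable, so a replayed or frozen manifest is rejected once it ages out, and whose `Version` field lets the client refuse a rollback.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the hypothetical document the update server serves; the signature covers its JSON bytes.
type Manifest struct {
	Version int       `json:"version"`
	Expires time.Time `json:"expires"` // bounds how long a replayed copy stays acceptable
}

// Sign is the publisher side; the private key never leaves the vendor.
func Sign(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// Verify is the client side; pub is the key embedded in the application.
// It rejects a bad signature, an expired (replayed or frozen) manifest, and a rollback.
func Verify(pub ed25519.PublicKey, body, sig []byte, installed int, now time.Time) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("bad signature: discard update")
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	if now.After(m.Expires) {
		return m, errors.New("manifest expired: possible freeze or replay")
	}
	if m.Version < installed {
		return m, errors.New("older than installed version: possible rollback")
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	t0 := time.Now()
	body, sig := Sign(priv, Manifest{Version: 2, Expires: t0.Add(24 * time.Hour)})
	_, fresh := Verify(pub, body, sig, 1, t0)                   // genuine and fresh: nil
	_, stale := Verify(pub, body, sig, 1, t0.Add(48*time.Hour)) // same bytes replayed after expiry
	fmt.Println("fresh:", fresh, "| stale:", stale)
}
```

A manifest that says "no new version" (Version equal to the installed one) still has to be freshly signed, so a server that only ever repeats an old answer is caught as soon as that answer expires.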