Updating your software is a good thing, right? Not necessarily, according to one security researcher.
Radware's Itzik Kotler presented new research over the weekend at the Defcon conference detailing weaknesses in the update mechanism for hundreds of applications.
The update weaknesses could enable an attacker to hijack the update process and deliver infected updates to unsuspecting users.
According to Kotler, who demonstrated a tool he developed to show the flaw’s danger, the research aims not to make it easier for attackers but to raise awareness about how developers should secure their update mechanisms. Typically, updates rely on Hypertext Transfer Protocol (HTTP), the same protocol at the heart of the Web. But Kotler pointed out that HTTP connections can be diverted.
“Most people use HTTP because it’s easy to implement, but HTTP fundamentally has a problem, which is you can’t verify the integrity of the connection,” Kotler told InternetNews.com. “When you make a connection to a particular Web site, you trust your [Domain Name Server] to give you the right IP. This is the fundamental flaw we’ve used to hijack the update, basically returning a different response and diverting the update to our server.”
Kotler explained that the update attack he demonstrated is a man-in-the-middle (MiTM) attack that intercepts an update connection.
He added that almost every application in use today has some kind of updating feature and many are just using standard HTTP to connect. He also said he was surprised by the fact that most of the applications he investigated don’t have any further connection integrity or security, aside from attempting to connect to a specific hostname.
“With most of the download boxes that will pop up for updates, most users will click ‘Yes,’” Kotler said. “It’s natural for users to understand that the update procedure involves downloading and executing a file, so … most users will just simply click ‘Ignore’ [on a warning from their antivirus software] or accept the update.”
Kotler added that his research found over 100 popular applications, ranging from movie players to CD burning tools, that did not implement secure update mechanisms and could potentially be hijacked. He also said that it’s unclear which types of applications were most vulnerable.
“We’ve seen big vendors and small vendors,” he said. “It’s all a matter of how they perceive security in their products.”
The solution
While many companies are not doing updates securely, some vendors are. Properly using Secure Sockets Layer (SSL) is one potential way to limit the risk of update infections, Kotler said.
“We have seen some applications adopting SSL, but since the update process is often a background task where the user is not aware of the certification [i.e., whether a connection to a host is certified as legitimate,] there are some cases where the SSL is make-believe,” Kotler said. “But giving a proper SSL implementation that checks certification could be a nice solution.”
Another fix is the one used by Microsoft, which verifies each download. It’s one of several strategies the software giant has undertaken to combat the issue; at one point it offered a CD with updates instead of online updates to better protect users.
“Microsoft has been directly attacked in many different ways, and they couldn’t afford to do updates without proper security,” Kotler said. “In addition, Microsoft Update, which we found not to be vulnerable, is using an SSL signature mechanism, which means they store a public key and verify each download against a signed master MD5 hash.”
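The check described in the quote above (a public key stored in the client, each download verified against a signed hash), written out as an added example that is not code from Kotler, Microsoft or the original article. It substitutes SHA-256 and Ed25519 for the MD5 hash and unspecified signature scheme in the quote, since MD5 is no longer collision-resistant; the names `VerifyUpdate` and `SignManifest` and the one-line manifest format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("manifest signature does not match pinned key")
	ErrBadDigest    = errors.New("download does not match signed digest")
)

// VerifyUpdate treats the network (DNS, HTTP) as untrusted. manifest is the
// hex SHA-256 digest of the update file (a constructed, minimal format), sig
// is the vendor's Ed25519 signature over manifest, and pinned is the public
// key shipped inside the client.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, payload []byte) error {
	// 1. Authenticate the manifest before trusting anything it says.
	if !ed25519.Verify(pinned, manifest, sig) {
		return ErrBadSignature
	}
	// 2. Check the downloaded bytes against the authenticated digest.
	want, err := hex.DecodeString(string(manifest))
	if err != nil || len(want) != sha256.Size {
		return ErrBadDigest
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrBadDigest
	}
	return nil
}

// SignManifest is the vendor-side step, included so the example runs offline.
func SignManifest(priv ed25519.PrivateKey, payload []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(payload)
	manifest = []byte(hex.EncodeToString(sum[:]))
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	update := []byte("constructed update v2 contents")
	m, s := SignManifest(priv, update)
	fmt.Println("genuine: ", VerifyUpdate(pub, m, s, update))
	fmt.Println("tampered:", VerifyUpdate(pub, m, s, []byte("swapped payload")))
}
```

Because the signature is checked against a key already in the client, a diverted connection can change what is downloaded but cannot make it verify.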
Kotler plans to publicly release his tool so that others can check the integrity of their update mechanisms. The tool will be released under the open source GPLv3 license and is set to be available on Google Code.
Kotler explained that the first release of the application is just to show researchers what to look for and it will not list the 100-plus application updates that Kotler has already found to be vulnerable.
“We’re only trying to make a point — we’re not trying to throw attackers the keys so they can go hack and slash computers,” Kotler said. “Our motivation is about showing trends and what’s possible. We just want to educate the market and raise awareness of the issue.”