
Almost all useful software gets updated with time. Operating system updates, I "guess", might be less stringently checked by the normal anti-virus programs, since their sources could be considered to be fairly trustworthy. But what if the updates were in fact virus infected and anyway exceed the capability of the anti-virus programs employed? I ask this question because in recent news about a variant of Flame a security expert is said to have suspicions of the update system of a popular operating system being infiltrated by certain secret services. Is that an inherently hopeless issue?

Mok-Kong Shen

2 Answers


Updates are usually digitally signed with the private key of a digital certificate, which can be later verified by the operating system using an embedded public key. If the signature is invalid, the update is not installed.

In the case of Flame, they exploited the fact that Microsoft was using an MD5-based certificate on a particular code signing server. MD5 is vulnerable to collision attacks, which allowed the creators of Flame to create a fake certificate and sign their executables as being created by Microsoft. The certificate has since been revoked, and Microsoft have (supposedly) ensured that all their certificates now use SHA1 or better.

Polynomial
    Thanks for the explanation. Nonetheless IMHO software users are always "helpless" in the sense that they have to rely on the producers' having done a really good job, i.e. either trust or otherwise try to live without using certain pieces of software. – Mok-Kong Shen Sep 18 '12 at 17:42
  • @Mok-KongShen Unless they have the ability and aptitude to view the source code (usually unavailable, especially for Windows & Mac users) for every piece of software you install or update, and to understand what it all does and how it is going to interact with your OS, hardware, and other installed software (such all-encompassing talent is rare, if at all existing), then yes - software users will always be "helpless" at the hands of the software companies. It's effectively the same as when you turn your car over to a mechanic, or your finances over to an accountant. – Iszi Sep 18 '12 at 17:48
  • The digital signature is the key, though, that (presuming it's not compromised or spoofed, as with Flame) tells you the software did indeed come from the software vendor. That's as much assurance the vendor can ever give you, apart from releasing their code for you to review (which you then must understand). After this point, you must trust that the vendor has good coding practices with your security in mind, and does not have malicious intent. The digital signature does not certify the software is bug/vulnerability/malware-free - it just shows it was indeed published by the vendor it claims. – Iszi Sep 18 '12 at 17:52

(TL;DR section is in bold at the end.)

Software updates should be getting checked with real-time Antivirus, just the same as any other program that runs on your PC. Really, I don't expect that any Antivirus vendor would treat them in any special, exclusionary way. But, since the capability is there and it would serve to improve performance, I can't guarantee this for any or all products. In any case, the Antivirus is really your last line of defense against a malicious update - and, perhaps, the weakest.

The reason I say it is perhaps the weakest, is because most Antivirus products are signature-based. If someone has hacked an update system in such a way that their patch will cruise through the other defenses that should be in place, it's likely a new enough threat that the Antivirus vendors will not yet have a signature released. The lag time for new signatures may, if you're fortunate, be only a few hours but it could be a few days. The reason I say it's your last line of defense is because it only comes into action after the update has been downloaded, and/or while the update is attempting to execute. At this point in the process, the update should have passed through at least one or two other defense mechanisms.

Your first line of defense here, as with many other areas of security in general, is vigilance. Be personally aware of what updates are being released for your products, when they will be released, and how you should obtain them through official channels. Don't download updates from third-party websites, or trust third-party information regarding updates, without first verifying it directly on the vendor's website. Ideally, you should be able to leverage HTTPS on these websites to verify the identity of the hosts so that you can be confident your information sources are genuine. If you're getting an update pushed to you that the vendor has not stated you should expect, don't trust it.

Your second line of defense is digital signatures. As @Polynomial mentioned, software updates - especially when done through automated mechanisms - are usually digitally signed by the vendor, and verified by your OS and/or the software updater before being applied. A bad digital signature or an un-signed package should, at the very least, generate a warning dialog for your approval. Alternatively, it may just throw an error and cancel the update entirely. If an auto-updater detects a bad or missing signature, it should not by any means blindly proceed with the update. Yes, it is possible that a CA could get hijacked or a hash collision can result in a spoofed signature like with Flame. However, these attacks are relatively rarely possible and even more rarely viable. And, in the end, the first line of defense stated above should be raising red flags on these attacks before you even try to download the malware.

For software and OSes that do not have a built-in updating mechanism, you should be sure to download the updates only from the vendor's website or a third-party website explicitly defined on the vendor's site. Again, make sure to use and verify HTTPS on these sites where available. Many vendors and/or third-party download providers also have MD5 and/or SHA hashes of the update files on their websites. You can use this to perform a certain degree of validation on the file once you've downloaded it, but make sure to only trust a hash directly from the vendor themselves. Even then, without HTTPS on the vendor's site which provides the hashes, this is more about download integrity than it is file authenticity. Still, it does have some value towards defense-in-depth and it will also give you a nice heads-up in the case you happen to have a corrupted download. If the hash of the downloaded file doesn't match one provided by the vendor, don't run it.

Another defense, though it is very time consuming and not one commonly available to end-users, is personal code review. If the vendor releases their source code, and you have the tools and knowledge to view and understand that code, then you may wish to review it yourself for any obvious weaknesses or malicious activity. However, this requires a great amount of skill and knowledge to do effectively and does require a good deal of time. Additionally, it is very unlikely that you will be able to do this for all of your software and OS components. To do so, you would first have to ensure that you're only using Open Source software, then you must have a full understanding of every language used across all of these components, plus you need to have a solid grasp on secure coding practices and common vulnerabilities for each of these, and then you must have time to do all of this review before you actually install the software or apply the update.

A lot of the above comes down to what appears to be your primary concern and fear, and what you probably don't want to hear: You will, at some point and to some degree, inevitably have to trust the software vendors. Performing a full code review on every piece of software you put on your system is just plain impractical, if at all possible, if you ever want to have any free time to actually use the software - even if you have the skills to effectively perform such evaluations. Antivirus is not at all infallible - even if it were, you'd have to either trust the Antivirus vendor to provide you good updates or review every one of their updates as well. Digital signatures do nothing to actually prove that an update is bug-free, vulnerability-free, or non-malicious - they only prove that the update comes from the vendor it claims to have come from. The same goes for file hash verification which, again, can't even go so far as to verify author authenticity unless the site providing the hash is being run by the vendor over HTTPS.

In the end, for all practical purposes, the vendor's own integrity as well as your personal vigilance are really the only things that can protect you from a malicious software update. There is no single, easy, technical control that can be put in place to avoid this.

In Short:

  • Don't ever trust updates which cannot be verified by an announcement on the vendor's site, or other official channels.
  • Use digital signatures (on files and HTTPS websites) where available, to verify authenticity.
  • When available, verify hashes of downloaded files before running them.
  • If available, and if you have the necessary expertise and time, consider reviewing the source code.
  • Keep your Antivirus up to date, and running in real-time protection mode.
  • In the end, you will have to trust the software vendor to some extent.
Iszi
  • Thanks for the explanation of the reality. In the 1960's the code of the OS of a 'PC' could be printed out on a number of sheets of paper. Of course that time is entirely bygone. On the other hand cyberwars are now looming, as evidenced by Flame and Gauss. Since such attacks would have the powerful support of governments, the infiltration by secret agencies into commercial software firms IMHO couldn't be excluded. In this sense the privacy of common people is fairly open to risks of arbitrary attacks, though end-to-end encryption may alleviate the matter a tiny little bit, I would think. – Mok-Kong Shen Sep 18 '12 at 20:31
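The verification chain both answers describe (compare the download's digest with the published one, then check the vendor's signature using a public key embedded in the OS, and refuse to install on any mismatch), as an added Go example that is not part of either answer: the Ed25519 key pair, the update bytes and the version strings are constructed for illustration, and a second key pair stands in for anyone who can sign but does not hold the vendor's private key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vendor holds the signing key pair; only Public ships embedded in the OS.
type Vendor struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

func NewVendor() Vendor {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Vendor{Public: pub, private: priv}
}

// Sign hashes the update with SHA-256 and signs the digest; the digest is also what the vendor would publish beside the download.
func (v Vendor) Sign(update []byte) (digest [32]byte, sig []byte) {
	digest = sha256.Sum256(update)
	return digest, ed25519.Sign(v.private, digest[:])
}

// VerifyUpdate is the updater-side check: recompute the digest, compare it with the
// published one, then verify the signature with the embedded key. False means do not install.
func VerifyUpdate(embeddedPub ed25519.PublicKey, update []byte, published [32]byte, sig []byte) bool {
	digest := sha256.Sum256(update)
	if !bytes.Equal(digest[:], published[:]) {
		return false // corrupted or tampered download
	}
	return ed25519.Verify(embeddedPub, digest[:], sig)
}

func main() {
	vendor, attacker := NewVendor(), NewVendor() // attacker: any key but the vendor's
	update := []byte("constructed sample update payload v1.2.3")
	tampered := []byte("constructed sample update payload v1.2.4")
	digest, sig := vendor.Sign(update)
	_, forged := attacker.Sign(update)
	fmt.Println("genuine:", VerifyUpdate(vendor.Public, update, digest, sig))      // true
	fmt.Println("tampered:", VerifyUpdate(vendor.Public, tampered, digest, sig))   // false
	fmt.Println("other key:", VerifyUpdate(vendor.Public, update, digest, forged)) // false
}
```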