Does your software check for updates? You might be in trouble

Note: this article originally appeared in EnableSecurity Newsletter #0x0001. To subscribe send an email to newsletter@enablesecurity.com.

Most contemporary software attempts to perform automated updates for one thing or another. Maybe it’s a patch for the software itself, or simply a list of additional files that are required for day to day operations. Security software such as antivirus products needs to be updated automatically if it wants to protect against the latest threats straight away. Although most of these update mechanisms take no precautions against man in the middle attacks, no one seemed to care until the past few months.

It took the latest DNS cache poisoning flaw to make researchers and security folks sit up and realize that the upcoming patch might not be what it seems: if the attacker controls the name lookup for the update server, the attacker controls what the update client downloads. Then Evilgrade came out. This software is an exploitation framework which allows penetration testers to demonstrate upgrade related flaws in the following software:

  • Java plugin
  • Winzip
  • Winamp
  • MacOS
  • OpenOffice
  • iTunes
  • Linkedin Toolbar

Meanwhile, security advisories keep coming out identifying more software that is vulnerable to this attack:

I’m sure that this is only the tip of the iceberg and there is more to come.

Automated updates can be a life saver, and certain products cannot do without them (antivirus software, for instance). However, updates, and security updates in particular, should not be introducing a security hole of their own!

If you’re a software vendor, you have a responsibility to make sure that your automated updates are signed and verified in a secure manner: signed with a key that only you hold, and checked by the client against a public key it already carries before anything is installed. Relying on the update server’s hostname, or on the fact that the download came from “your” site, is exactly what DNS spoofing defeats.
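What “signed and verified in a secure manner” looks like in code, as an added example in Go that is not part of the original post and is not Evilgrade’s or any vendor’s code: the vendor signs an update manifest offline with Ed25519, and the client, which carries the vendor’s public key, checks the manifest signature, the payload digest and the version number before accepting anything. The hostname-only check beside it is the pattern a DNS spoofing attack walks straight through. The key pair, the `updates.example.com` URL and all payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the metadata the update server publishes. Nothing in it is
// trusted until the signature over its canonical encoding verifies.
type Manifest struct {
	Version int    // monotonically increasing release number
	URL     string // where to fetch the payload (an untrusted hint only)
	SHA256  string // hex digest of the payload this manifest vouches for
}

// canonical is the exact byte string that gets signed; vendor and client
// must encode identically or verification fails.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("version=%d\nurl=%s\nsha256=%s\n", m.Version, m.URL, m.SHA256))
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrBadDigest    = errors.New("payload digest does not match the signed manifest")
)

// Sign is the vendor-side step. It runs on the release machine that holds the
// private key, never on the update server, so redirecting clients to a fake
// server (or compromising the real one) yields no signing capability.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// InsecureAccept is the check Evilgrade-style attacks defeat: the client only
// confirms the manifest points at the vendor's hostname. With poisoned DNS the
// attacker's server answers for that hostname, so a fake update passes.
func InsecureAccept(vendorHost string, m Manifest) bool {
	return strings.HasPrefix(m.URL, "http://"+vendorHost+"/")
}

// VerifyUpdate is the hardened client-side check. pub is compiled into the
// client, so whoever answers the update request cannot substitute a manifest
// or payload without the vendor's private key, nor replay an old release.
func VerifyUpdate(pub ed25519.PublicKey, installed int, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return ErrBadDigest
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(want, got[:]) != 1 {
		return ErrBadDigest
	}
	return nil
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// RunScenarios plays out a genuine update and three things an attacker sitting
// between client and vendor can try. All payloads are constructed stand-ins.
func RunScenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	const installed = 41
	genuine := []byte("vendor build 42 (constructed sample payload)")
	m := Manifest{Version: 42, URL: "http://updates.example.com/app-42.bin", SHA256: digestHex(genuine)}
	sig := Sign(priv, m)

	results := map[string]error{}
	// 1. The real release verifies.
	results["genuine"] = VerifyUpdate(pub, installed, m, sig, genuine)
	// 2. Attacker keeps the signed manifest but serves a different binary.
	results["swapped-payload"] = VerifyUpdate(pub, installed, m, sig, []byte("evil build"))
	// 3. Attacker writes a manifest for the evil binary and signs it with their own key.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := []byte("evil build")
	em := Manifest{Version: 43, URL: m.URL, SHA256: digestHex(evil)}
	results["forged-manifest"] = VerifyUpdate(pub, installed, em, Sign(evilPriv, em), evil)
	// 4. Attacker replays a genuinely signed but older (vulnerable) release.
	old := []byte("vendor build 40")
	om := Manifest{Version: 40, URL: m.URL, SHA256: digestHex(old)}
	results["rollback"] = VerifyUpdate(pub, installed, om, Sign(priv, om), old)
	return results
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
	forged := Manifest{Version: 43, URL: "http://updates.example.com/app-43.bin"}
	fmt.Println("hostname-only check accepts forged manifest:", InsecureAccept("updates.example.com", forged))
}
```

Two design points worth noting: the signature covers the manifest rather than the raw binary so that version and digest are bound together (otherwise a signed old binary can be replayed against a newer client), and the public key lives in the client binary, not in anything fetched at update time, because the update channel is precisely what the attacker controls.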
