
The Risk of Programs That Update Automatically

Recently a number of software programs have appeared on the market which automatically update themselves by communicating over the internet with the program's developer.

As an example, the following are some of the auto-updating programs on my computer. (By mentioning them, I'm not trying to imply anything negative about the companies, just that the practice of auto-updating is becoming ubiquitous.)

Benefits

The updates may include "fabulous" new features.

The updates may fix problems that annoy, interfere with operation, or destroy data.

Most importantly, the updates may include security fixes. Leaving those vulnerabilities open would almost certainly result in your system being cracked. In the case of anti-virus software, not updating may result in the failure to detect new viruses which can arrive by email daily.

For most people, the benefits generally outweigh the risks which follow...

General Risks

A new bug introduced by the update could destroy data or open up new security holes. If everyone is updating at the same time, the support problems generated by a bad update could overwhelm the vendor. There is a reasonable argument for delaying updating and letting other people try out the update first (except in the case of serious bugs, or security fixes.) A feature that allowed rolling back the latest update would be nice (and Microsoft has included such a feature called "System Restore" in Windows XP.)

The update program itself may be buggy, or introduce unintended consequences. Tom from Australia writes that his company installed a number of copies of a program. The next day, every copy of that program tried to update itself simultaneously thus causing his network connection to be flooded.

The auto-update feature can be used as a lever by the software vendor to convert the software "one-time sale" model into a "subscription model" which is tapped right into your wallet. We already see this happening with anti-virus software, where it is a natural fit.

There are problems with using auto-update in the corporate environment. Systems administrators have difficulty in maintaining interoperability between systems. Files created with newer versions of programs are often not compatible with previous versions. Most corporate environments would prefer not to have interactive advertising inserted onto the corporate desktop.

Security Risks

The auto-update mechanism provides a new route for the introduction of malicious programs, which can be used to spy on the user. Malicious programs can download files, read the screen, monitor the keyboard, even listen through a microphone if one is connected.

Rather than a bona fide update, the auto-update feature could be used to send programs with undesired features. The activity of these updaters would not be detected by firewall tools, as they are expected to be periodically checking for updates and downloading them. Further, even the most careful reverse-engineering of the updater would not reveal anything unexpected, because the updater itself is benign; the unwanted behaviour arrives only in what it later downloads.

A third party could intercept the requests for updates and send a malicious program instead. This can be accomplished with a DNS hack, which would cause update requests to be sent to a different server. The attacker would also have to exploit some weakness in the communications protocol used for updating. These update protocols are proprietary, and therefore not open for peer security auditing. (As an example, a third party could trick the program into installing an older update which would appear valid, yet reintroduce a security hole that could be exploited.)
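The three checks an updater needs against the interception and "older update" scenarios above, shown as an added example that is not code from the original page or from any vendor it mentions. The manifest format, the HMAC stand-in for the vendor's signature (a real client would verify a pinned public key instead), and all sample payloads are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key. A real updater would
# verify a public-key signature with a key pinned in the client, so that a
# DNS hijack to a rogue server cannot produce manifests the client accepts.
VENDOR_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(manifest: dict) -> str:
    """Vendor side: sign the canonical (sorted-key JSON) manifest bytes."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, payload: bytes,
                  installed_version: int) -> str:
    """Client side. Returns 'ok' or the reason the update was rejected.

    Each check defeats one attack described in the text:
      1. signature       -> a rogue server cannot forge or alter a manifest
      2. version must rise -> an old, genuinely signed update cannot be replayed
      3. payload hash    -> the bytes downloaded are the ones the manifest names
    """
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return "rejected: bad signature"
    if manifest["version"] <= installed_version:
        return "rejected: rollback to version %d" % manifest["version"]
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return "rejected: payload hash mismatch"
    return "ok"


def make_release(version: int, payload: bytes):
    """Vendor helper: build and sign a manifest for a payload (constructed)."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest)


if __name__ == "__main__":
    old_payload, new_payload = b"program v1 (constructed)", b"program v2 (constructed)"
    old_manifest, old_sig = make_release(1, old_payload)
    new_manifest, new_sig = make_release(2, new_payload)
    print(verify_update(new_manifest, new_sig, new_payload, installed_version=1))
    # Replay of the older, validly signed release: rejected as a rollback.
    print(verify_update(old_manifest, old_sig, old_payload, installed_version=2))
    # Manifest altered in transit (version bumped): signature no longer matches.
    print(verify_update(dict(new_manifest, version=3), new_sig, new_payload, 1))
```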

The software company could send any program that they choose. We are to trust that the company would not send anything that we would object to. However, various companies have violated this trust, for example to spy on the browsing habits of the customer for marketing purposes, or to remove controversial features.

(June 2002) Who is in control of your computer? "A recent software update for Microsoft's Windows Media Player requires users to permit the automatic installation of undisclosed future anti-piracy measures." See the New Scientist article.

(November 2002) Who is in control of your Xbox? There is an active community of hobbyists who like to modify and improve their Xbox gaming consoles. Microsoft issued an automatic update to the console that detects modifications. If modifications are detected, the serial number of that Xbox is barred from online gaming... forever. The Register article.

This is a sneak preview of the kind of things we can expect once the Trusted Computing Platform Alliance and Microsoft Palladium ship. Note that it is not *you* who are meant to trust the platform; it exists for the benefit of the vendor and content providers.

(April 2002) Microsoft issued an update of their Windows Messenger program via their auto-update. I had never signed up for Messenger, and had disabled it. Previously, though, I had signed up for a Passport account which I used only on the Microsoft Developer site. The automatic update notification (that pops up) read, "Microsoft strongly recommends that you download this update, even if you do not use Windows Messenger." After the update, Messenger had been started, set to start every time Windows booted, and signed on with my email address, ready to receive instant messages. On a machine without Passport activated, after installation, Messenger runs, but prompts you to "Add your .NET Passport to Windows XP!... You need a Passport to use Windows XP Internet communications..."

(To disable Windows Messenger, choose: Tools / Options / Preferences / Uncheck "Run this program when Windows starts" and uncheck "Allow this program to run in the background.")

Under a wiretap warrant, the government could compel the software company to send a spy program in the guise of an update. The FBI is known to have developed a program, "Magic Lantern" (Bob Sullivan - MSNBC), which can be installed over the internet on a suspect's computer. As reported by Sullivan, Magic Lantern logs keystrokes to capture the passwords for otherwise unbreakable encryption. Risking discovery, the FBI physically broke into the offices of a suspect and installed the software. Other methods that are mentioned include tricking the suspect into installing the program sent in an email, or utilizing a known security weakness in the suspect's computer. However, these methods would be unreliable and risk tipping off the suspect. The auto-update method, with the cooperation of a software company, would be 100% effective.

It seems like software companies would be reluctant to cooperate, as it would damage their reputation with foreign government and private industry customers. However, consider the case of Crypto AG, a cryptographic machine manufacturer that added a secret backdoor to their product for decades.

The auto-update vulnerability is a compelling argument for using open-source software which can be audited for security problems before installation. However, as pointed out by Ken Thompson in his classic ACM paper, "You can't trust code that you did not totally create yourself."

Miscellaneous Risks

Programs that download and display advertisements could be used as a point of entry by the company. The advertising program on the PC could be triggered in a pre-arranged way to download an "update" instead of an advertisement.

Email clients could be provided with an intentional backdoor. Unintentional ones abound. Just email the client a secret code, and the client is triggered to download an "update" or install an attached program.

Further Reading

windows1984.com Will the next version of Microsoft Windows give complete control of your computer to Microsoft?

D.I.R.T. - Data Interception by Remote Transmission software offered to law enforcement agencies.

FBI and Pentagon quiz Microsoft on Windows XP security flaw

Auto-Updating and ReplayTV from comp.risks 21.34

Questions, comments? Email me (the address in the graphic at the top.)

© 2006 Scott Schram (Disclaimer)