Finally - fixing the updater vulnerability
August 4th 2008 07:30 pm
One of my personal nightmares is in the automatic software updating mechanism that infests every significant modern software package. It’s a huge vulnerability.
Many vendors ignored the problem because they hadn’t seen a real exploit. In a recent article, Security Fix reports on a researcher in Argentina who has built a working one, so vendors are (finally!) paying attention.
In these days of commercialized hacking, it makes sense to armor plate the whole software distribution pipeline, from the vendor’s build machine to the update check on the customer’s desktop. It’s about time.
Francisco Amato of Buenos Aires has built a toolkit that feeds bogus “update available” notices to applications that fetch updates without checking that the answer really came from their vendor. Anyone who can impersonate the update server to such an application can hand the victim whatever code he likes, and the application will cheerfully install it. The targets include Java, OpenOffice, and WinZip. I use the first two, which annoys me no end. And it seems like I’m always getting Java update announcements.
The technology for correcting this weakness is obvious: digital signatures. The vendor signs each update (or a manifest that names the update and its hash) with a private key, the application carries the matching public key, and the application refuses to run anything whose signature doesn’t verify. A spoofed update server then gets nowhere, since it can’t produce the vendor’s signature. The fix only works if the public key is built into the application rather than fetched over the same untrusted channel as the update, and if the check also rejects a genuinely signed but older version being replayed. Microsoft implemented it years ago - I suspect that some customers demanded it. This is one of those special occasions where Microsoft did the right thing early as compared to others.
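As an added example, not code from the original post or from any vendor named in it, here is what that check looks like in Go: the update server publishes a small signed manifest, and the client verifies it against a public key pinned in the application before it looks at the version number or touches the payload. The product name “example-app”, the version numbers and the payload bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest describes one update. The vendor signs its JSON form; the client
// verifies that signature with a pinned public key before trusting any field.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the update payload
}

// SignedManifest is what an update server hands out: the exact manifest
// bytes plus an Ed25519 signature over them.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// SignManifest is the vendor-side step, run on the release machine that
// holds the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client-side step. The caller must not execute the
// payload unless this returns nil, which requires: a valid signature under the
// pinned vendor key, the expected product name, a version strictly newer than
// the installed one (no rollback), and a payload digest matching the manifest.
func VerifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, payload []byte, product string, installed int) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return m, fmt.Errorf("manifest signature does not verify under the pinned vendor key")
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	if m.Product != product {
		return m, fmt.Errorf("manifest is for %q, expected %q", m.Product, product)
	}
	if m.Version <= installed {
		return m, fmt.Errorf("version %d is not newer than installed %d, rollback refused", m.Version, installed)
	}
	if got := sha256.Sum256(payload); hex.EncodeToString(got[:]) != m.SHA256 {
		return m, fmt.Errorf("payload digest does not match the signed manifest")
	}
	return m, nil
}

// RunScenarios builds a constructed update for a hypothetical "example-app",
// then tries the genuine path and the three attacks the check is meant to
// stop. It reports which cases the client accepted.
func RunScenarios() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // vendor's release key
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)       // key of whoever spoofs the update server
	payload := []byte("#!/bin/sh\necho 'installing example-app 3'\n") // constructed stand-in for an installer
	digest := sha256.Sum256(payload)
	genuine := Manifest{Product: "example-app", Version: 3, SHA256: hex.EncodeToString(digest[:])}
	signed, _ := SignManifest(vendorPriv, genuine)

	accepts := func(sm SignedManifest, p []byte, installed int) bool {
		_, err := VerifyUpdate(vendorPub, sm, p, "example-app", installed)
		return err == nil
	}
	results := map[string]bool{}
	results["genuine update"] = accepts(signed, payload, 2)
	// A spoofed server pushes a bogus "version 99 available" notice; it can only
	// sign with a key of its own, which does not verify under the pinned key.
	bogus := genuine
	bogus.Version = 99
	forged, _ := SignManifest(attackerPriv, bogus)
	results["forged manifest"] = accepts(forged, payload, 2)
	// The manifest is genuine but the payload was swapped in transit.
	tampered := append([]byte(nil), payload...)
	tampered[0] ^= 0xff
	results["tampered payload"] = accepts(signed, tampered, 2)
	// A genuinely signed but old release is replayed to a client already at v3.
	results["rollback"] = accepts(signed, payload, 3)
	return results
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-17s accepted=%v\n", name, ok)
	}
}
```

Running it prints one line per case, and only the genuine update comes back accepted. The thing to notice is the order of the checks: the signature is verified before the manifest is even parsed, so a spoofed server can’t influence the version comparison or the digest the client goes looking for. A real updater would also have to protect the signing key and plan for rotating it, which a single pinned key by itself doesn’t give you.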
Apple didn’t bother to correct this vulnerability in their own update process until last winter. Perhaps they realize that some people are finally taking them seriously.