DEFCON 17 Hacking Conference Presentation By Itzik Kotler and Tomer Bitton P.2

  / sec.art   | http://www.security-art.com/ |   / security-art  

Malware Attacks the Software Update Process
How performing a software update can hijack your system.

12/01/2009
by Itzik Kotler

Imagine that you're sitting in an airport, waiting at the gate for your flight to board. There's free Wi-Fi high-speed Internet access in the terminal and you're taking this opportunity to go on with reading your documents and answering e-mails. The laptop is up and running and in minutes you're logged-in to your company's VPN (virtual private network). Meanwhile in the background, your favorite video player application has detected that there is network connectivity and it also takes the opportunity to do its periodic check for a newer version available for download.

Software updates are a great way for software vendors to bring their customers the latest experience of their bug-free, security-patched, and new feature-armed software, but depending on where you execute the update and how much effort the software vendor invested in its update process, it could also be a great way to catch a malware.

In the past, software updates were distributed over floppy disks and CDs. Today, most vendors publish their updates on their Web sites and program their applications to access and download the update either automatically or with user approval.

The risk in a software update via network connection is that an attacker can intercept the requests or updates via "man-in-the-middle" attacks and send malware instead, exploiting the expected check for new updates and download mechanism to introduce a new route for malwares and rootkits. This vulnerability also affects mobile phone and PDA applications that enable updating.

Chronicle of Vulnerability

There are network environments that are more prone to man-in-the-middle attacks than others. For example, unencrypted public Wi-Fi access points (such as in airports and coffee shops) are insecure, enabling an attacker within a few yards to monitor and inject traffic. Other techniques that could be used for subverting a software update are DNS cache poisoning vulnerabilities and the old ARP spoofing attack over Ethernet, to name a few.


There is no standard for software update processes, so every software vendor implements it in his application as he sees fit. A software update is vulnerable if it does not employ a digital signature scheme. That is because without one it's nearly impossible for the application to authenticate or verify the integrity of the update response or download.

The two most common and popular types of implementations of a software update use the HTTP protocol for communication and downloading. However, the HTTP protocol does not provide any digital signature scheme option and so the majority of the software updates are, in fact, vulnerable to this attack.