To patch or not to patch
Keeping your system updated with the latest patches is a standard piece of cyber security advice. But have you ever thought about what would happen if the update service itself were compromised?
Cyber security advice generally consists of three things — use a strong password, use up-to-date anti-virus software, and, most importantly, always keep your system updated with the latest patches. And since there is hardly any software that does not need patches, patching has become an accepted and routine task.
But have you ever thought about what would happen if the update service is compromised? Well, this actually happened: a man-in-the-middle attack delivered a malicious executable signed with a ‘rogue, but technically valid Microsoft certificate’ in order to spread Flame, the spy malware which infected computers in Iran and other countries in the Middle East for at least two years before detection. The malware spread by impersonating Microsoft Update. The computers implicitly trusted the certificate that had signed the patch and therefore allowed it to be downloaded and installed. Microsoft has since revoked that particular certificate, studied the vulnerability that allowed this to happen, and issued a patch. A patch to correct a patch!
An unrelated advisory (reproduced below) from the FBI has warned travellers about malware being installed on laptops through software updates offered over hotel Internet connections. “Travelers attempting to set up the hotel room Internet connection are presented with a pop-up window notifying the users to update a widely used software product. If any user clicked to accept the update, malicious software was installed on the laptop.”
There are a number of attack tools that can spoof software update prompts. One of them is the toolkit Evilgrade, which lets attackers install malicious programs by exploiting weaknesses in the auto-update feature of many popular software titles — it is capable of hijacking the update process of more than 60 popular programs. Notable among them are Skype, VMware, Winamp, Java and VirtualBox. The attacker targets programs that do not verify digital signatures on their product updates. This allows the attacker to impersonate the source and fool the user into believing that a genuine patch is being downloaded.
If the software vendor signs its updates with a cryptographic key that has not been compromised, and if the client actually verifies that signature so that the check cannot be bypassed by a tool like Evilgrade, the update process can be trusted. But, as happened in the case of Flame, the cryptographic key itself might be compromised.
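The two conditions above can be made concrete in code. The following Go program is an added example, not code from the article or from any vendor it names: a minimal update verifier that installs nothing unless the package carries a valid signature from a key the client already trusts, and that rejects a key the vendor has revoked even though its signatures still verify mathematically (the step Microsoft took after Flame). The Update and TrustStore types, the key identifier "vendor-2012" and the sample payloads are constructed for the example; it uses Ed25519 from Go's standard library rather than X.509 certificates, but the logic is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sentinel errors: each names a distinct reason an update must not be installed.
var (
	ErrUnsigned     = errors.New("update carries no signature")
	ErrUnknownKey   = errors.New("update signed by a key this client does not trust")
	ErrRevokedKey   = errors.New("update signed by a revoked key")
	ErrBadSignature = errors.New("signature does not match payload")
)

// Update is a hypothetical update package: the bytes to install, plus the
// signature and the identifier of the key that produced it.
type Update struct {
	KeyID   string
	Payload []byte
	Sig     []byte
}

// TrustStore is the client's pinned set of vendor signing keys and the list
// of keys the vendor has since revoked. Both ship with the client; they are
// never fetched over the same channel the updates arrive on.
type TrustStore struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (ts *TrustStore) AddKey(id string, pub ed25519.PublicKey) { ts.keys[id] = pub }
func (ts *TrustStore) Revoke(id string)                          { ts.revoked[id] = true }

// Verify is the only gate before an update is installed. The revocation
// check comes before the signature check on purpose: a revoked key still
// produces mathematically valid signatures, which is exactly why it was revoked.
func (ts *TrustStore) Verify(u Update) error {
	if len(u.Sig) == 0 {
		return ErrUnsigned // an unsigned update is indistinguishable from a spoofed one
	}
	if ts.revoked[u.KeyID] {
		return ErrRevokedKey
	}
	pub, ok := ts.keys[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, u.Payload, u.Sig) {
		return ErrBadSignature
	}
	return nil
}

// GenerateSigner creates a vendor key pair. In practice the private half lives
// in the vendor's signing infrastructure and never reaches a client.
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor-side step: sign the exact bytes that will be
// installed, so any modification in transit invalidates the signature.
func SignUpdate(keyID string, priv ed25519.PrivateKey, payload []byte) Update {
	return Update{KeyID: keyID, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// Tamper models an update whose payload was swapped in transit while the
// original signature stayed attached; Verify must reject it.
func Tamper(u Update, replacement []byte) Update {
	return Update{KeyID: u.KeyID, Payload: replacement, Sig: u.Sig}
}

func main() {
	pub, priv := GenerateSigner()
	ts := NewTrustStore()
	ts.AddKey("vendor-2012", pub)

	// Constructed sample payloads for the demonstration.
	genuine := SignUpdate("vendor-2012", priv, []byte("constructed sample update v1.2.3"))
	fmt.Println("genuine:", ts.Verify(genuine))
	fmt.Println("tampered:", ts.Verify(Tamper(genuine, []byte("constructed replaced payload"))))
	fmt.Println("unsigned:", ts.Verify(Update{KeyID: "vendor-2012", Payload: genuine.Payload}))

	ts.Revoke("vendor-2012") // the vendor learns the key can no longer be trusted
	fmt.Println("after revocation:", ts.Verify(genuine))
}
```

Two design points matter in practice. First, the trust store and the revocation list must be part of the client (or fetched and themselves verified against a separate, longer-lived root), because a list downloaded unauthenticated over the update channel could be spoofed by the same man-in-the-middle. Second, the signature is computed over the exact bytes that will be executed, so a payload swap in transit fails the check rather than relying on the user to notice anything.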
How do you protect your computer in such a scenario? There is not much you can really do in the worst case, where the trusted certificate itself has been compromised. We can only hope that this does not happen too often. As the news reports say, Flame was probably created by a ‘nation state actor’ for cyber espionage and infected fewer than 1,000 computers in a specific geographic area. Of course, the fact remains that there was a vulnerability which was exploited by this ‘nation state actor,’ and it could equally have been exploited by other clever attackers.
Against the more plausible threat of attack tools like these, we can protect ourselves by taking some precautions:
Do not use an untrusted network, wired or wireless, to update software.
Do not respond to pop-ups that mysteriously appear on your screen urging you to update your programs.
Update software programs only when connected to your trusted network.
Download the software directly from the vendor’s website.
If you use an auto-update feature, disable it while you are travelling.
Until now we have been wary of phishing; now we need to be even more worried, and careful, about patching.