To patch or not to patch

Keeping your system updated with the latest patches is standard cyber security advice. But have you ever thought about what would happen if the update service itself were compromised?

InformationWeek - Technology & Risks - Avinash Kadam. Avinash Kadam is an Information Security Trainer, Writer and Consultant. He can be contacted via e-mail at avinash@awkadam.com

Cyber security advice generally consists of three things: use a strong password, use up-to-date anti-virus software and, most important, always keep your system updated with the latest patches. Since there is hardly any software that does not need patches, patching has become an accepted and routine task.

But have you ever thought about what would happen if the update service itself is compromised? This actually happened. Flame, the espionage malware that infected computers in Iran and other countries in the Middle East for at least two years before it was detected, spread across local networks by impersonating Microsoft Update. A man-in-the-middle component intercepted update requests and delivered a malicious executable signed with what the reports called a ‘rogue, but technically valid Microsoft certificate’: a certificate that chained up to a Microsoft root through Microsoft’s Terminal Server licensing infrastructure, which was never meant to sign code, and which on newer versions of Windows could only be abused by exploiting a collision weakness in the MD5 hash algorithm. The victim computers implicitly trusted the certificate that had signed the ‘patch’ and so allowed it to be downloaded and installed. Microsoft has since revoked the certificates involved, studied how the abuse was possible, and issued an update that removes them from the trusted store. A patch to correct a patch!

An unrelated advisory from the FBI (quoted below) has warned travellers about malware getting installed on laptops through software updates offered over hotel Internet connections: “Travelers attempting to set up the hotel room Internet connection are presented with a pop-up window notifying the users to update a widely used software product. If any user clicked to accept the update, malicious software was installed on the laptop.”

There are a number of attack tools that can spoof software update prompts. One of them is the Evilgrade toolkit, which lets an attacker install malicious programs by exploiting weaknesses in the auto-update feature of many popular software titles, and which is capable of hijacking the update process of more than 60 programs, notably Skype, VMware, Winamp, Java and VirtualBox. Evilgrade breaks no cryptography: once the attacker is in a position to answer the program’s update check, for example by spoofing DNS on a shared network, it impersonates the update server and serves a fake update to programs that do not verify a digital signature on their updates. This lets the attacker impersonate the source and fool both the program and the user into believing that a genuine patch is being downloaded.

If the software vendor signs its updates with a cryptographic key that has not been compromised, and the updater actually verifies that signature before installing anything rather than trusting whatever the download server sends, a tool like Evilgrade has nothing to exploit and the update process can be trusted. But, as happened in the case of Flame, the key or certificate itself might be compromised or forged, and then the client’s checks pass exactly as they would for a genuine update.
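As an added example (not from the article, and not any vendor’s real updater), the following Go program contrasts an updater of the kind Evilgrade preys on with one that verifies a pinned Ed25519 signature over the version and installer hash, then walks through the attacks described above: a hotel-Wi-Fi-style payload swap, an attacker-signed update, a replay of an old update, and the Flame situation where the attacker holds a key the client already trusts, so only revocation by the vendor helps. The product name, update format, keys and installer strings are constructed for the example; it uses only Go’s standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what arrives over the (possibly hostile) network: an installer, the
// version the vendor claims it is, and a signature over both. Constructed format.
type Update struct {
	Version   int
	Payload   []byte
	Signature []byte // Ed25519 signature over statement(Version, Payload)
}

// statement is the exact byte string the vendor signs: product, version and the
// SHA-256 of the installer, so none of them can be swapped independently.
func statement(version int, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(fmt.Sprintf("demo-viewer v%d sha256=%x", version, sum[:]))
}

// Publish is the vendor side: sign the statement with the vendor's private key.
func Publish(priv ed25519.PrivateKey, version int, payload []byte) Update {
	return Update{Version: version, Payload: payload, Signature: ed25519.Sign(priv, statement(version, payload))}
}

// ApplyUnsigned models the updaters Evilgrade targets: whatever the network
// delivers is installed. It returns the bytes that would be executed.
func ApplyUnsigned(u Update) []byte { return u.Payload }

// Client is what a hardened updater keeps locally: the pinned vendor keys and
// the installed version, so it can refuse downgrades and replays.
type Client struct {
	Trusted   []ed25519.PublicKey
	Installed int
}

var (
	ErrBadSig    = errors.New("no pinned key verifies this update")
	ErrDowngrade = errors.New("version not newer than installed: replay or downgrade")
)

// ApplySigned trusts nothing about the channel. A swapped installer, a forged
// version or an attacker-signed update all fail the signature check against the
// pinned keys; a replayed genuine update fails the version check.
func (c *Client) ApplySigned(u Update) ([]byte, error) {
	msg := statement(u.Version, u.Payload)
	verified := false
	for _, pub := range c.Trusted {
		if ed25519.Verify(pub, msg, u.Signature) {
			verified = true
			break
		}
	}
	if !verified {
		return nil, ErrBadSig
	}
	if u.Version <= c.Installed {
		return nil, ErrDowngrade
	}
	c.Installed = u.Version
	return u.Payload, nil
}

// Demo runs the attacks the article describes against both updaters. Keys are
// generated on the spot; the installers are constructed strings.
func Demo() (unsignedRanMalware bool, results map[string]error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	leakedPub, leakedPriv, _ := ed25519.GenerateKey(rand.Reader) // second vendor key the attacker obtains
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	malware := []byte("constructed: malicious installer")
	c := &Client{Trusted: []ed25519.PublicKey{vendorPub, leakedPub}, Installed: 1}
	genuine := Publish(vendorPriv, 2, []byte("constructed: genuine installer v2"))
	results = map[string]error{}
	// Hotel Wi-Fi / Evilgrade: the man in the middle swaps the installer.
	unsignedRanMalware = string(ApplyUnsigned(Update{Version: 2, Payload: malware})) == string(malware)
	// The same swap against the signed updater: genuine signature, wrong bytes.
	swapped := genuine
	swapped.Payload = malware
	_, results["swapped payload"] = c.ApplySigned(swapped)
	// The attacker signs with a key of their own.
	_, results["attacker key"] = c.ApplySigned(Publish(attackerPriv, 2, malware))
	// The real update installs; replaying it afterwards is refused.
	_, results["genuine"] = c.ApplySigned(genuine)
	_, results["replay"] = c.ApplySigned(genuine)
	// Flame-style: the attacker signs with a key the client already trusts. Every
	// check passes and nothing on the client can tell; only revocation helps.
	_, results["leaked key"] = c.ApplySigned(Publish(leakedPriv, 3, malware))
	c.Trusted = []ed25519.PublicKey{vendorPub} // revocation: the vendor's fix drops the abused key
	_, results["after revocation"] = c.ApplySigned(Publish(leakedPriv, 4, malware))
	return unsignedRanMalware, results
}

func main() { fmt.Println(Demo()) }
```

The point of the signed statement is that the signature binds the version and the installer hash together, so the man in the middle can neither swap the payload under a genuine signature nor re-serve an old, once-genuine update. The leaked-key case is the one the article calls the worst case: the hardened client accepts it, and only the revocation step changes the outcome.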

How do you protect your computer in such a scenario? There is not much you can really do in the worst case, where the trusted certificate itself has been compromised: every check on the client passes, and only the vendor revoking the certificate closes the hole. We can only hope that this does not happen too often. As the news reports say, Flame was probably created by a ‘nation state actor’ for cyber espionage and infected fewer than 1,000 computers in a specific geographic area. Of course, the fact remains that there was a vulnerability which this ‘nation state actor’ exploited, and it could equally have been exploited by other clever attackers.

Against the more common attack tools, we can protect ourselves by taking some precautions:

Do not use an untrusted network, wired or wireless, to update software.

Do not respond to pop-ups that mysteriously appear on your screen urging you to update programs, especially ones that appear the moment you connect to a new network.

Update software programs only when connected to your trusted network.

Download software directly from the vendor’s website.

If you are using an auto-update feature, disable it while you are travelling.

So far we have been wary of phishing; now we need to be just as careful about patching.
