PC Pro

Trusted software taken to cleaners

Exploits in legitimate apps such as CCleaner have rocked trust in software vendors. So where does that leave us humble users?

SOFTWARE FIRMS ARE facing a crisis of trust if they can’t protect the delivery mechanisms used to distribute their wares online, say security experts.

The warning comes after a wave of malware infections was passed on to end users by reputable software companies after their distribution systems were compromised.

The latest attack affected security company Avast, which recently bought system scrubber CCleaner – software that has millions of users globally and is a particular threat because it has access to Registry files. Hackers sabotaged CCleaner for at least a month, inserting a backdoor into updates to the application that landed on some two million PCs.

“In the CCleaner case, we have a legitimate bit of software being distributed directly from the vendor, and it seems to have been compromised in a similar way to a recent Ukrainian accounts software update that contained malware,” said Simon Edwards of security software assessment firm SE Labs.

“If the vendor has been breached then, as a consumer, there’s not really much you can do. It’s really down to the vendor to manage its source code and verification.”

The hackers appear to have compromised CCleaner’s update distribution servers or the fail-safe mechanisms that should ensure any code sent out matches what’s been written by its developers.

This new, growing method of malware delivery raises tricky questions about the model for receiving software from trusted companies and what happens if people lose confidence in once trusted software packages. “The harms of this CCleaner hack extend far beyond the two million users who were directly affected,” explained Gennie Gebhart, security researcher at the Electronic Frontier Foundation, in a blog post.

“Supply chain attacks undermine users’ trust in official sources, and take advantage of the security safeguards that users and developers rely on.”

Who to trust?

The latest attacks have left the professionals urgently reviewing advice to consumers. “The basic security [advice] was to always start with a clean system and install from trusted media,” said Edwards. “Don’t use cracked stuff, get a proper copy of Windows and other software, and at least the software you are starting with is clean.

“That’s maybe an old-fashioned idea now. The idea of trusted media is changing.”

Software updates such as the one Avast released for CCleaner are typically signed with the developer’s unspoofable cryptographic key, but clearly something (as yet unknown) went wrong.
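As an added illustration, not code from the article or from Avast, the Go program below shows what the signed-update check described above does and does not catch: a file swapped on the download server after signing fails, but a build that was backdoored before it reached the signing step passes. The key pair, version string and installer bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: a version and the SHA-256 of the
// update file, so one signature covers an installer of any size.
type Manifest struct{ Version, SHA256 string }

func (m Manifest) bytes() []byte { return []byte(m.Version + "\n" + m.SHA256 + "\n") }

func hashHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// signRelease is the vendor side: hash the build and sign the manifest.
func signRelease(priv ed25519.PrivateKey, version string, build []byte) (Manifest, []byte) {
	m := Manifest{Version: version, SHA256: hashHex(build)}
	return m, ed25519.Sign(priv, m.bytes())
}

// verifyUpdate is the client side: the manifest must carry a valid signature
// from the pinned vendor key, and the downloaded bytes must hash to it.
func verifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if hashHex(payload) != m.SHA256 {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine := []byte("constructed installer bytes")
	backdoored := []byte("constructed installer bytes + injected backdoor")
	m, sig := signRelease(priv, "1.0.0", genuine)
	// Download server compromised after signing: the swapped file fails the hash check.
	fmt.Println("genuine:", verifyUpdate(pub, m, sig, genuine))
	fmt.Println("swapped after signing:", verifyUpdate(pub, m, sig, backdoored))
	// Build or signing step compromised: the backdoor is what gets signed, and the
	// client check passes. A signature proves who signed, not that the source was clean.
	m2, sig2 := signRelease(priv, "1.0.0", backdoored)
	fmt.Println("signed at source:", verifyUpdate(pub, m2, sig2, backdoored))
}
```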

The CCleaner attack was the third to use a supply-chain mechanism to

BELOW Hackers sabotaged CCleaner for at least a month, landing malware on around two million PCs
