Wednesday, September 30, 2009

Secure Updates?

Currently I'm looking into secure automatic updates for a .net program I'm developing. I've asked on stackoverflow for people to review my approach to the update process here. In the process I've come across some interesting articles on automated updates and I thought I'd review how other applications go about it.


<java-update-map version="1.0">




<information version="1.0" xml:lang="en">
<caption>Java Update - Update Available</caption>
<title>Java Update Available</title>
<description>Java 6 Update 15 is ready to install. Click the Install button to update Java now. If you wish to update Java later, click the Later button. To get a FREE copy of, the global standard in free, Microsoft compatible office productivity software, just click the More Information link below.</description>
<AlertTitle>Java Update Available</AlertTitle>
<AlertText>A new version of Java is ready to be installed.</AlertText>
<moreinfotxt>More information...</moreinfotxt>
<options>/installmethod=jau SP1OFF=1 SP2OFF=1 SP3OFF=1 SP5OFF=1 SP6OFF=1 SP7OFF=1 SP8OFF=1 SP10OFF=1 MSDIR=ms4 NEWMSTB=1 SPWEB=</options>



; 3.xx manifest



3.36.3158.38068_Name=Paint.NET v3.36

3.50.3550.40197_Name=Paint.NET v3.5 Beta 1 (Build 3550)

  • This manifest file and the associated binaries don't appear to be signed in any way. Update: Rick Brewster has commented to say that the downloaded binary is signed and the signature is verified.



  • iTunes posts a big blob of data back to Apple on startup checking for updates - I didn't look into this much.
  • Google Chrome also posts back information when checking for updates. My version of Chrome was up to date so I didn't see the update process in action.
  • Firefox was already in the process of downloading a new version so I had already missed the file download negotiation.


It seems like everyone is doing automatic updates differently (no surprises there). It also looks like there is plenty of scope for man in the middle and spoofing attacks if the downloaded binaries aren't signed or don't have their signatures. It doesn't seem like many people are checking their manifest files before downloading binaries which could lead to Safari style "carpet bombing" where malicious binaries are downloaded onto the system.


Rick Brewster said...

The Paint.NET installer is signed, and the signature is verified.

Luke Quinane said...

Thanks Rick, I've updated the details on