Currently, I'm looking into secure automatic updates for a .NET program I'm developing. I've asked on Stack Overflow for people to review my approach to the update process. Along the way I've come across some interesting articles on automated updates, and I thought I'd review how other applications go about it.
Java
- Downloads http://java.sun.com/update/1.6.0/map-1.6.0.xml which has details of various updates:
  <java-update-map version="1.0">
    <mapping>
      <version>1.6.0-rc-b98</version>
      <url>http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_15-b71.xml</url>
    </mapping>
    <mapping>
      <version>1.6.0</version>
      <url>http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_15-b71.xml</url>
    </mapping>
    ...
  </java-update-map>
- Then downloads the specific file given in the 'url' element (e.g: http://javadl-esd.sun.com/update/1.6.0/au-descriptor-1.6.0_15-b71.xml):
  <java-update>
    <information version="1.0" xml:lang="en">
      <caption>Java Update - Update Available</caption>
      <title>Java Update Available</title>
      <description>Java 6 Update 15 is ready to install. Click the Install button to update Java now. If you wish to update Java later, click the Later button. To get a FREE copy of OpenOffice.org, the global standard in free, Microsoft compatible office productivity software, just click the More Information link below.</description>
      <moreinfo>http://java.com/infourl</moreinfo>
      <AlertTitle>Java Update Available</AlertTitle>
      <AlertText>A new version of Java is ready to be installed.</AlertText>
      <moreinfotxt>More information...</moreinfotxt>
      <url>http://javadl-alt.sun.com/u/ESD6/JSCDL/jre/6u15-b71/jre/jre-6u15-windows-i586-iftw.exe</url>
      <version>1.6.0_15-b03</version>
      <post-status>https://sjremetrics.java.com/b/ss//6</post-status>
      <cntry-lookup>http://jal.sun.com/webapps/installstat/CountryLookup</cntry-lookup>
      <predownload></predownload>
      <options>/installmethod=jau SP1OFF=1 SP2OFF=1 SP3OFF=1 SP5OFF=1 SP6OFF=1 SP7OFF=1 SP8OFF=1 SP10OFF=1 MSDIR=ms4 NEWMSTB=1 SPWEB=http://javadl-esd.sun.com/update/1.6.0/sp-1.6.0_15-b71</options>
      <urlinfo>6068ce6c957932593d20059bebab0dfc8b056ac3</urlinfo>
    </information>
    ...
  </java-update>
- It does download a file from VeriSign which may be a check for the downloaded binary, e.g. http://ocsp.verisign.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRODEXefhs%2FUZFum2o8YfzOFwceMwQUkz5j3yJ0BOBkhDHd2yOfDq%2B2TZMCEA89qsgV9niZmSI6gIO0S%2FU%3D
Paint.net
- Downloads http://getpaint.net/updates/versions.5.600.x86.en.txt which looks like this:
; 3.xx manifest
DownloadPageUrl=http://www.getpaint.net/download.html
StableVersions=3.36.3158.38068
BetaVersions=3.50.3550.40197
3.36.3158.38068_Name=Paint.NET v3.36
3.36.3158.38068_NetFxVersion=2.0.50727
3.36.3158.38068_InfoUrl=http://www.getpaint.net/roadmap.html#v3_0
3.36.3158.38068_ZipUrlList=http://www.getpaint.net/updates/zip/Paint.NET.3.36.zip
3.36.3158.38068_FullZipUrlList=http://www.getpaint.net/updates/zip/Paint.NET.3.36.zip
3.50.3550.40197_Name=Paint.NET v3.5 Beta 1 (Build 3550)
3.50.3550.40197_NetFxVersion=3.5.1
3.50.3550.40197_InfoUrl=http://paintdotnet.forumer.com/viewtopic.php?f=46&t=31684
3.50.3550.40197_ZipUrlList=http://www.getpaint.net/files/zip/preview/Paint.NET.3.5.Beta.3550.Update.zip,http://www.dotpdn.com/files/Paint.NET.3.5.Beta.3550.Update.zip
3.50.3550.40197_FullZipUrlList=http://www.getpaint.net/files/zip/preview/Paint.NET.3.5.Beta.3550.Install.zip,http://www.dotpdn.com/files/Paint.NET.3.5.Beta.3550.Install.zip
This manifest file and the associated binaries don't appear to be signed in any way. Update: Rick Brewster has commented to say that the downloaded binary is signed and the signature is verified.
Skype
- Checks for updates by querying: http://204.9.163.158/ui/0/4.0.0.227./en/getnewestversion?ver=4.0.0.227&uhash=143c299d62b6baac1f30936f72dd4683f
4.1.0.166
- Downloads the update file: http://163-158.static.quiettouch.com/ui/0/4.0.0.227./en/upgrade
- Unless the downloaded binary's signature is checked, this would be vulnerable to a man-in-the-middle attack.
Other
- iTunes posts a big blob of data back to Apple on startup checking for updates - I didn't look into this much.
- Google Chrome also posts back information when checking for updates. My version of Chrome was up to date so I didn't see the update process in action.
- Firefox was already in the process of downloading a new version so I had already missed the file download negotiation.
Summary
It seems like everyone is doing automatic updates differently (no surprises there). It also looks like there is plenty of scope for man-in-the-middle and spoofing attacks if the downloaded binaries aren't signed or don't have their signatures checked. It doesn't seem like many people are checking their manifest files before downloading binaries, which could lead to Safari-style "carpet bombing" where malicious binaries are downloaded onto the system.
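One way to check a manifest before downloading anything, as an added example (not code from Paint.NET or from the original post): it parses an excerpt of the Paint.NET manifest quoted above and reports download URLs that are not HTTPS or that point outside an allowlist, plus versions whose entries carry no hash or signature field. The `trusted_hosts` allowlist, the issue labels and the field-name heuristic are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Excerpt of the manifest quoted above, embedded so the example runs offline.
SAMPLE_MANIFEST = """\
; 3.xx manifest
StableVersions=3.36.3158.38068
BetaVersions=3.50.3550.40197
3.36.3158.38068_Name=Paint.NET v3.36
3.36.3158.38068_ZipUrlList=http://www.getpaint.net/updates/zip/Paint.NET.3.36.zip
3.50.3550.40197_InfoUrl=http://paintdotnet.forumer.com/viewtopic.php?f=46&t=31684
3.50.3550.40197_ZipUrlList=http://www.getpaint.net/files/zip/preview/Paint.NET.3.5.Beta.3550.Update.zip,http://www.dotpdn.com/files/Paint.NET.3.5.Beta.3550.Update.zip
"""

def parse_manifest(text):
    """Return {key: value}; ';' lines are comments, values may contain '='."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def audit_manifest(text, trusted_hosts):
    """Return (version, issue, detail) findings to review before downloading."""
    entries = parse_manifest(text)
    versions = [v for k in ("StableVersions", "BetaVersions")
                for v in entries.get(k, "").split(",") if v]
    findings = []
    for version in versions:
        prefix = version + "_"
        fields = {k[len(prefix):]: v for k, v in entries.items() if k.startswith(prefix)}
        # Assumption: an integrity field would be named *Hash* or *Signature*.
        if not any("hash" in f.lower() or "signature" in f.lower() for f in fields):
            findings.append((version, "no-integrity-field", ""))
        for field, value in fields.items():
            if not field.endswith("UrlList"):
                continue
            for url in value.split(","):
                parts = urlsplit(url.strip())
                if parts.scheme != "https":
                    findings.append((version, "not-https", url))
                if parts.hostname not in trusted_hosts:
                    findings.append((version, "untrusted-host", url))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, {"www.getpaint.net"}):
        print(finding)
```

A "no-integrity-field" finding only describes the manifest; a signature check on the downloaded binary, as Paint.NET does, is a separate step.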
2 comments:
The Paint.NET installer is signed, and the signature is verified.
Thanks Rick, I've updated the details on Paint.net.