Auto Updates

  • Auto Updates

    A few weeks ago, I installed "AVG" on my WinXP machine.

    Today, when I started the AVG, it automatically downloaded executable files from their website and installed them without asking me. AFTER the upgrade, a message "Application successfully upgraded!" was displayed.

    If I'm not mistaken, it should be easy for an attacker to use (e.g.) DNS poisoning to redirect an "auto-update website such as the AVG website" to his own webserver, offer his own version of the AVG update with a very high version number, and just wait for the victim to start up AVG (default option: autostart with Windows startup), auto-download and auto-execute whatever he wants to (trojan horses, network sniffers, viruses, etc.). If the functionality of the original AVG was preserved, the victim wouldn't even notice he was under attack.

    What security measures would possibly stop such an attacker?

    Note: Many software vendors offer online upgrades. It just sounds like a bad idea to me to allow this update without asking the user, and without any authentication.

  • #2
    When you install AVG, it asks if you want it to upgrade automatically. Uncheck the box. It didn't do this without your knowledge. You just didn't read every dialog of the install.
    Liberty not only means that the individual has both the opportunity and the burden of choice;
    it also means that he must bear the consequences of his actions.
    Liberty and responsibility are inseparable.

    - Friedrich Hayek


    • #3
      Yes, in theory that's possible - but odds are they wouldn't pick an a/v company with a lot less traffic than, let's say.... windowsupdate...

      I can think of a few ways to stop it, none of which are really cheap, and they would require good coding skills. If I were implementing it, I'd add two schemas to the software - one for this very reason, the other to stop warez from propagating by those who create serial gens or cracks. I'd start with random error bits inserted into the CD, creating a unique executable size that will still install, run and update properly. The hashes generated in some fashion by said schema would then relay the pairs to an authenticating server on first net connection - based on the pair, it would decide whether or not to allow said download of updates, and if it did, it would then send info back to the box about to receive the update with what exactly to expect, and the format of the file with another hash to verify, with error bytes packed in based on the two hashes in the database - if the hashes didn't check, it wouldn't install.

      It's more than possible, but not 100% foolproof by any means; however, it would take a lot more coordination to guess and predict random hashes and the schema used than many will invest.... if the hashes are sent to and from the authenticating server with a proprietary or newer schema... i.e. ARCS stream... they have no chance whatsoever of pulling it off without having insane computing power... and would be government.

      My 2 cents,
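      The question asks what would stop a spoofed update server, and post #3 sketches verifying the download against hashes held by an authenticating server before installing. The following is an added example (not code from this thread, nor from AVG or any real updater) showing the standard form of that idea: the vendor signs a manifest (version plus SHA-256 of the payload) with a private key, and the client verifies it against a public key compiled into the program. Whoever controls DNS or the web server then controls only the bytes in transit, not the key, so a tampered payload, a forged "version 9999" manifest, or a replayed old release is refused before anything executes. The key pairs, version numbers and payload strings are constructed for the demo; in a real client the vendor public key would be pinned at build time and the private key kept offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the update server hands the client before the payload.
// Version and PayloadSHA256 are covered by Signature, made with the vendor's
// private key; the matching public key is pinned in the client.
type Manifest struct {
	Version       uint32
	PayloadSHA256 [32]byte
	Signature     []byte
}

// manifestBytes is the exact byte string that is signed and verified: the
// version (big-endian) followed by the payload hash. Binding the version in
// stops an attacker from pairing a genuinely signed hash with a bogus version.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 4+32)
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// SignManifest is the vendor-side step: hash the payload and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	h := sha256.Sum256(payload)
	return Manifest{
		Version:       version,
		PayloadSHA256: h,
		Signature:     ed25519.Sign(priv, manifestBytes(version, h)),
	}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned vendor key")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
	ErrNotNewer     = errors.New("manifest version is not newer than the installed version")
)

// VerifyUpdate is the client-side check that must pass before the payload is
// run. The signature is checked first, so a server the attacker controls
// (DNS poisoning, a look-alike domain) cannot make the client act on a
// manifest the vendor never signed; the version check refuses rollbacks and
// replays; the hash check catches a payload swapped after signing.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installedVersion uint32, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinnedPub, manifestBytes(m.Version, m.PayloadSHA256), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installedVersion {
		return ErrNotNewer
	}
	if h := sha256.Sum256(payload); !bytes.Equal(h[:], m.PayloadSHA256[:]) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed keys: the vendor's pinned key and a separate attacker key.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("constructed sample: genuine update payload, version 2")
	m := SignManifest(vendorPriv, 2, genuine)
	fmt.Println("genuine update:   ", VerifyUpdate(vendorPub, 1, m, genuine))

	// Server compromised or spoofed: payload swapped, manifest left as signed.
	fmt.Println("tampered payload: ", VerifyUpdate(vendorPub, 1, m, []byte("not the real payload")))

	// Attacker signs a "very high version number" manifest with their own key.
	forged := SignManifest(attackerPriv, 9999, []byte("not the real payload"))
	fmt.Println("forged manifest:  ", VerifyUpdate(vendorPub, 1, forged, []byte("not the real payload")))

	// Replaying an old but genuinely signed release is refused as well.
	fmt.Println("rollback attempt: ", VerifyUpdate(vendorPub, 2, m, genuine))
}
```

      The checks are ordered so that the cheapest rejection an unauthenticated server can trigger is a signature failure; nothing downstream (version, hash, execution) runs on unsigned input. Post #3's concern about attackers obtaining the secret still applies: if the vendor's signing key leaks, this scheme offers no protection, which is why the private key belongs on an offline signing host, not on the update server.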


      • #4
        I wonder if anyone has copied the code from windows update dot com and made their own site with a very close spelling, like wondowsupdate dot com. That way a typo may go unnoticed and a trojan can be loaded.