Slashdot Mirror


Auto-Updates - Proactive or Begging for Abuse?

narzy asks: "To me one of the most important steps to keeping a computer secure is keeping the system's software up to date. The problem I run into is that more and more of the applications in everyday use are web enabled in some context or another, making them high targets for attack and exploitation. I am beginning to find it difficult to keep clients' computers completely up to date. I find that applications that have an auto update, such as my anti-virus Nod32 which updates every day on its own, a real blessing. It's a feature that is an option, but an option that I personally wish was in a lot more software. Windows has this feature (so does Linux if you want it to); however, in the case of Windows it's not exactly all that consistent. Unfortunately it opens another can of worms that isn't so enjoyable, that being companies who abuse such a system for advertising purposes, modifying the software in such a way as to reduce or change its functionality either because of internal decisions or external pressures from 3rd parties, and compromise and abuse of the server the company uses to distribute the updates. But is it worth the added risk to know that 95%+ of the time your software is up to date? It's not a cure-all, but is it or is it not better than a reactive approach?"


  1. I just use Autoupdate.. by NanoGator · · Score: 4, Insightful

    ...and keep in mind that shit happens.

    I would also suggest, though, that you'll never ever have a secure reliable system. Your computer can always be stolen or struck by lightning. A hard drive can fail. Etc. If you take the approach of "My computer could spontaneously combust" and deal with it that way, then you're in a far better world. Even the worst virus wouldn't cause you to lose your data.

    --
    "Derp de derp."
  2. The real concern by greywar · · Score: 3, Insightful

    The real concern I think is some guy finding a way to hack one of these. With an 8 hr waiting period... if it then simultaneously reformatted everything.

    Imagine Windows Update hacked. I update daily; let's assume 100 million other folks worldwide do. Within 8 hrs 33 million computers are infected... and reformat themselves.

    THAT'S my concern

  3. apt-secure, don't let packages upgrade themselves by ijones · · Score: 5, Insightful

    "Apt-Secure" has a nice sense of "which package sources are trusted". That means, APT maintains a list of places to get packages from. Some of these sources are trusted, and their packages can be cryptographically verified to be truly from those sources.

    If there's a new version of a package from an "untrusted" source, it'll ask you if you're sure you want to upgrade that package.

    I think it's silly to have packages go and upgrade themselves, especially where each package has its own way to perform the upgrade, and you have to trust each vendor's security implementation (instead of a single central one). A bunch of packages running off and upgrading themselves, each with its own security model (if any), is a great way to open yourself up to a man-in-the-middle attack several times a day. The OS should handle this in a consistent, secure way that the administrator can understand.

    peace,

    isaac
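The trust chain the comment above describes, as an added worked example (not apt's own code): a Release file signed by the source's key pins the hash of the Packages index, the index pins the hash of each package, and a package from a source whose key is not in the trusted keyring is flagged for an explicit decision instead of being installed. Real APT checks an OpenPGP signature on Release; here an HMAC-SHA256 with a per-source key stands in for that signature (an assumption so the example runs on the standard library alone). The source names, keys and package bytes are constructed.

```python
"""Toy model of apt-secure's trust chain. Added example, not apt's code.

Assumption: an HMAC-SHA256 over the Release body stands in for the OpenPGP
signature APT actually verifies. The hash chain below it (Release pins the
Packages index, the index pins each package) mirrors the real layout.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed trusted keyring: source name -> verification key.
# A source absent from this dict is "untrusted" in the apt-secure sense.
TRUSTED_KEYS = {
    "debian-security": b"constructed-key-debian-security",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(release: bytes, key: bytes) -> str:
    # Stand-in for the detached OpenPGP signature (Release.gpg / InRelease).
    return hmac.new(key, release, hashlib.sha256).hexdigest()


def make_repo(source: str, key: bytes, packages: dict[str, bytes]) -> dict:
    """Build a toy repository: package blobs, a Packages index, a signed Release."""
    packages_index = "".join(
        f"Package: {name}\nSHA256: {sha256(blob)}\n\n"
        for name, blob in sorted(packages.items())
    ).encode()
    release = f"Origin: {source}\nPackages SHA256: {sha256(packages_index)}\n".encode()
    return {
        "source": source,
        "release": release,
        "release_sig": sign_release(release, key),
        "packages_index": packages_index,
        "packages": dict(packages),
    }


def parse_stanza(text: str) -> dict[str, str]:
    return dict(line.split(": ", 1) for line in text.splitlines())


def verify_package(repo: dict, name: str) -> str:
    """Return 'ok', 'untrusted-source', 'bad-signature' or 'hash-mismatch'.

    Order matters: the Release signature is checked before any hash, so an
    attacker who can alter files in transit (the man-in-the-middle case in the
    post) cannot substitute an index or Release that matches a tampered package.
    """
    key = TRUSTED_KEYS.get(repo["source"])
    if key is None:
        return "untrusted-source"  # apt would prompt the administrator here
    if not hmac.compare_digest(repo["release_sig"], sign_release(repo["release"], key)):
        return "bad-signature"
    release = parse_stanza(repo["release"].decode())
    if release["Packages SHA256"] != sha256(repo["packages_index"]):
        return "hash-mismatch"
    expected = {}
    for stanza in repo["packages_index"].decode().strip().split("\n\n"):
        fields = parse_stanza(stanza)
        expected[fields["Package"]] = fields["SHA256"]
    if expected.get(name) != sha256(repo["packages"][name]):
        return "hash-mismatch"
    return "ok"


def demo() -> dict[str, str]:
    """Run the genuine case and four tampering scenarios; all inputs constructed."""
    genuine_blob = b"constructed package bytes v1"
    trojan_blob = b"constructed trojaned package bytes"
    good = make_repo("debian-security", TRUSTED_KEYS["debian-security"],
                     {"openssh-server": genuine_blob})
    # MITM swaps the package body but cannot touch the signed index.
    swapped = {**good, "packages": {"openssh-server": trojan_blob}}
    # MITM also rewrites the Packages index; Release still pins the old index hash.
    forged_index = {**swapped, "packages_index":
                    f"Package: openssh-server\nSHA256: {sha256(trojan_blob)}\n\n".encode()}
    # MITM rewrites Release as well, but cannot produce a valid signature for it.
    forged_release = {**forged_index, "release":
                      f"Origin: debian-security\nPackages SHA256: "
                      f"{sha256(forged_index['packages_index'])}\n".encode()}
    # A mirror the administrator never added to the keyring, even if self-consistent.
    untrusted = make_repo("random-mirror", b"constructed-key-random-mirror",
                          {"openssh-server": genuine_blob})
    return {
        "genuine": verify_package(good, "openssh-server"),
        "swapped_package": verify_package(swapped, "openssh-server"),
        "forged_index": verify_package(forged_index, "openssh-server"),
        "forged_release": verify_package(forged_release, "openssh-server"),
        "untrusted_source": verify_package(untrusted, "openssh-server"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The point of the ordering in `verify_package` is the one the comment makes: a single, central verification path means every package, from every vendor, gets the same check, and an attacker sitting between the client and the mirror has to forge the signing key itself rather than just a file.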

  4. In many years of computing by Muggins+the+Mad · · Score: 2, Insightful

    I've had several more cases of "security" patches breaking my systems through changes to things not related to the security issue than I have of being hacked/infected/spywared.

    So I couldn't in good faith recommend auto-update on any system where the supplier has a history of this.

    Maybe when the software industry is mature enough to release security patches that *only* contain a security patch I'd think about it. I expect I'll be a long time waiting.

    Ok, so some free *nix distros do, and that's nice, but these generally aren't the ones getting infected all over the place.

    Plus, as someone else mentioned, having an auto-updater interrupt the one game of UT2004 you've managed to fit in this week is just not on.

    I don't understand how certain software suppliers are finding this so hard. Release a patch that fixes the security issue. Only the security issue. Make it small. Make auto-updaters check for updates when the screensaver kicks in. Duh.

    - MugginsM

  5. Re:It's all about how lazy you are... by yotaku · · Score: 2, Insightful

    That's all very great sounding. But unfortunately sometimes it's not that easy to find out exactly what an update does. Take this from Apple's website on a security update:

    Security Update 2004-05-03 for Mac OS X 10.3.3 "Panther" and Mac OS X 10.3.3 Server AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
    [http://docs.info.apple.com/article.html?artnum=61798]

    Improved the handling of long passwords, huh? Doesn't sound that big of a deal; I don't have a terribly long password. Maybe I'll skip it. Oh what? I just left a remotely exploitable buffer overflow bug unpatched! Sometimes it's not all that easy to find out exactly what a patch does. And companies try too hard to sound like they have no real issues, sometimes making important updates not sound as important as they really are.

    It's easy to see how come everyone thinks Mac OSX is so secure if this is how serious security issues are presented.

  6. autoupdating apps are annoying.. by Suppafly · · Score: 2, Insightful

    Autoupdating as it is used by most apps is just annoying.

    Certain things need to be updated frequently, such as operating systems and antivirus programs. Programs like QuickTime and Real don't need to be updated more than a few times a year, and yet they try to have tray icons running all the time. Generally these autoupdating utilities are used to steal file associations every time you try to change them back to Media Player or Winamp.

    It's one thing for an app to look for updates (after asking you) once you open it, but it is a complete waste of resources for every app to have a tray icon using a few megs of ram to periodically download updates.

  7. Re:It's all about how lazy you are... by flonker · · Score: 3, Insightful

    local root exploit + remote non-root exploit = remote root exploit

    Not always, but often enough to count.