The Update Conundrum – How do you know updates are safe?
First, let me say: Bitsum updates are safe! This article is in reference to a theoretical industry-wide mechanism of exploit, not Bitsum updates!
Next, let’s answer the question: How do you know if updates are safe? Well, they most certainly are for 99.99% of people, so you should absolutely keep your PC and other systems/apps up to date!
The problem is that while we all want to apply the latest updates to our OS and applications, and *should* for proper security if nothing else, there is, sadly, a counter-weight to that advice, and it applies to every OS and application.
You see, the NSA (as shown in the Snowden leaks), malware authors, and other bad actors who want to take control of a system have noticed an opportunity in the update cycle. In fact, it’s a prime opportunity: the client reaches out on a schedule, downloads executable code, and runs it, usually with administrative privileges.
If they can forge the DNS answer for the update host so that the name resolves to a server they control, then they control the update cycle. Ordinary DNS answers carry no authentication at all, so anyone who can see the query (on the local network, at the ISP, or at a poisoned resolver) can supply that answer.
And, yes, they can do this. Even if SSL/TLS is used, most platforms trust well over a hundred root CAs, and a certificate for the update host issued by any one of them (compromised, coerced, or simply careless) will be accepted by the client as genuine; the bad actor does not have to break the crypto, only obtain one such certificate. Unless the client pins the certificate or key it expects, nothing in ordinary certificate validation would catch this. EV (Extended Validation) certificates (the ones with the larger green bars) are sometimes suggested as the answer, but an automated update client does no EV-specific checking, and even then, I don’t think EV SSL certificates would be a problem (can discuss in comments).
Once the bad actor’s server is posing as the update server, they can sit in the middle of the real traffic and/or clone the entire server, serving you the updates THEY would like you to have. They can even initiate the update process themselves by telling the OS or application that a new version is available. They may even send the ‘right’ update, but bundle an additional payload with it.
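The attack above, and the check that defeats it, as an added example (not Bitsum’s code or any vendor’s real updater): a hypothetical update client in Go fetches a manifest and an installer from whatever server the name resolved to. The naive client trusts the manifest because the connection “looked right”; the hardened client verifies an Ed25519 signature over the manifest against a public key pinned in the binary, then checks the installer’s SHA-256 against the signed manifest. Everything here (the manifest format, the product name, the installer bytes, the “extra payload”) is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the format is constructed for this
// example and is not any vendor's real one.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// SignedManifest is the manifest plus an Ed25519 signature from the vendor's
// release key, which lives offline and never sits on the update server.
type SignedManifest struct{ Manifest, Signature []byte }

// UpdateServer stands in for whatever host the DNS answer sent the client to;
// a bad actor who has hijacked the name controls both fields.
type UpdateServer struct {
	Signed  SignedManifest
	Payload []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
	ErrBadDigest    = errors.New("payload digest does not match the signed manifest")
)
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// signManifest is what the vendor's release pipeline does once, offline.
func signManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	raw, _ := json.Marshal(m) // cannot fail for a struct of plain strings
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// checkDigest parses a manifest and compares the payload against the digest it advertises.
func checkDigest(raw, payload []byte) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if digest(payload) != m.SHA256 {
		return nil, ErrBadDigest
	}
	return payload, nil
}

// naiveFetch models the vulnerable client: the TLS handshake succeeded, so it trusts
// whatever manifest came back and checks only the digest the server itself chose.
func naiveFetch(srv UpdateServer) ([]byte, error) {
	return checkDigest(srv.Signed.Manifest, srv.Payload)
}

// verifiedFetch is the hardened client: the vendor's public key is pinned in the
// binary, so a forged DNS answer plus a CA-issued certificate no longer suffices.
func verifiedFetch(pinned ed25519.PublicKey, srv UpdateServer) ([]byte, error) {
	if !ed25519.Verify(pinned, srv.Signed.Manifest, srv.Signed.Signature) {
		return nil, ErrBadSignature
	}
	return checkDigest(srv.Signed.Manifest, srv.Payload)
}

// buildScenario constructs the vendor key, the genuine server and an attacker's clone.
func buildScenario() (pinned ed25519.PublicKey, genuine, cloned UpdateServer, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor release key
	if err != nil {
		return nil, genuine, cloned, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // the only key an attacker has
	if err != nil {
		return nil, genuine, cloned, err
	}
	installer := []byte("constructed sample installer bytes, version 2.1.0")
	// The clone advertises a newer version so the client starts the update by itself,
	// and serves the right installer with an extra payload bundled on the end.
	trojan := append(append([]byte{}, installer...), " <extra payload>"...)
	genuine = UpdateServer{signManifest(priv, Manifest{"example-app", "2.1.0", digest(installer)}), installer}
	cloned = UpdateServer{signManifest(attackerPriv, Manifest{"example-app", "9.9.9", digest(trojan)}), trojan}
	return pub, genuine, cloned, nil
}

func main() {
	pinned, genuine, cloned, err := buildScenario()
	if err != nil {
		panic(err)
	}
	_, err = naiveFetch(cloned)
	fmt.Println("naive client, cloned server:     ", err) // <nil>: trojan accepted
	_, err = verifiedFetch(pinned, cloned)
	fmt.Println("verified client, cloned server:  ", err) // signature error
	_, err = verifiedFetch(pinned, UpdateServer{genuine.Signed, cloned.Payload})
	fmt.Println("verified client, swapped payload:", err) // digest error
}
```

The pinned key is the trust anchor: it replaces “whoever DNS and the CA system say you are” with “whoever holds the vendor’s release key”, which is why neither a forged DNS answer nor a mis-issued certificate helps the attacker here. A platform code-signing check on the installer (Authenticode on Windows, for instance) does the same job only if the client checks *which* signer signed it, not merely that some trusted signer did. What the example does not cover is an attacker who replays a genuinely signed manifest for an older, vulnerable version (rollback) or keeps serving a stale one (freeze); frameworks such as The Update Framework (TUF) add expiry and version checks for that.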
Sound spooky? Well, it is.
Should you disable updates? Absolutely NOT. Generally speaking, this rare attack is something that only criminals, spies, and high-level ‘players’ need to worry about. That said, I have noticed malware which installs itself as a purported Java update for Windows.
Regardless, for Internet-exposed systems you must install security patches, because once a vulnerability has been made public, the scanning for unpatched systems begins immediately, and you normally don’t want to be one of those unpatched systems!
This is one of the issues DNSSEC would greatly mitigate. DNSSEC is a set of DNS extensions that let a resolver verify that an answer was signed by the zone’s owner and was not modified in transit. It does not encrypt queries, so it does nothing against surveillance, but it does close the forged-answer door described above. Plain DNS answers carry no authentication whatsoever, and therein lies both the problem and the shape of the solution. Note the limit, though: DNSSEC protects name resolution only. An attacker sitting on the network path between you and the real server never needs to touch DNS, so the update payload itself still has to be signed and verified against a key the client already trusts. The good news is that you can use DNSSEC today, though you may have to go to some trouble. I’ll leave that to the comments section.
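What an application can actually observe about DNSSEC, as an added example that is not part of the original post: the Go code below parses a raw DNS response and reports whether the resolver set the AD (Authenticated Data) bit and whether any RRSIG records came back in the answer. The two responses it inspects are constructed sample messages for a made-up name, updates.example.com; the parser itself is general wire-format handling, including name-compression pointers.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header flag bits (RFC 1035 §4.1.1; AD from RFC 4035 §3.2.3) and record types.
const (
	flagQR    = 0x8000 // message is a response
	flagAD    = 0x0020 // authenticated data: the resolver validated the answer
	typeA     = 1
	typeRRSIG = 46
)

// Verdict is what a raw response tells an application about DNSSEC.
type Verdict struct {
	Authenticated bool // AD bit set by the resolver
	RRSIGs        int  // signature records in the answer section
}

// skipName advances past a wire-format name, including compression pointers
// (RFC 1035 §4.1.4), so pointer bytes are never misread as record fields.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0:
			return off + 2, nil // pointer: two bytes and the name ends here
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// inspectResponse parses the header, skips the question section and counts
// RRSIG records in the answer section of a raw DNS response.
func inspectResponse(msg []byte) (Verdict, error) {
	var v Verdict
	if len(msg) < 12 {
		return v, errors.New("short header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	if flags&flagQR == 0 {
		return v, errors.New("not a response")
	}
	v.Authenticated = flags&flagAD != 0
	qd := int(binary.BigEndian.Uint16(msg[4:6]))
	an := int(binary.BigEndian.Uint16(msg[6:8]))
	off, err := 12, error(nil)
	for i := 0; i < qd; i++ {
		if off, err = skipName(msg, off); err != nil {
			return v, err
		}
		off += 4 // QTYPE, QCLASS
	}
	for i := 0; i < an; i++ {
		if off, err = skipName(msg, off); err != nil {
			return v, err
		}
		if off+10 > len(msg) {
			return v, errors.New("truncated answer")
		}
		if binary.BigEndian.Uint16(msg[off:off+2]) == typeRRSIG {
			v.RRSIGs++
		}
		off += 10 + int(binary.BigEndian.Uint16(msg[off+8:off+10])) // fixed fields + RDATA
	}
	return v, nil
}

// buildResponse constructs a minimal response for updates.example.com with the
// given flags and answer record types; it is sample input, not a resolver's output.
func buildResponse(flags uint16, answerTypes ...uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[2:], flags)
	binary.BigEndian.PutUint16(msg[4:], 1)
	binary.BigEndian.PutUint16(msg[6:], uint16(len(answerTypes)))
	msg = append(msg, 7, 'u', 'p', 'd', 'a', 't', 'e', 's', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0)
	msg = append(msg, 0, typeA, 0, 1) // QTYPE A, QCLASS IN
	for _, t := range answerTypes {
		msg = append(msg, 0xC0, 12, byte(t>>8), byte(t)) // name pointer to the question, TYPE
		msg = append(msg, 0, 1, 0, 0, 1, 0x2C)           // CLASS IN, TTL 300
		msg = append(msg, 0, 4, 192, 0, 2, 1)            // RDLENGTH 4, placeholder RDATA
	}
	return msg
}

func main() {
	validated := buildResponse(flagQR|0x0180|flagAD, typeA, typeRRSIG) // RD, RA set
	plain := buildResponse(flagQR|0x0180, typeA)
	for _, r := range [][]byte{validated, plain} {
		v, err := inspectResponse(r)
		fmt.Printf("%+v %v\n", v, err)
	}
}
```

Two caveats a practitioner should keep in mind. The AD bit is an assertion by whichever resolver answered, and anything on the path between the application and that resolver can set it just as easily as it can forge the answer, so it only means something when the resolver is local (or the channel to it is authenticated). Counting RRSIGs tells you the zone is signed, not that anyone validated them; a client that wants certainty has to validate the chain itself. The command-line equivalent is `dig +dnssec updates.example.com` and looking for `ad` in the flags line.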