Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Time to update updating on PCs for 3rd party apps - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Time to update updating on PCs for 3rd party apps

As Alan Paller wrote in last week's SANS @Risk Newsletter, home PCs contain a lot of software with a lot of vulnerabilities. The recent Shockwave hole is only one example. Yes, there are tools, like Secunia's PSI, that can help in determining which software on a PC needs urgent patching. In my experience though, the average home user is not tech savvy enough to use such tools.

Some software packages try to fix the problem by building an "auto update" feature into their product. Looking more closely into how these update mechanisms work shows that many do not verify or authenticate the updates received. If recent malware like Conficker protects its updates better than application software protects its auto-downloads, something's amiss.

Even assuming that a software package does everything right, there's still the hurdle of the OS to overcome. How do you explain to your mom or uncle or grampa the difference between a "bad" UAC prompt in Windows Vista (eg. when malware wants to sneak in) and a "good" UAC prompt (eg. when Firefox wants to apply its important security update) ?

Basically, a message box telling a user that a program needs updating doesn't work anymore. We've seen just too many pop-ups, too many annyoing requests to install Chrome or Silverlight or - worse - SuperMegaAntivirus2009, and this has left the users largely immune to anything that requests installation. The more glaringly something asks for attention, the higher the chance it will be ignored.

Microsoft has come a long way with Windows Update. Of course we still worry about the PCs of our family members whenever there's a new vulnerability, but once the patch is out, we know we can stop worrying: Windows Update works well enough that on all PCs of friends and family that I was recently pressed into duty to "check out", the Windows patches were actually current.

Now .. how do we get to the same level with all the application programs ?

 

Daniel

367 Posts
ISC Handler
Some of my thoughts on this:

I think this problem dates back to old proprietary software practices. The business model was, and unfortunately still can be, about selling someone a program and never having to contact the customer again, unless it's to sell them an upgrade to the 2010 edition. People had to just live with and get used to the bugs, and security updates didn't really exist. But the Internet has changed all that in two ways. One is that some types of software will have remote vulnerabilities that absolutely must be fixed promptly. But the other is that it's actually possible now to push updates to the customers, even daily. Software really ought to be an ongoing subscription service now including security updates, but it must be a good thing to also be able to put out fixes for other bugs the same day they're reported. Vendors already using this model include Anti-Virus software authors, and their auto-update practices are probably the best around.

Free and open-source software is different though. On the whole, the developers and most users seem of this software tend to be more in favour of frequent updates to gain new features and fixes. But there is usually no financial incentive to having a platform for distributing those updates automatically, and it's something that may be skipped over to cut costs. Larger projects like Debian have been able to do this very well, but smaller apps may need help from someone like SourceForge and maybe open-source package managers.
Steven C.

171 Posts Posts
Here's a nice comment on this issue:

http://www.h-online.com/security/My-wish-list-for-Windows-7-updates-for-everything--/features/113372
gebhard

7 Posts Posts
Mac OS X (and NeXT before it) has a shared code and resource architecture called Frameworks, allowing applications to share complex code, graphics, UI descriptors, etc. for multiple architectures easily. The entire system is based on this (UIKit is a framework, CoreAudio, etc.)

Third-party developers have created a framework called Sparkle, which provides a unified user experience across applications for secure, verified updates with clear descriptions of what has changed between versions. Many applications use it, and it gives a lot of power to the end user; frequency of updates, 'check now', hot-swap installation, background downloads...

http://sparkle.andymatuschak.org/

Back in the day I attempted to create a unified UI based on the look of the old Norton AV UI whereby applications register for central updates using the Registry. I wrote it in Delphi 7. It was a nightmare to try to keep everything secure.

Piggy-backing on the Windows Update infrastructure would be even crazier; I'm not sure an update mechanism centrally controlled by one organization is the "right" answer; Sparkle is free and decentralized using update RSS feeds, placing the onus (correctly) on the software supplier that wants to provide updates. SVs would likely have to pay for the right to use commercial update systems, have updates 'approved', etc., etc. And Windows Update isn't the most efficient system I've run across for updates; the amount of time it takes to detect the difference between your installed components and the available ones is telling.
amcgregor

11 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!