Disable auto-updaters to avoid exploits


Post by Binky on 26/12/2010, 23:12

See some exploits at http://krebsonsecurity.com/2010/11/evilgrade-gets-an-upgrade/

I recommend disabling the auto-update feature in each application. I have found many applications will enable the feature after a manual update. In other words, they remember my other settings, but enable auto update "for the user's own good". To make sure that they don't auto update, I have a blocking rule in my software firewall for each application that doesn't otherwise need internet access.

When an application updates itself (manually or automatically), users permit sending potentially personal information to the application's home server or third-party servers used to gather personal information. This allows them to connect your IP address with other personal information so web sites only need a subset of the information to identify you. When I let one of my "trusted" applications check for updates, I have seen in my firewall logs that it contacted Google, Yahoo and Microsoft. I prefer to download full installers for every update. I have a text file with the list of applications that support over-installing updates while preserving settings, which is most of them. For applications where I use the default settings, I always uninstall them before installing the update just to be safe. Another advantage to having full installers on hand is that they are ready in case I need to re-install the application after debugging a conflict with another.

Before I install updates (including Windows Updates), I prefer to backup my whole hard disk. This has saved my butt many times. I take a little time each weekend to check for updates to any application that renders or is involved in internet content. In my browser bookmarks, I have a folder containing links to publisher's sites for each such application. For the label of each bookmark, I put the application name and the current version installed. The links are to pages showing the current version for download. I download all the updates and then perform a backup. That way, I still have the new installers in case I need to revert my hard disk after a seriously failed install. In the comment for the backup, I put the names and the versions of the applications I plan to install after the backup.

For Windows Updates and security software, I like to wait a few days after release before I install to allow for user feedback and bug fixes. For non-Microsoft software, I find the publisher's forum a good place to check. For Microsoft software, browsers and popular media plugins, I look for announcements at http://krebsonsecurity.com/. Sometimes the article will give alternate download links to avoid incompatible built-in download managers. The reader comments will often list serious installation problems.

Binky
Member

Posts : 35
Join date : 2010-11-10

Re: Disable auto-updaters to avoid exploits

Post by p2u on 26/12/2010, 23:20

Binky wrote: I recommend disabling the auto-update feature in each application.
I second that. Updates manually only for me. I have auto-updates disabled system-wide.

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

Re: Disable auto-updaters to avoid exploits

Post by ssj100 on 27/12/2010, 00:28

I third that! Been using manual updates for everything for as long as I can remember. In the past, I have also preferred to completely re-install applications, but I'm now happy to "install over" most applications - it's faster and it seems to work well.

However, my main reasons for doing so may differ - it's because I like to have some control and also I often like to first read what other people experience (e.g. if someone posts something like "my system got hosed after installing this update", I would probably avoid it for a while!). Again, I don't care if Google, Yahoo etc. know which operating system, browser or even which third party security software I use. I would care more if they start stealing my banking passwords AND start stealing my money haha.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Disable auto-updaters to avoid exploits

Post by p2u on 27/12/2010, 15:34

Most of the attack vectors for software updates depend on man-in-the-middle attacks (via DNS spoofing). You can test whether your provider's servers are vulnerable to these attacks: DNS Nameserver Spoofability Test. The test doesn't start right away. First read the info and the warnings and then click the button down the page "Initiate standard DNS Spoofability Test". Keep in mind that this test may take some time and that it can also crash your router if you have one (there is a list of routers that are known to crash). That's why there are two tests: 1) a specially designed router crash test and 2) a "fully customizable" user-parameterized test.

Good luck!

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

Re: Disable auto-updaters to avoid exploits

Post by ssj100 on 27/12/2010, 22:39

I get an "Anti-Spoofing Safety" rating of "Excellent" and my 5 year old router survives the crash test. I'd imagine most people would get results like this.

ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Disable auto-updaters to avoid exploits

Post by p2u on 27/12/2010, 23:13

ssj100 wrote: I get an "Anti-Spoofing Safety" rating of "Excellent" and my 5 year old router survives the crash test. I'd imagine most people would get results like this.
As you can see from Steve Gibson's introductory page, that is certainly not the case. 12 different types of routers that crash is a lot. My provider solved the problem 2 years ago, immediately after the DNS bug was found, and I get "Excellent" as well (no router). But anyway, it's just a test and I'll keep my updates manual anyway.

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

Re: Disable auto-updaters to avoid exploits

Post by Scoobs72 on 27/12/2010, 23:55

Here's a thought - when you download an update for an app you're running (e.g. Sandboxie) do you always check the digital signature on the app to make sure it is genuine and you're not the victim of a DNS hijack or MITM attack? My HIPS used to do this by default, but with my current lighter setup this doesn't happen.

Scoobs72
Member

Posts : 28
Join date : 2010-11-05

Re: Disable auto-updaters to avoid exploits

Post by ssj100 on 28/12/2010, 00:19

Scoobs72 wrote: Here's a thought - when you download an update for an app you're running (e.g. Sandboxie) do you always check the digital signature on the app to make sure it is genuine and you're not the victim of a DNS hijack or MITM attack? My HIPS used to do this by default, but with my current lighter setup this doesn't happen.
Wouldn't you also need to check e.g. the MD5 hash value?

ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Disable auto-updaters to avoid exploits

Post by p2u on 28/12/2010, 00:26

Scoobs72 wrote: Here's a thought - when you download an update for an app you're running (e.g. Sandboxie) do you always check the digital signature on the app to make sure it is genuine and you're not the victim of a DNS hijack or MITM attack? My HIPS used to do this by default, but with my current lighter setup this doesn't happen.
I have a few parameters on the checklist for manual updates:
1) When I download an update, I always know (and check) the IP address of the server I download it from (I have a crazy memory for useless info). In case of Sandboxie that would be 67.227.172.122. I have the extension ShowIP installed in Firefox for convenience.
2) Because of my aggressive content filtering, any other site besides the genuine Sandboxie site would be white with text only.
3) When I download an update for any program, I always check the hashes on the site itself and make sure that after the download they are what the site promised me.
4) Signatures (if there are any) may be of additional help, but not all programs I use are necessarily signed.

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

Re: Disable auto-updaters to avoid exploits

Post by Scoobs72 on 28/12/2010, 01:31

ssj100 wrote:
Scoobs72 wrote: Here's a thought - when you download an update for an app you're running (e.g. Sandboxie) do you always check the digital signature on the app to make sure it is genuine and you're not the victim of a DNS hijack or MITM attack? My HIPS used to do this by default, but with my current lighter setup this doesn't happen.
Wouldn't you also need to check e.g. the MD5 hash value?

Yes, although I'd only do that if the digital signature was missing or invalid. The tricky thing is remembering to check the signature or hash every time. I wonder if there's a registry hack for ensuring that only signed executables can launch from user space when in your admin account?

Scoobs72
Member

Posts : 28
Join date : 2010-11-05

Re: Disable auto-updaters to avoid exploits

Post by p2u on 31/12/2010, 15:37

Scoobs72 wrote: Yes, although I'd only do that if the digital signature was missing or invalid. The tricky thing is remembering to check the signature or hash every time. I wonder if there's a registry hack for ensuring that only signed executables can launch from user space when in your admin account?
A digital signature DOES NOT ENSURE that the code itself can be trusted; only that it comes from the stated source. Signing is a business and signatures can be bought. If you really want to ensure things, then checking the hashes is your best bet.

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14
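Steps 3 and 4 of p2u's checklist, together with the point that a valid signature only tells you who signed a file, can be turned into one check that runs the same way every time (the part Scoobs72 found hard to remember). The following is an added PowerShell example, not code from anyone in this thread; it assumes PowerShell 4.0 or later for Get-FileHash, and the installer path, published hash and signer name are placeholders.

```powershell
# Added example: verify a manually downloaded installer against the hash the
# vendor published and, if the file is signed, check who signed it.
# Requires PowerShell 4.0+ (Get-FileHash). All values passed in are placeholders.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PublishedHash,   # copied from the vendor's page
        [string] $Algorithm = 'SHA256',                   # whatever the vendor publishes
        [string] $ExpectedSigner                          # optional: text expected in the cert subject
    )
    $r = [ordered]@{ Path = $Path; HashOk = $false; SignatureOk = $null; Notes = @() }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $r.Notes += 'file not found'
        return [pscustomobject]$r
    }

    # 1) Hash check. Normalise the published value (sites vary in case and spacing).
    $expected = ($PublishedHash -replace '[\s:]', '').ToUpperInvariant()
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash.ToUpperInvariant()
    $r.HashOk = ($expected -eq $actual)
    if (-not $r.HashOk) { $r.Notes += "hash mismatch, file has $actual" }

    # 2) Signature check. A valid signature only tells you who signed the file,
    #    so it supplements the hash check rather than replacing it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    switch ($sig.Status) {
        'NotSigned' { $r.Notes += 'unsigned; the hash check is all you have' }
        'Valid' {
            $subject = $sig.SignerCertificate.Subject
            if ($ExpectedSigner -and ($subject -notlike "*$ExpectedSigner*")) {
                $r.SignatureOk = $false
                $r.Notes += "signed, but by '$subject'"
            } else {
                $r.SignatureOk = $true
                $r.Notes += "signed by '$subject'"
            }
        }
        default { $r.SignatureOk = $false; $r.Notes += "signature status: $($sig.Status)" }
    }
    return [pscustomobject]$r
}

# Usage with placeholder values; a real run returns HashOk/SignatureOk and Notes.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\installer.exe" `
    -PublishedHash '<hash from vendor download page>' -ExpectedSigner '<vendor name>'
```

Only install when HashOk is true; SignatureOk being null simply means the file is unsigned, which is the case p2u describes in step 4.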

Re: Disable auto-updaters to avoid exploits

Post by wat0114 on 1/1/2011, 03:23

Why not use a 3rd party firewall to restrict the program's updating functionality to the specific IP address(es) and port(s) of the vendor's update server(s)? Of course this means using a 3rd party fw or Win7/Vista's inbuilt, not everyone's cup of tea, but it should afford a secure update process.

wat0114
Advanced Member

Posts : 152
Join date : 2010-05-11

Re: Disable auto-updaters to avoid exploits

Post by ssj100 on 1/1/2011, 03:32

wat0114 wrote: Why not use a 3rd party firewall to restrict the program's updating functionality to the specific IP address(es) and port(s) of the vendor's update server(s)? Of course this means using a 3rd party fw or Win7/Vista's inbuilt, not everyone's cup of tea, but it should afford a secure update process.
I don't think Binky wants that:
Binky wrote: When an application updates itself (manually or automatically), users permit sending potentially personal information to the application's home server or third-party servers used to gather personal information.

ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Disable auto-updaters to avoid exploits

Post by wat0114 on 1/1/2011, 05:40

ssj100 wrote:
I don't think Binky wants that:

But Binky references an article illustrating the dangers of being sent the wrong update (an exploit instead), so my suggestion should significantly mitigate that danger by ensuring the program obtains its updates from the vendor's site. The firewall restriction will, in fact, work for those who choose to only manually check for a program's updates via the program's update option. I'm not really sure what the privacy concerns are about, either, if the updates are obtained from the developer of the program? I've not once in many years with this approach encountered or perceived even the slightest breach of my privacy.

wat0114
Advanced Member

Posts : 152
Join date : 2010-05-11

Re: Disable auto-updaters to avoid exploits

Post by p2u on 1/1/2011, 13:22

wat0114 wrote: Why not use a 3rd party firewall to restrict the program's updating functionality to the specific IP address(es) and port(s) of the vendor's update server(s)?
You can also do that in Win7/Vista's in-built firewall with Advanced Security. Besides, MS does everything right with its updates. It always correctly signs its updates as far as I know (one exception only, but I don't remember exactly when and what that was; something with WGA I believe).
P.S.: The number of MS update servers is huge. Besides, MS seems to distribute a lot through Akamai servers as well, so you would have to include those in the firewall rules too. The safest option is, of course, to download the updates manually (one by one) from the TechNet site (if there is such a link, pick the update for "professionals", not "home users").

Paul

p2u
Valued Member

Posts : 211
Join date : 2010-12-14

Re: Disable auto-updaters to avoid exploits

Post by wat0114 on 1/1/2011, 21:28

p2u wrote:
You can also do that in Win7/Vista's in-built firewall with Advanced Security.

That's what I'm doing with Win7 fw, and all other program updates as well. Some MS update server addresses taken from Jetico's configuration, which I transposed to Win7's fw:

Code:
<group name="Microsoft Update IP addresses" comment="">
    <item value="207.46.1.1/255.255.0.0" />
    <item value="65.54.95.1/255.255.255.0" />
    <item value="65.55.1.1/255.255.0.0" />
</group>

wat0114
Advanced Member

Posts : 152
Join date : 2010-05-11
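The vendor-only restriction wat0114 describes, and that p2u says the Win7/Vista firewall with Advanced Security can also do, can be set up from an elevated PowerShell prompt with netsh, which those Windows versions accept. This is an added example and not a configuration posted by anyone in the thread; the program path, server addresses and port are placeholders, and it assumes English netsh output.

```powershell
# Added example: restrict one program's update traffic to the vendor's update
# server(s) with Windows Firewall with Advanced Security. Run elevated.
# Path, addresses and port are placeholders; real vendors often use several
# addresses or a CDN (p2u's Akamai point), and every one of them must be listed.
$program  = 'C:\Program Files\ExampleApp\ExampleApp.exe'   # placeholder
$vendorIp = '192.0.2.10,192.0.2.11'   # placeholders (RFC 5737 documentation range)
$port     = 443                       # placeholder
$ruleName = 'ExampleApp updates (vendor only)'

# Windows Firewall evaluates block rules before allow rules, and the default
# outbound action on a fresh install is Allow. An "allow to vendor" rule only
# restricts anything once the profile's outbound default is Block, so report
# the current setting instead of silently adding a rule that does nothing.
function Get-OutboundPolicy {
    # Assumes English output of the form "Firewall Policy  BlockInbound,AllowOutbound"
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match 'Firewall Policy\s+(\S+)') { $Matches[1] }
    }
}
$policies = @(Get-OutboundPolicy)
if ($policies -match 'AllowOutbound') {
    Write-Warning "Outbound default is Allow on at least one profile ($($policies -join '; '))."
    Write-Warning 'The rule below will not restrict the program until outbound default is Block.'
}

# Re-create the rule so the script can be rerun after the vendor changes address.
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
netsh advfirewall firewall add rule name="$ruleName" dir=out action=allow `
    program="$program" protocol=TCP remoteip=$vendorIp remoteport=$port enable=yes

# Show what the firewall actually stored, to confirm path and scope.
netsh advfirewall firewall show rule name="$ruleName" verbose
```

The rule is per program path, so if the application updates through its main executable rather than a separate updater, that is the path to use.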

Re: Disable auto-updaters to avoid exploits

Post by Sponsored content


Sponsored content


Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum