How safe are automated updates on software?

I was just updating Java when it automatically popped up its little warning a new version was available. As I clicked through a dozen dialog boxes to get the installation going, it occurred to me that I really don’t know that this is a legitimate update. It looks and acts like all the other updates, and it didn’t set off any warnings in my security software… but normally, I’d treat an unsolicited e-mail or pop-up like it’s radioactive until proven otherwise.

Have automated updates - or impersonations of them - been used to install or transmit malware?

Any advice for the security conscious/paranoid computer user?

Lately the annoying thing I run into is the Java or Flash updaters prompting to install Chrome, or McAfee's "light" scanner.

I personally have never seen a fake java or flash update that made me look twice.

Not that I have ever gotten burned by a fake update, but I always look at the path when I get an update notification (actually Windows’ notification that a program wants to run).

I’ve had an instance of a hacked/rogue FF add-on, which updates all the time. Either it was hijacked or the author turned to the dark side - it inserted fake search results into Google.

Add-ons are always a risk.

Automated updates are as reliable as the original software was.

If you bought it from a known, reliable software company, it’s probably safe. If it’s a freebie from someone you’ve never heard of … well, be careful.

A couple of points:

  1. Automatic updates (triggered & downloaded by a program already installed on your computer) are probably more safe than an email message claiming to be from a software vendor telling you about an updated version and offering a download link. Because the installed program will link back to the real vendor website; the one in the email might be a malware site (even if it looks like the vendor’s real site).

  2. Automatic updates are safer than running old versions of software. Because vulnerabilities are found so often in software, and bad people are so quick to take advantage of those.

I recently discovered that the latest version of QuickTime Pro needs to be re-purchased even if you’ve already paid for the pro version you’re using now. That kinda sucks because I was under the assumption that I owned a perpetual license. I guess they decided that I don’t.

So the lesson is - you really should read through those EULA boxes after you click yes to install. Luckily I saw the notice about having to re-purchase, and I cancelled the update.

I did once. Shareaza (file sharing and torrent client*) prompted me for an update, so I clicked through it, only to find that I now had some malware-infested piece of shoddy crapware in its place.

Apparently, someone forcibly took control of the software author’s domain and issued their own shitty media retail app as a supposed software update. (link to story)

*I feel the need to clarify that there are completely legitimate and ethical uses for software of this description.

There is definitely malware that poses as a Java update. I got it last year, and ended up disabling Java updates/notifications.

Yeah, both of those updaters try to package some new “feature” every time. I see McAfee a lot, but also toolbars for Bing and Google, among others.

Fortunately, these have always been safe (even if annoying) and I can remove later if I need to.

Hmmm… in regards to Microsoft and Java, I’m not sure your first sentence is very comforting. :)

I have always treated automated updates as safe, and work to make sure that I keep everything updated for the reasons you cite. I just had sudden visions of what a criminal could accomplish if they took over a company’s update servers. I can just see Windows update delivering millions of viruses to users who trust that source and don’t question the updates.

Would anti-malware software pick up on that kind of activity and stop it?

Wasn’t there a US Government warning recently regarding security issues with Java?

Java isn’t really needed much these days with modern websites.

A hacker can take over the server where the updates are located and put in their own software. There have been cases where Linux software repositories have been hacked and some sort of malware or altered version of the software put in. It shouldn’t be hard to catch, though. Most software servers should rely on hashes or certificates that should be checked by the author routinely or the updating software to disallow installation of anything that doesn’t look right. But that doesn’t mean all companies follow good procedures. I’m sure Java is ok, but that screensaver you downloaded from someone’s blog may be a different story.
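As an added illustration of the checks the two posts above describe (an installed program going back to its pinned vendor location rather than a link someone sent, and the updater refusing anything whose hash does not match), here is a small updater-side verifier. It is example code written for this thread, not anything from Oracle, a Linux distribution, or any real updater. The manifest, payload bytes, host name and product name are all constructed stand-ins; a real updater would additionally require the manifest itself to carry a vendor signature, which is left out here.

```python
# Added example: what an installed program's updater should check before it
# runs a downloaded update. Not from any real vendor; all data is constructed.
import hashlib
import hmac
import json

# Hypothetical vendor host baked into the installed program. The updater only
# trusts manifests fetched from here, never from a link in an e-mail or pop-up.
PINNED_UPDATE_HOST = "updates.vendor.example"

# Constructed stand-ins for installer payloads of different versions.
GENUINE_PAYLOAD = b"<installer bytes v1.8.0 - constructed sample>"
TAMPERED_PAYLOAD = b"<installer bytes v1.8.0 - constructed sample + injected code>"
OLD_PAYLOAD = b"<installer bytes v1.6.0 - constructed sample>"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a payload; the manifest pins this value per release."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(version: str, payload: bytes) -> str:
    """Build the JSON manifest a vendor would publish for one release.
    (In a real system this document is also signed by the vendor's key.)"""
    return json.dumps({
        "product": "ExampleRuntime",
        "version": version,
        "sha256": sha256_hex(payload),
    })


def parse_version(version: str) -> tuple:
    """'1.8.0' -> (1, 8, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def verify_update(manifest_json: str, payload: bytes,
                  installed_version: str, manifest_host: str):
    """Return (ok, reason). ok is True only if every check passes."""
    # 1. The manifest must come from the pinned vendor host, not a lookalike.
    if manifest_host != PINNED_UPDATE_HOST:
        return False, "manifest not fetched from the pinned vendor host"

    manifest = json.loads(manifest_json)

    # 2. Never go backwards: a "downgrade" to an older, vulnerable build is a
    #    classic way a hijacked update server would re-expose a known bug.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "refusing downgrade/reinstall of an older version"

    # 3. The payload must match the hash the manifest commits to, byte for byte.
    #    compare_digest avoids timing differences in the string comparison.
    if not hmac.compare_digest(manifest["sha256"], sha256_hex(payload)):
        return False, "payload hash does not match manifest"

    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("genuine 1.8.0 over 1.7.2", make_manifest("1.8.0", GENUINE_PAYLOAD),
         GENUINE_PAYLOAD, "1.7.2", PINNED_UPDATE_HOST),
        ("tampered payload", make_manifest("1.8.0", GENUINE_PAYLOAD),
         TAMPERED_PAYLOAD, "1.7.2", PINNED_UPDATE_HOST),
        ("downgrade to 1.6.0", make_manifest("1.6.0", OLD_PAYLOAD),
         OLD_PAYLOAD, "1.8.0", PINNED_UPDATE_HOST),
        ("manifest from e-mail link host", make_manifest("1.8.0", GENUINE_PAYLOAD),
         GENUINE_PAYLOAD, "1.7.2", "vendor-updates.example.net"),
    ]
    for name, manifest, payload, installed, host in cases:
        print(f"{name}: {verify_update(manifest, payload, installed, host)}")
```

Only the first case is accepted; the other three show the failure modes the thread worries about (a swapped payload, a rollback to an old build, and a manifest that did not come from the place the program was built to trust). The hash check catches a hijacked mirror only if the manifest is obtained from somewhere the attacker does not control, which is why real updaters sign the manifest as well.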

I agree I’ve never been burned on auto updating, but this is why I only allow it to automatically look for an update and notify me, whether or not to download and install it.

Department of Homeland Security: Disable Java ‘Unless It Is Absolutely Necessary’

Java is being compromised so frequently, it is difficult to keep it adequately updated to avoid infection.

I had noticed that Firefox automatically disabled the Java plug-in because of security issues.

It sounds like I might want to uninstall Java entirely. I’ll have to see if I’m running anything that absolutely requires it.

Why don’t they sandbox the hell out of Java? Or is that not enough? The entire original concept was that things would run on the virtual machine rather than your real computer–so the thing is built on the concept of a sandbox. So why not just sandbox it more?