The dark side of auto-updates: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Don't get me wrong, they are *essential* for some software, but the pendulum might have swung too far, adding risk where little risk existed before.
-
In essence, when every niche utility on your computer auto-updates, you're dependent not only on the software being non-malicious at t = 0, but also on every dev and their dog staying safe on the internet for all eternity.
-
@lcamtuf Yep, and the developer doesn't even need to get hacked; there's a years-long history of bad actors buying control of legitimate mobile apps, browser extensions, WordPress plugins, etc. and pushing updates with malware.
-
@lcamtuf what year is it: https://xcancel.com/_supernothing/status/554743393524645888?s=20
-
@mischif "nonissue" is a big word. If a major intelligence agency wants to pwn you, the odds are against you. It's obviously better if you design your software to offer fewer venues of attack, but even that has its limits - see the xz attack against OpenSSH.
In this instance, they went for the path of least resistance. Without this path, their objectives would still be the same, so they would try something else. Hard to know if they would have succeeded.
-
@lcamtuf I agree that the attackers would have kept looking to exploit some other vulnerability; I'm saying that if either the download notification page or the individual update binaries were signed by a key not stored on the server, breaching the server wouldn't have provided the attackers any additional exploitation potential (save a watering hole attack/swapping binaries to attack new users).
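The scheme sketched in that reply (a signed update manifest whose private key never touches the download server), as an added example that is not code from the Notepad++ project or from anyone in this thread. It assumes an Ed25519 release key, a JSON manifest carrying version, URL and SHA-256 of the installer, a public key pinned in the installed client, and constructed sample installer bytes; all names are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the "download notification" the client fetches from the update
// server. The server is treated as untrusted: only a signature made with the
// offline release key makes the manifest worth acting on. (Assumed format.)
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // lower-case hex digest of the installer
}

// SignedManifest is what the server serves: canonical JSON payload plus an
// Ed25519 signature over exactly those bytes.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

// HashHex returns the SHA-256 of an installer as lower-case hex.
func HashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs at release time on the maintainer's offline signing
// machine, never on the web server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyUpdate is the client side. pub is pinned in the installed program, so
// whoever controls the server cannot change which key is trusted.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, installer []byte) (Manifest, error) {
	var m Manifest
	// Verify the signature before parsing anything the server sent.
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return m, errors.New("manifest not signed by the release key")
	}
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return m, err
	}
	// The manifest binds the installer bytes; a swapped download fails here.
	if HashHex(installer) != m.SHA256 {
		return m, errors.New("installer hash does not match signed manifest")
	}
	return m, nil
}

// Scenario plays out three cases with constructed sample data and reports
// whether the client would have accepted each update.
func Scenario() (genuineOK, swappedInstallerOK, forgedManifestOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // release key pair
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample: the real installer bytes")
	signed, err := SignManifest(priv, Manifest{Version: "1.2.3", URL: "https://updates.example/app.exe", SHA256: HashHex(genuine)})
	if err != nil {
		panic(err)
	}
	// 1. Honest server, honest installer.
	_, err = VerifyUpdate(pub, signed, genuine)
	genuineOK = err == nil

	// 2. Attacker with server access swaps the installer but must leave the
	//    signed manifest alone: the key needed to re-sign it is not on the server.
	trojan := []byte("constructed sample: trojanized installer bytes")
	_, err = VerifyUpdate(pub, signed, trojan)
	swappedInstallerOK = err == nil

	// 3. Attacker rewrites the manifest to match the trojan and signs it with
	//    a key they generated themselves; the pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignManifest(attackerPriv, Manifest{Version: "1.2.4", URL: "https://updates.example/app.exe", SHA256: HashHex(trojan)})
	_, err = VerifyUpdate(pub, forged, trojan)
	forgedManifestOK = err == nil
	return genuineOK, swappedInstallerOK, forgedManifestOK
}

func main() {
	g, s, f := Scenario()
	fmt.Printf("genuine accepted: %v, swapped installer accepted: %v, forged manifest accepted: %v\n", g, s, f)
}
```

Two caveats a practitioner would add: this only moves the target from the web server to the signing machine, which is the point made earlier in the thread about a determined adversary; and a client should also reject manifests whose version is not newer than what it runs, or a server compromise can still replay an old signed manifest pointing at a vulnerable release.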