Man-in-the-Middle Attacks on Auto-Updating Software


Many software applications now come with the ability to perform automatic self-updates, by downloading executable updates from the Internet and running them. This presents a new security risk, since there is no established, secure protocol for performing these updates, and it is questionable whether the proprietary schemes used by software vendors have been vetted for vulnerabilities. In this paper, we analyze several software applications that have an auto-update capability. We also present two generic types of man-in-the-middle attack that can subvert HTTP downloads, which many auto-updating applications rely on, and show how these attacks can be tailored to exploit specific pieces of software. In addition, we review some countermeasures, including Microsoft's Authenticode technology.