Insecure 3rd party software updaters


Gotta love Robert’s sarcasm... but he’s right.

Comments (3)

  1. Marc says:

    And you should blame Microsoft for not opening auto-updates to products other than Microsoft ones.

    Why isn’t Winzip (I do not speak about competing products like OpenOffice) allowed to use a secure and robust update mechanism instead of using a homemade one?

    Responsibility is not an answer; we are used to clicking on disclaimers when installing stuff, aren’t we? One more disclaimer to accept an update from an "untrusted" (read non-MS) source wouldn’t be a problem.

  3. securology says:

    Hmm. Robert may be correct, but digital signatures by themselves do not make a secure update mechanism, unless there is a time-bound sensitivity associated with the signatures (and it would have to be a very finite amount of time at that). Read more <a href="http://securology.blogspot.com/2008/08/package-managers.html">here</a>.
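
The point raised in the last comment, that a valid signature alone does not stop an old signed update from being served again, shown as an added example that is not part of the original post or its comments. HMAC stands in for a real public-key signature so the code runs on the standard library; the manifest fields, key, version numbers and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for a public-key signature
# (a real updater would verify with the vendor's public key instead).
DEMO_KEY = b"constructed-demo-key"

def sign_manifest(version, sha256_hex, expires_at, key=DEMO_KEY):
    """Publisher side: sign version, payload hash and expiry time together."""
    body = json.dumps({"version": version, "sha256": sha256_hex,
                       "expires_at": expires_at}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}

def signature_ok(manifest, key=DEMO_KEY):
    """Signature-only check: says nothing about how old the manifest is."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])

def check_update(manifest, payload, now, installed_version, key=DEMO_KEY):
    """Client side: return (accepted, reason). Parse the body only after
    the signature over it has been verified."""
    if not signature_ok(manifest, key):
        return False, "bad signature"
    meta = json.loads(manifest["body"])
    if now >= meta["expires_at"]:
        # A correctly signed manifest that is simply old is refused here.
        return False, "metadata expired"
    if tuple(meta["version"]) <= tuple(installed_version):
        return False, "not newer than installed"
    if hashlib.sha256(payload).hexdigest() != meta["sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"

# Constructed sample: release 1.1, signed with an expiry at t=1000.
OLD_PAYLOAD = b"updater build 1.1 (constructed sample payload)"
OLD_MANIFEST = sign_manifest([1, 1], hashlib.sha256(OLD_PAYLOAD).hexdigest(),
                             expires_at=1000)

if __name__ == "__main__":
    # At t=2000 a client still on 1.0 is handed the old 1.1 manifest again.
    print("signature alone:", signature_ok(OLD_MANIFEST))
    print("with expiry    :", check_update(OLD_MANIFEST, OLD_PAYLOAD, 2000, [1, 0]))
```

The version check does not help in this case, because 1.1 is still newer than the installed 1.0; only the signed expiry time distinguishes current metadata from a stale copy.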
