Thursday, February 25, 2010

Secure automatic updates

Over the last month or so, I've update the Flash player on several of my workstations several times.  Each time I do this, there's one little detail that gets my goat: the executable file that actually does the updating isn't digitally signed.  Here's how the Flash updates sequence plays out:

  1. The Flash update warning appears automatically when I log in.  I try to distrust everything that happens; how do I know this is really a Flash update? But I figure, let's see where this goes.
  2. I get a UAC flash.  I know that some people don't like UAC, but I love it.  I want to know when an application starts messing with my system settings.
  3. The UAC warning is telling me that there's an app call "flashupdate2.exe" that's trying to change my system settings.
  4. Here's the problem: flashupdate2.exe isn't digitally signed.  That means there's no way to verify what it really is and where it came from.
At this point I have a choice: either don't update my Flash player, leaving me vulnerable to known attacks, or bet that the application that says it's a Flash updater really is a Flash updater and not a malware trojan.

Oh, that's right.  There is a 3rd alternative: uninstall Flash until Adobe decides to exercise some common sense and sign their application updates for the benefit of everyone's security.

No comments: