Why Automatic Updates could be bad!

Date: 18 September 2008

Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9852

Hi all,

For every operating system or software package that has an automatic update feature, security professionals recommend that you enable it. Yesterday we published an advisory stating that "InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and executes scripts" (ESB-2008.0883). The advisory affects any software package that uses the InstallShield Update service to update itself.

This reminded me of a tool, released a while back, that was designed to exploit various software packages that utilise an update service.

This unnamed tool is able to exploit automatic updates for the following:

What about Microsoft Update, aka Windows Update? It is not vulnerable to an attack from this or similar tools. The key difference between MU and the examples above is that Microsoft uses digital certificates to sign all packages, and the downloader verifies that every package has the correct signature and has not been tampered with. Therefore, even if an attacker injects arbitrary code into the stream for the user to download, the computer will not run it, because it could not have been signed with the Microsoft digital certificate.

Since the applications listed above are not signing their packages with a digital certificate, it would be best to download the updates via HTTP over an SSL connection (HTTPS).

Cheers,
Zane
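
The difference described above between an updater that runs whatever it downloads and one that checks a signature first, as an added Go example that is not part of the original post or any vendor's code. It assumes a raw Ed25519 vendor key pinned inside the updater in place of a certificate chain; the type and function names and the sample payloads are hypothetical and constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what an updater receives over an untrusted channel such as plain HTTP.
type Update struct {
	Payload   []byte // installer or script bytes
	Signature []byte // detached signature shipped with the payload
}

var ErrBadSignature = errors.New("update rejected: signature does not match pinned vendor key")

// AcceptUnsigned models an updater that runs whatever it downloaded.
func AcceptUnsigned(u Update) ([]byte, error) { return u.Payload, nil }

// AcceptSigned releases the payload only if it verifies against the pinned vendor key.
func AcceptSigned(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// Scenario builds constructed downloads: genuine, altered in transit, altered and re-signed by a non-vendor key.
func Scenario() (ed25519.PublicKey, Update, Update, Update) {
	pinned, vendorKey, err1 := ed25519.GenerateKey(rand.Reader)
	_, otherKey, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	payload := []byte("constructed update package 1.2")
	altered := append([]byte("modified in transit: "), payload...)
	genuine := Update{Payload: payload, Signature: ed25519.Sign(vendorKey, payload)}
	tampered := Update{Payload: altered, Signature: genuine.Signature}
	resigned := Update{Payload: altered, Signature: ed25519.Sign(otherKey, altered)}
	return pinned, genuine, tampered, resigned
}

func main() {
	pinned, genuine, tampered, resigned := Scenario()
	for i, u := range []Update{genuine, tampered, resigned} {
		_, err := AcceptSigned(pinned, u)
		fmt.Printf("download %d: verifying updater err=%v\n", i, err)
	}
}
```

Only the first download passes the verifying updater; the unsigned updater returns all three payloads for execution.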