Malicious Updates - CompTIA Security+ SY0-701 - 2.3

00:01

You often hear myself and many other security professionals

00:05

tell you to always keep your operating systems up to date,

00:08

make sure all of your applications have been patched,

00:11

and any time a new set of updates comes through,

00:13

you should make sure that you patch your system

00:15

as soon as possible.

00:16

This will make sure that you're able to avoid

00:19

any type of vulnerabilities or security problems associated

00:22

with this older code.

00:24

But of course, when you're installing an application

00:26

to a device, there's always a concern

00:28

that the application itself might have malicious software

00:31

inside of it.

00:32

And the same thing applies to these updates.

00:35

We're effectively installing a new application

00:38

each time we install these updates,

00:39

and it may be possible for an attacker

00:42

to find some way to get their malicious code embedded

00:45

within the update itself.

00:47

And although we're telling you to update your system as

00:49

quickly as possible when you find one of these security

00:52

patches, there are a number of best practices

00:55

that are associated with this update process.

00:58

First, before you make any changes to any system,

01:01

you should have a backup.

01:02

This ensures that if something does go wrong during the update

01:05

process, you can revert back to the previous configuration,

01:09

and you'll be back up and running again.

01:10

You should also make sure that the sources that you're using

01:14

for this update are trusted.

01:16

This means the software that you're

01:17

using during this update is coming from a source

01:19

that you commonly would use or one that is commonly associated

01:23

with this update process.

01:25

And it's always worth mentioning again

01:27

that your backup can solve a lot of problems for you

01:30

if something does go wrong during the update process.

01:34

Here's an example of a message that you might commonly

01:36

see when an application needs to be updated.

01:38

This is for the Chrome browser, and it says, "You

01:41

are using an older version.

01:42

Update now to keep your Chrome browser running

01:44

smoothly and securely.

01:46

Your download will begin automatically.

01:48

If not, click here" where it says Update Chrome.

01:50

If this is a message that appears when you first

01:53

start your browser before you visited any other websites,

01:56

then there is a reasonable amount of trust

01:58

you can associate with this update message.

02:01

But what if this is a message that

02:02

appears once you visit one of the links that's

02:04

provided from a Google search?

02:06

There might be a question as to whether this particular update

02:10

is legitimate.

02:11

And it may be something you want to perform

02:13

a bit of extra checks before clicking that Update Chrome

02:16

button.

02:17

We're very often installing these updates

02:19

from a file that has been downloaded

02:21

from a third-party website.

02:23

So we need to look at where we're

02:25

downloading this file from.

02:26

And we need to understand more about what might happen

02:29

if we perform this update.

02:30

We should make sure that the source

02:32

is one that is indeed trusted, that we're

02:34

going to a site that commonly hosts these types of patches.

02:38

If we're getting some random pop-up message

02:40

during our normal web-browsing session that tells us

02:43

that we need to click here to update,

02:45

this might not be a legitimate update message.

02:48

And if you want to have a relatively high amount of trust

02:51

regarding this particular patch, you

02:53

should download the update directly

02:55

from the application developer site.

02:57

And many operating systems will only

02:59

install applications if they've been digitally signed.

03:02

That means that we'll get a message during the update

03:04

process that tells us that this application is from Microsoft,

03:09

or Adobe, or Google, and we can see the digital signature

03:12

associated with that update.

03:14

Because the digital signature is put there by the application

03:17

developer and our operating system validates

03:20

that digital signature, we can have a high level of trust

03:23

that this particular update is legitimate.

03:26

Sometimes, an application will have its own update process

03:29

built into the app itself.

03:31

This usually does have security checks and digital signatures

03:34

built into this process.

03:36

And although you might not see the digital signature,

03:38

the update process of the application

03:40

is automatically performing that verification.

03:43

This process has a high amount of trust

03:45

because it's the application itself

03:48

that is performing the update.

03:49

You don't have to download any files yourself.

03:52

And the update is being verified as coming from the manufacturer

03:56

of the software.

03:57

However, this process is not a 100% guarantee

04:01

that the code that you're updating is indeed legitimate.

04:05

In December of 2020, the company SolarWinds

04:07

reported that their application Orion was performing updates

04:12

for users, but the update itself contained malicious software.

04:16

These updates followed the internal update process

04:19

for the Orion application.

04:20

The update itself was digitally signed by the company.

04:23

And to anyone who's ever performed an update,

04:26

this looked like a normal update from a legitimate application

04:29

developer.

04:30

Unfortunately, months earlier, attackers

04:33

had gained access to the development system

04:35

in SolarWinds itself and put their own code

04:39

into the SolarWinds software.

04:41

Their malicious code was rolled up

04:43

into the normal updates that were

04:45

provided by other application developers within the company.

04:48

And the entire package was digitally signed

04:51

and automatically distributed to their users.

04:53

This Orion software is high-end management software,

04:57

and some of the largest organizations in the world

05:00

were running this software.

05:02

This allowed attackers to gain access

05:04

to hundreds of large governmental agencies

05:07

and companies, and it allowed them to effectively

05:09

have full rein to the entire system that was

05:13

running this Orion software.

05:14

And from there, they were able to jump from the Orion system

05:17

to other unsecured systems within those organizations.

05:21

This type of attack is relatively rare,

05:24

but it does show that an attacker could use a trusted

05:27

process to be able to automatically distribute

05:29

their malicious code to hundreds or thousands of systems

05:33

automatically.