
Insecure 3rd party software updaters

Gotta love Robert's sarcasm.. but he's right.

Comments

  • Anonymous
    July 29, 2008
    And you should blame Microsoft for not opening auto-updates to products other than Microsoft ones. Why isn't Winzip (I do not speak about competing products like OpenOffice) allowed to use a secure and robust update mechanism instead of using a home-made one? Responsibility is not an answer; we are used to clicking on disclaimers when installing stuff, aren't we? One more disclaimer to accept an update from an "untrusted" (read non-MS) source wouldn't be a problem.

  • Anonymous
    July 30, 2008
    And you should blame Microsoft for not opening auto-updates to products other than Microsoft ones. Why isn't Winzip (I do not speak about competing products like OpenOffice) allowed to use a secure and robust update mechanism instead of using a home-made one? Responsibility is not an answer; we are used to clicking on disclaimers when installing stuff, aren't we? One more disclaimer to accept an update from an "untrusted" (read non-MS) source wouldn't be a problem.

  • Anonymous
    August 09, 2008
    Hmm. Robert may be correct, but digital signatures by themselves do not make a secure update mechanism, unless there is a time-bound sensitivity associated with the signatures (and it would have to be a very finite amount of time at that). Read more here: http://securology.blogspot.com/2008/08/package-managers.html