Dangers Of Malicious Automatic Updates
The M.E.Doc accounting software uses automatic updates, which made the backdooring of the software so much more dangerous, because it allowed NetPetya to quickly spread to thousands of companies.
Auto-updates are generally considered a security feature, because they remove much of the delay between when a security patch is released of and when it's actually installed by all the people who use that particular software.
We can see how ransomware makers continue to abuse the SMB vulnerability in unpatched Windows systems, despite the fact that Microsoft started issuing a patch for it months ago. When the updates are not automatic, a large portion of the users tend to postpone them for whatever reason. However, once Microsoft announces patches for some bugs, the malware makers also know which bugs to use to spread their malware on unpatched systems.
The problem with auto-update systems arises when software vendors with millions of users, and with a target painted on their backs by hackers, don’t take good care of their servers’ security. When updates are manual, even if the servers are hacked, that delay until everyone patches could be used to the users’ advantage, because during that time, the hack may be discovered. Therefore, many users may never be affected by the backdoored update.
If more of this type of attack continues, people may start losing faith in automatic updates, such as those seen in Chrome and Windows 10. The NSA, which had previously hijacked Windows’ update system to spread the Flame cyber-espionage tool, has also been a proponent of malicious automatic updates as a way to bypass encryption. However, as security experts have warned, if this ever came to pass, even more people would disable auto-updates. That could further put their own security at risk.
There is no easy solution against malicious updates in general, because this “comes with the package” when using a digital service or product. When you use an online service or product you’re always at risk of having your data stolen, which is why choosing companies that prioritize security is always a good idea. As for the avoid automatic malicious updates, the solution could be to disable them, but then you may be exposed to other attacks, so this solution would at least need some serious consideration.