For many years, one of my routine daily web visits has been to a software update aggregation service, to check for new updates. My favourite has not been MacUpdate, thankfully, which in the last few days has once again been found to have been inadvertently distributing malware by proxy.
Since I first started visiting update aggregators, the threat landscape has changed considerably. Those who develop and distribute malware now target all online sources of software products, including update sites.
They have hit Apple’s App Store with XcodeGhost, delivering malicious apps to millions of users in east Asia for around six months before its detection. They have hit a succession of individual providers, some repeatedly; the most recent victim was Eltima, for example, whose software delivery and update service must now be one of the most secure. They have also hit update aggregators: this is at least the third time that MacUpdate has generously helped its users to install malware, the last incident involving Eleanor.
There seems no escaping the fact that our sources of new software and updates will continue to be under attack, and that, from time to time, they will deliver us malicious software. So we need strategies to minimise the risk to our Macs.
One solution might be to return to physical media, at least for new purchases. With rapid delivery services from almost any part of the world, this is not such a bad alternative, but major intermediaries like Apple would lose a lot of revenue. Besides, no Macs now ship with optical drives, so finding a way to install cheap distribution media wouldn’t be easy for the great majority of Mac users.
Given that we are going to have to rely on online distribution, the burden of minimising risk is placed on distributors. And given that breaches will continue to occur, one of their most important tasks is responding to such breaches. In this respect, this week’s new malware, OSX.CreativeUpdate, is an excellent lesson in what not to do.
In the case of the three malicious updates known to have been offered by MacUpdate, none was actually hosted on MacUpdate’s servers. All the aggregator did was to provide bogus links, so that users who thought that they were being connected with the vendor’s download were actually hijacked to the malware delivery sites (which were being hosted on Adobe’s servers, hence the name of this malware).
For an aggregator providing off-site links to downloads, this is pretty well the oldest trick in the book. All the malware provider has to do is find somewhere plausible to host their downloads, and convince the aggregator to post the links.
It is salutory to look at what MacUpdate has done since being alerted to the fact that they posted bad links on their site. Over 24 hours later, the only mention of this major security breach on MacUpdate is in the comments to those three specific updates. There have been no warnings on MacUpdate’s front page, or even on the product pages themselves, only in their comments.
For those who pay MacUpdate a suscription for the privilege of receiving free links to download malware, using its MacUpdate Desktop app, they don’t even get to see those comments.
MacUpdate doesn’t appear to have made any attempt to identify which users might have been affected – something which may be impossible given their site design – nor to contact them. At no time did MacUpdate take its servers offline to check whether other updates might have been affected, but has relied on others informing it which appear to be.
Indeed, after recognising the problem with Firefox, the editor responsible denied that any other update was affected, until a user put them right. For all we know, other update links on MacUpdate may well point to malicious sites. MacUpdate has not revealed that it has even checked to find out.
The only comment about what MacUpdate intends to do about any of this has been written by the editor concerned: “It’s unfortunate that this type of hack has come to the Mac platform, but we are now more aware, and promise to be more diligent in protecting all of you in future.”
As an update aggregator, MacUpdate’s business is delivering trustworthy updates to its users. For an unknown period, it unwittingly ensured delivery of malware to an unknown number of its customers. In any other line of business, this would quite rightly result in its rapid collapse and closure.
Update aggregation is a vulnerable trade. In its handling of this breach, MacUpdate has done itself no favours. It has drawn attention to the vulnerability of aggregation services, to its own weakness in handling those, and in its inadequate response to this breach. I expect that this will prove the final nail in the coffin of what was once a valuable service.
Would you ever visit an update aggregator’s website again and click on one of its links?
Since writing this, @tweet2oi has tweeted a counsel of perfection: “It’s very important that users check Developer signature, MD5/SHA checksums (if provided), look in VirusTotal for these checksums, etc.”
I suspect that the great majority of macOS users wouldn’t know how to do any of those, and that hardly any do. Most assume that it’s Gatekeeper’s job to check signatures, and the job of macOS to perform other checks, for example on disk images. I also think that it is a reasonable expectation that users who pay a subscription to an update aggregator and run their software, should have such tasks performed by that software, to ensure that updates delivered through the aggregator are genuine.
Users usually can do more to protect themselves, but they should also be able to put reasonable trust in macOS and update services to exercise due diligence to protect them. If macOS or update services fail to do as much as they can to protect users, then the users should stop using that product.
I thought it only appropriate to show the response of one of MacUpdate’s VPs to Thomas Reed’s report of this breach, on Twitter:
To be fair to Boettcher, in a tweet of 15:08 on 2 February, he reported that “We are in the process of checking that we have caught any and all fraudulent submissions. We have posted in the comments of each suspected app.”
Meanwhile the @MacUpdate Twitter account hasn’t even mentioned the breach, nor its release of malware. I’ll leave it to you to decide whether you think that is adequate response to such a serious incident.
Thanks to @macinteractive for passing on this staggering response to such a major security breach.