UPDATED 12:15 EDT / NOVEMBER 30 2011

Did Apple iTunes Help Spy on Users?

Three years. More than 1200 days. That is how long passed between the time Apple was warned of a critical vulnerability in iTunes' update mechanism and the time the company actually patched it last month. It is the latest in a rising trend of false software updates providing a vector for intrusion and targeted attack. The Wall Street Journal recently profiled a database it calls the “Surveillance Catalog”:

“The documents show dozens of companies making and selling everything from ‘massive intercept’ gear that can gather all Internet communications in a country to ‘hacking’ tools that allow governments to break into people’s computers.”

One of the most fascinating entries was a family of tools branded FinFisher. These tools purportedly falsify application updates for a variety of widely used applications such as Flash, iTunes and others that routinely check for updates. Once the user installs the false update, the tool begins spying on that user.

[Image credit: Wall Street Journal]

In the case of iTunes, Brian Krebs warned of this vulnerability over three years ago:

“To bring this full circle, if you go online using an Internet service provider that remains vulnerable to Kaminsky’s exploit, an attacker could easily gain access to all customers of that ISP and issue them fake update notices.”

So the natural question here is why it has taken Apple this long to respond to this vulnerability. FinFisher was reportedly marketed to government agencies around the world, a fact reinforced by brochure material published in Arabic.

Krebs describes a familiar and yet disturbing scenario:

“Why is this a big deal? Imagine that you’re at an airport lounge, waiting to board your flight, and you pop open your laptop to see if you can hop on an open wireless network. Bear in mind that there are plenty of tools available that let miscreants create fake wireless access points for the purposes of routing your connection through their computer. You connect to that fake network, thinking you can check your favorite team’s sports scores. A few seconds later, some application on your system says there’s a software update available. You approve the update.
You’re hosed.
Or maybe you don’t approve the update. But that may not matter, because in some cases, auto-update features embedded in certain software titles will go ahead and download the update at that point, and keep nagging you until you agree to install it at a later date.”

Intentional or not, Apple’s lack of a timely response to a known and publicized vulnerability has clearly assisted the propagation of tools designed, and even marketed, with the intent of spying on users. Was Apple complicit in this? Or merely guilty of a slow (VERY slow) reaction? It is all very odd, to say the least. And it is just one of a broad range of scenarios in which software updates become an intrusion vector for malware.

Just yesterday, SiliconANGLE covered the HP printers set-on-fire story. Setting aside the catching-fire aspect (a point officially disputed by HP), the technical takeaway is the vulnerability exploited to get to that point: a firmware update path that did not verify what it was given. Applications like Firefox, Google Chrome and other widely used application ecosystems may become targets as well, since many of them have adopted auto-update features.

It therefore comes back to the infrastructure on which people choose to do their computing. On an untrusted network, anything can happen. Updating software and applications is critical, required and in line with best practice for secure computing. But update activity should take place from a secure and trusted network in every case, and even then a trusted network is only a mitigation. The durable fix is for the updater itself to authenticate what it fetches: checking update notices and the packages they point to against a vendor signature, or at minimum retrieving them over a properly validated TLS connection, rather than trusting whatever the network returns. That gap is precisely what a rogue access point or a poisoned DNS response exploits.
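The airport-lounge scenario Krebs describes above, and the reason a trusted network alone is not enough, as an added example that is not part of this article and is not any vendor's updater code: a Go model of an update check. One client believes whatever manifest the network returns; the other accepts only a manifest signed by the vendor's pinned Ed25519 release key, refuses downgrades, and checks the downloaded package against the digest the signed manifest carries. The manifest format, product name, URLs, keys (derived from fixed seeds) and installer bytes are all constructed for the demo, and Ed25519 is this example's choice, not a statement about what iTunes actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed stand-in for an update feed's notice format.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // build number, only ever increases
	URL     string `json:"url"`     // where the installer package lives
	SHA256  string `json:"sha256"`  // hex digest of that package
}

// SignedManifest: manifest bytes plus an Ed25519 signature by the vendor's
// release key, whose public half is pinned in the client.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// checkUpdateInsecure models the pre-patch behaviour: whatever comes back over
// plain HTTP is believed, so a rogue AP or poisoned DNS answer controls it.
func checkUpdateInsecure(response []byte, installed int) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(response, &m); err != nil || m.Version <= installed {
		return nil, err // parse failure, or nothing newer
	}
	return &m, nil // "update available": the client would fetch m.URL
}

// checkUpdateSigned accepts a manifest only if it verifies under the pinned
// vendor key, and refuses downgrades so a captured old notice cannot be replayed.
func checkUpdateSigned(vendorKey ed25519.PublicKey, sm SignedManifest, installed int) (*Manifest, error) {
	if !ed25519.Verify(vendorKey, sm.Manifest, sm.Signature) {
		return nil, fmt.Errorf("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil || m.Version <= installed {
		return nil, err // parse failure, nothing newer, or a replayed downgrade
	}
	return &m, nil
}

// verifyPackage ties the downloaded file to the authenticated manifest; a
// genuine notice is worthless if the package itself can still be swapped.
func verifyPackage(m *Manifest, pkg []byte) bool {
	return fmt.Sprintf("%x", sha256.Sum256(pkg)) == m.SHA256
}

// sign is the feed publisher's side (the vendor's, or the attacker's).
func sign(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	b, _ := json.Marshal(m)
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}
}

// keyFromSeed derives a deterministic demo key pair; real release keys come
// from a CSPRNG and live offline or in an HSM.
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// scenario plays out the airport-lounge case with constructed inputs: both
// clients get an attacker's forged notice, then the signing client gets the
// genuine release.
func scenario() (insecureTookBait, signedTookBait, genuineAccepted bool) {
	vendorPub, vendorPriv := keyFromSeed("vendor release key (constructed)")
	_, attackerPriv := keyFromSeed("attacker key (constructed)")
	installed := 105
	genuinePkg := []byte("genuine installer bytes (constructed)")
	genuine := Manifest{Product: "player", Version: 106,
		URL: "https://updates.example/player-106.pkg", SHA256: fmt.Sprintf("%x", sha256.Sum256(genuinePkg))}
	forged := Manifest{Product: "player", Version: 999, URL: "http://10.0.0.1/update.pkg", SHA256: "deadbeef"}
	forgedBytes, _ := json.Marshal(forged)
	if m, err := checkUpdateInsecure(forgedBytes, installed); err == nil && m != nil {
		insecureTookBait = true // would download from the attacker's URL
	}
	if m, err := checkUpdateSigned(vendorPub, sign(attackerPriv, forged), installed); err == nil && m != nil {
		signedTookBait = true // not reached: the attacker lacks the vendor key
	}
	if m, err := checkUpdateSigned(vendorPub, sign(vendorPriv, genuine), installed); err == nil && m != nil {
		genuineAccepted = verifyPackage(m, genuinePkg)
	}
	return
}

func main() {
	insecure, signed, genuine := scenario()
	fmt.Printf("insecure took forged: %v, signing took forged: %v, signing accepted genuine: %v\n", insecure, signed, genuine)
}
```

The forged notice carries a higher version number and an attacker-hosted URL, which is exactly what a rogue access point would serve: the insecure client reports an update, the signing client refuses it because the attacker cannot produce a signature under the vendor key, and the genuine release still installs. Note what the signature check does not cover: it says nothing about whether the vendor's own release process was compromised, so the pinned key has to be protected and rotatable, and the version check only blocks downgrades if the client stores the installed build number somewhere the attacker cannot reset.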

