On 1 Sep 2011 19:40 WEST, john@freelock.com wrote:
> Automatic update of core + potential for malicious code getting uploaded to the source repos = very nice recipe for taking over a huge amount of the web!
> WordPress and Debian have both had bad stuff uploaded to their repositories. It could happen to Drupal too. For that reason alone I think auto-updating is a really bad idea -- it makes for a very nice target for an attacker!
Add kernel.org to that list also.
Here's how an attack might play out:
1. Attacker plants some keylogger on a core committer's machine, captures their credentials.
2. Attacker builds an exploit and uploads it to Core, immediately before the default update check time for sites set to UTC or some large time zone.
3. All sites configured for auto-update download the new exploit.
4. Exploit changes the update source to their own malicious repository.
5. Millions of exploited web sites are now at the attacker's disposal -- done right, huge numbers of site admins would never realize their sites were compromised.

This would not be difficult to do -- all you need to do is get the credentials for one person with appropriate access. And while it would certainly be discovered and caught, it could do some pretty widespread damage in a short amount of time, and leave a bunch of compromised sites out there available to do far more damage than your ordinary Windows botnet...
There's also the issue that when invoking a hook_update_N() some schema change might happen so that your site stops working correctly. What then? To roll back you need a DB dump. Also the update procedure could fail and you'll have a potentially dysfunctional site between the auto-update and you detecting the malfunction. --- appa
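An added example, not from this thread and not Drupal code, of the rollback point above: an update hook that alters a table and then fails part-way. It uses an in-memory SQLite database with constructed sample rows; update_7001_ok and update_7002_broken are hypothetical hooks named after the hook_update_N convention. With only a transaction rollback the ALTER TABLE survives, because Python's sqlite3 runs DDL outside the implicit transaction (MySQL behaves the same way: ALTER TABLE implicitly commits). Only replaying the dump taken before the update brings the schema back.

```python
"""Added example (not from the thread): dump the DB before a
hook_update_N-style hook, and restore the dump if the hook fails."""
import sqlite3


def make_site_db():
    """Constructed sample site database (not real Drupal data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO node VALUES (?, ?)",
                   [(1, "About"), (2, "Contact")])
    db.commit()
    return db


def dump_db(db):
    """Stand-in for a DB dump: SQL text that recreates the whole database."""
    return "\n".join(db.iterdump())


def restore_db(db, dump_sql):
    """Drop every user table and replay the dump."""
    db.rollback()  # end any transaction the failed hook left open
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        db.execute(f"DROP TABLE IF EXISTS {table}")
    db.executescript(dump_sql)


def update_7001_ok(db):
    """Hypothetical hook: a schema change that succeeds."""
    db.execute("ALTER TABLE node ADD COLUMN status INTEGER NOT NULL DEFAULT 1")


def update_7002_broken(db):
    """Hypothetical buggy hook: the ALTER is auto-committed, then the data
    step violates the primary key and raises IntegrityError."""
    db.execute("ALTER TABLE node ADD COLUMN changed INTEGER")
    db.execute("INSERT INTO node (nid, title) VALUES (1, 'duplicate')")


def run_update(db, hook, restore_from_dump=True):
    """Run one update hook. Returns True on success, False after a failure.
    With restore_from_dump=False only ROLLBACK is attempted, which leaves
    any already-committed schema change in place."""
    dump = dump_db(db)
    try:
        hook(db)
        db.commit()
        return True
    except sqlite3.Error:
        db.rollback()                 # undoes only the uncommitted DML
        if restore_from_dump:
            restore_db(db, dump)      # undoes the committed ALTER as well
        return False


def columns(db, table):
    """Column names of a table, used to inspect the schema after an update."""
    return [r[1] for r in db.execute(f"PRAGMA table_info({table})")]


def node_count(db):
    return db.execute("SELECT COUNT(*) FROM node").fetchone()[0]
```

Run update_7002_broken with restore_from_dump=False and the node table keeps the half-applied "changed" column while the insert is rolled back; run it with the default and the schema and rows are back to the pre-update dump.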