John Locke
Automatic update of core + potential for malicious code getting uploaded
to the source repos = very nice recipe for taking over a huge amount of
the web!

WordPress and Debian have both had bad stuff uploaded to their
repositories. It could happen to Drupal too. For that reason alone I
think auto-updating is a really bad idea -- it makes for a very nice
target for an attacker!

Here's how an attack might play out:

1. Attacker plants some keylogger on a core committer's machine,
captures their credentials.
2. Attacker builds an exploit and uploads it to Core, immediately before
the default update check time for sites set to UTC or some large time zone.
3. All sites configured for auto-update download the new exploit.
4. Exploit changes the update source to their own malicious repository.
5. Millions of exploited web sites are now at the attacker's disposal --
done right, huge numbers of site admins would never realize their sites
were compromised.

This would not be difficult to do -- all you need to do is get the
credentials for one person with appropriate access. And while it would
certainly be discovered and caught, it could do some pretty widespread
damage in a short amount of time, and leave a bunch of compromised sites
out there available to do far more damage than your ordinary Windows

Ugh. No thanks.

John Locke

On 09/01/2011 11:03 AM, Gaelan Bright Steele wrote:
> I see. I got the idea from WordPress, which knows how to automatically update itself.
> On Sep 1, 2011, at 10:46 AM, Todd wrote:
>> If you have drush, you can run `drush pm-update` to automatically update core and contrib.
>> I'm not sure if I'd build in automatic updating of core in Drupal, though, since it's a bit more complex than updating a module and many more things can go wrong.
>> Todd
>> On 1 Sep 2011, at 13:36, Gaelan Bright Steele wrote:
>>> Hi Everybody
>>> Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here.
>>> Gaelan
> Sincerely, Gaelan
John Locke
Manager, Freelock Computing
The Open Source for Business Solutions
