[development] Automatic Updates/Upgrades

António P. P. Almeida appa at perusio.net
Thu Sep 1 19:03:10 UTC 2011


On 1 Sep 2011 19h40 WEST, john at freelock.com wrote:

> Automatic update of core + potential for malicious code getting
> uploaded to the source repos = very nice recipe for taking over a
> huge amount of the web!
>
> WordPress and Debian have both had bad stuff uploaded to their
> repositories. It could happen to Drupal too. For that reason alone I
> think auto-updating is a really bad idea -- it makes for a very nice
> target for an attacker!

Add kernel.org to that list also.

> Here's how an attack might play out:
>
> 1. Attacker plants some keylogger on a core committer's machine,
> captures their credentials.
> 2. Attacker builds an exploit and uploads it to Core, immediately before
> the default update check time for sites set to UTC or some large time zone.
> 3. All sites configured for auto-update download the new exploit.
> 4. Exploit changes the update source to their own malicious repository.
> 5. Millions of exploited web sites are now at the attacker's disposal --
> done right, huge numbers of site admins would never realize their sites
> were compromised.
>
> This would not be difficult to do -- all you need to do is get the
> credentials for one person with appropriate access. And while it
> would certainly be discovered and caught, it could do some pretty
> widespread damage in a short amount of time, and leave a bunch of
> compromised sites out there available to do far more damage than
> your ordinary Windows bot-net...

There's also the issue that when invoking a hook_update_N() some
schema change might happen so that your site stops working
correctly. What then? To roll back you need a DB dump. Also the update
procedure could fail and you'll have a potentially dysfunctional site
between the auto-update and you detecting the malfunction.

--- appa
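The rollback concern raised above (a hook_update_N that changes the schema and then fails, with a DB dump as the only way back) is illustrated by the following added example. It is not Drupal's code: an in-memory dict stands in for the database, the two update hooks are hypothetical, and deepcopy/restore plays the role of dump/restore, so it runs offline.

```python
import copy
from typing import Callable, Dict

# Constructed stand-in for a site's database: a schema plus the stored
# update version, mirroring how Drupal records which hook_update_N ran.
def fresh_site() -> Dict:
    return {"schema_version": 7000, "tables": {"node": ["nid", "title"]}}

def update_7001(db: Dict) -> None:
    """Hypothetical hook_update_N: adds a column (a schema change)."""
    db["tables"]["node"].append("sticky")

def update_7002(db: Dict) -> None:
    """Hypothetical hook_update_N that fails midway, leaving a half-applied change."""
    db["tables"]["node"].remove("title")              # destructive step happens...
    raise RuntimeError("migration of titles failed")   # ...then the update aborts

def healthy(db: Dict) -> bool:
    """Post-update check: the columns the site's code depends on must exist."""
    return {"nid", "title"} <= set(db["tables"]["node"])

def run_updates(db: Dict, hooks: Dict[int, Callable[[Dict], None]]) -> Dict:
    """Apply pending hook_update_N in numeric order, but only after taking a
    snapshot (the 'DB dump' of the thread). If any hook raises, or the site
    fails its health check afterwards, restore the snapshot so no
    dysfunctional site is left running until an admin notices."""
    snapshot = copy.deepcopy(db)   # stands in for mysqldump before the update
    try:
        for n in sorted(k for k in hooks if k > db["schema_version"]):
            hooks[n](db)
            db["schema_version"] = n
        if not healthy(db):
            raise RuntimeError("post-update health check failed")
    except Exception as exc:       # any failure rolls the site back
        db.clear()
        db.update(snapshot)        # stands in for restoring the dump
        db["rolled_back"] = str(exc)
    return db
```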
