Researchers have discovered a supply chain risk in a popular installer authoring tool, which they've described as potentially leading to cyberattacks "comparable in scope to supply chain incidents like SolarWinds." Its developers, however, say it's working as intended.
The tool, Advanced Installer, is used for building application installers. After developing their software, vendors turn to it to bundle all the many files, dependencies, drivers, configurations, and so on that allow their software to install smoothly on customers' systems.
According to its website, Advanced Installer is used by developers and system administrators in more than 60 countries "to package or repackage everything from small shareware products, internal applications, and device drivers, to massive mission-critical systems." It counts a variety of brand-name, international software vendors among its customers, like Microsoft, Apple, Dell, Motorola, Sony, McAfee, Adobe, and more.
In a new report, cybersecurity provider Cyderes revealed what it has deemed a "bring your own update" (BYOU) risk in Advanced Installer. Simply put, attackers can manipulate it to infect vendors' software updates, then sit back and watch as the malware spreads to all of the downstream customers.
"It’s not a five-alarm crisis yet, as we are not aware of an active campaign targeting this weakness," says Brian Hussey, senior vice president of Cyderes' Howler Cell. But he emphasizes that "vendors should act now to review their update signing practices before this threat assessment increases."
No Digital Signature Requirement for Advanced Installer
One of Advanced Installer's popular features is its update tool, which empowers software programs to automatically check for and install updates as they become available.
As part of the process, to find and retrieve remotely hosted update configuration files, the update tool accepts a -url parameter. But who's to say that the URL must host a legitimate update config?
Imagine that hackers pull off the very commonplace feat of breaching a software developer who, in this case, uses Advanced Installer. The hackers can then craft a file that looks like a software update but secretly points to a URL hosting their malware. To propagate that malware to all of the developer's customers, all they would have to do is run a single command on the compromised system that tells the update tool to check for and retrieve the malicious file from their server.
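A defender-side check in the spirit of Hussey's advice above, added here as an example that is not from the article, Cyderes, or Advanced Installer: it scans constructed process-creation events for update-tool runs whose -url value points anywhere other than the vendor's own update host over HTTPS. The updater executable name "updater.exe", the allowlist, the log shape and the exact "-url <value>" spelling are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample events (not from the article): the command line of the
# update tool as a vendor's endpoint agent might record it. "updater.exe" is an
# assumed executable name.
SAMPLE_EVENTS = [
    {"host": "build01", "cmdline": r'C:\Vendor\updater.exe /checknow -url https://updates.example-vendor.com/updates.txt'},
    {"host": "build01", "cmdline": r'C:\Vendor\updater.exe /checknow -url "https://cdn.example-vendor.com/v2/updates config.txt"'},
    {"host": "dev07",   "cmdline": r'C:\Vendor\updater.exe /checknow -url http://updates.example-vendor.com/updates.txt'},
    {"host": "dev07",   "cmdline": r'C:\Vendor\updater.exe /checknow -url https://updates.example-vendor.com@203.0.113.9/updates.txt'},
    {"host": "dev09",   "cmdline": r'C:\Vendor\updater.exe /checknow -url https://example-vendor.com.attacker.invalid/updates.txt'},
    {"host": "dev09",   "cmdline": r'C:\Vendor\updater.exe /checknow'},
]

ALLOWED_UPDATE_HOSTS = {"example-vendor.com"}  # assumed: the vendor's own update domain(s)

# Matches a quoted or bare value after -url (case-insensitive).
URL_ARG = re.compile(r'-url\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def extract_update_url(cmdline):
    """Return the value passed to -url, or None if the updater ran without it."""
    m = URL_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def check_update_url(url, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    """Return None if the URL is acceptable, otherwise a short reason it is suspicious."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return f"non-HTTPS scheme {parts.scheme!r}"
    if parts.username is not None:
        # "https://good.example@203.0.113.9/" connects to 203.0.113.9; the good name is only userinfo.
        return "userinfo in URL hides the real host"
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return "no host"
    for allowed in allowed_hosts:
        if host == allowed or host.endswith("." + allowed):  # anchored suffix match
            return None
    return f"host {host!r} not in allowlist"

def find_suspicious_updates(events, allowed_hosts=ALLOWED_UPDATE_HOSTS):
    """Return (host, url, reason) for every updater run pointed at an untrusted config."""
    findings = []
    for ev in events:
        url = extract_update_url(ev["cmdline"])
        if url is not None:
            reason = check_update_url(url, allowed_hosts)
            if reason:
                findings.append((ev["host"], url, reason))
    return findings

if __name__ == "__main__":
    for host, url, reason in find_suspicious_updates(SAMPLE_EVENTS):
        print(f"{host}: {url} -> {reason}")
```

Run against the constructed events it reports the plain-HTTP run, the userinfo-disguised host and the look-alike domain, and stays silent on the two runs that really use the vendor's domain.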