For many years, one of my routine daily web visits has been to a software update aggregation service, to check for new updates. My favourite has not been MacUpdate, thankfully, which in the last few days has once again been found to have been inadvertently distributing malware by proxy.

Since I first started visiting update aggregators, the threat landscape has changed considerably. Those who develop and distribute malware now target all online sources of software products, including update sites. They have hit Apple’s App Store with XcodeGhost, delivering malicious apps to millions of users in east Asia for around six months before its detection. They have hit a succession of individual providers, some repeatedly; the most recent victim was Eltima, for example, whose software delivery and update service must now be one of the most secure. They have also hit update aggregators: this is at least the third time that MacUpdate has generously helped its users to install malware, the last incident involving Eleanor.

There seems no escaping the fact that our sources of new software and updates will continue to be under attack, and that, from time to time, they will deliver us malicious software. So we need strategies to minimise the risk to our Macs.

One solution might be to return to physical media, at least for new purchases. With rapid delivery services from almost any part of the world, this is not such a bad alternative, but major intermediaries like Apple would lose a lot of revenue. Besides, no Macs now ship with optical drives, so finding a way to install cheap distribution media wouldn’t be easy for the great majority of Mac users.

Given that we are going to have to rely on online distribution, the burden of minimising risk is placed on distributors. And given that breaches will continue to occur, one of their most important tasks is responding to such breaches. In this respect, this week’s new malware, OSX.CreativeUpdate, is an excellent lesson in what not to do.

In the case of the three malicious updates known to have been offered by MacUpdate, none was actually hosted on MacUpdate’s servers. All the aggregator did was to provide bogus links, so that users who thought that they were being connected with the vendor’s download were actually hijacked to the malware delivery sites (which were being hosted on Adobe’s servers, hence the name of this malware).

For an aggregator providing off-site links to downloads, this is pretty well the oldest trick in the book. All the malware provider has to do is find somewhere plausible to host their downloads, and convince the aggregator to post the links.

It is salutary to look at what MacUpdate has done since being alerted to the fact that they posted bad links on their site. Over 24 hours later, the only mention of this major security breach on MacUpdate is in the comments to those three specific updates. For those who pay MacUpdate a subscription for the privilege of receiving free links to download malware, using its MacUpdate Desktop app, they don’t even get to see those comments. There have been no warnings on MacUpdate’s front page, or even on the product pages themselves, only in their comments.
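The failure described above is that the aggregator republished download links pointing at hosts that had nothing to do with the vendor. The simplest control an aggregator (or a cautious user) can apply before trusting such a link is to check that the link’s host actually belongs to the vendor’s own download domain. The following is an added example, not code from the original post or from MacUpdate; the vendor name, the domains and the sample links are all constructed placeholders. It also shows the classic mistake this check must avoid: a substring match would accept `examplevendor.invalid.cdn-host.invalid`, so the comparison is done on whole domain labels.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical): vendor name -> domains the vendor
# genuinely serves downloads from. ".invalid" is used so nothing here resolves.
VENDOR_DOWNLOAD_DOMAINS = {
    "ExampleVendor": {"examplevendor.invalid", "downloads.examplevendor.invalid"},
}


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a label-aligned subdomain of it.

    Deliberately not a substring test: 'examplevendor.invalid.cdn-host.invalid'
    must NOT count as being inside 'examplevendor.invalid'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_download_link(vendor: str, url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a download link attributed to vendor.

    Accepted only if the link is https, has a host, carries no userinfo
    (https://vendor.example@evil.example/ parses with host evil.example),
    and that host lies within one of the vendor's recorded download domains.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    host = parts.hostname or ""
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "userinfo present in URL; host is not what it appears to be"
    domains = VENDOR_DOWNLOAD_DOMAINS.get(vendor)
    if not domains:
        return False, f"no download domains on record for vendor {vendor!r}"
    if any(host_in_domain(host, d) for d in domains):
        return True, f"host {host} is within a domain recorded for {vendor}"
    return False, f"host {host} is off-site for {vendor}; do not republish"


def audit_listing(vendor: str, urls: list[str]) -> dict[str, bool]:
    """Run the check over every link an aggregator is about to publish."""
    return {url: check_download_link(vendor, url)[0] for url in urls}


if __name__ == "__main__":
    # Constructed sample links for the hypothetical vendor above.
    sample_links = [
        "https://downloads.examplevendor.invalid/app-1.2.dmg",          # vendor's own host
        "https://examplevendor.invalid.cdn-host.invalid/app-1.2.dmg",   # substring trick
        "http://downloads.examplevendor.invalid/app-1.2.dmg",           # plain http
        "https://examplevendor.invalid@files.other-host.invalid/app.dmg",  # userinfo trick
        "https://files.other-host.invalid/app-1.2.dmg",                 # unrelated host
    ]
    for link in sample_links:
        ok, why = check_download_link("ExampleVendor", link)
        print(("ACCEPT " if ok else "REJECT ") + link + "  (" + why + ")")
```

In the run above only the first link is accepted; the other four are exactly the shapes of link that an aggregator relaying third-party downloads needs to refuse or at least flag for review before they reach subscribers.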