Insecure 3rd party software updaters

re: Insecure 3rd party software updaters

Marc — Wed, 30 Jul 2008 14:04:37 GMT

And you should blame Microsoft to not open auto-updates to other products than Microsoft ones.

Why isn't Winzip (I do not speak about competing products like OpenOffice) allowed to use a secure and robust update mechanism instead of using a home made one ?

Responsibility is not an answer; we are used to click on disclaimers when installing stuff, aren't we. One more disclaimer to accept an update from an "untrusted" (read non MS) source wouldn't be a problem.

re: Insecure 3rd party software updaters

Marc — Thu, 31 Jul 2008 12:36:36 GMT

And you should blame Microsoft to not open auto-updates to other products than Microsoft ones.

Why isn't Winzip (I do not speak about competing products like OpenOffice) allowed to use a secure and robust update mechanism instead of using a home made one ?

re: Insecure 3rd party software updaters

securology — Sat, 09 Aug 2008 16:46:04 GMT

Hmm. Robert may be correct, but digital signatures by themselves do not make a secure update mechanism, unless there is a time-bound sensitivity associated with the signatures (and it would have to be a very finite amount of time at that). Read more <a href="http://securology.blogspot.com/2008/08/package-managers.html">here</a>.