Webinar: Securing Your Auto-Updates | Microsoft & Advanced Installer
Introduction to Auto Updates and Their Importance
Overview of the Webinar
- The webinar was delayed from February due to scheduling conflicts and software releases.
- Focus on auto updates, emphasizing their significance for user engagement and security improvements.
- Highlighted the potential revenue impact for software vendors if users are not kept informed about new features.
Understanding Auto Updaters
- Discussion on what an auto updater is, particularly for those unfamiliar with configuring one.
- Explanation of how the updater functions as a client-server communication tool that checks for updates.
Configuration Options and Complexity
Update Channels and User Base
- Users can choose between automatic installations or manual prompts; multiple update channels can be configured.
- Advanced Installer provides resources for sophisticated configurations, including beta channels and multi-language support.
Supply Chain Security Concerns
Potential Vulnerabilities in Code Management
- Emphasis on supply chain exposure starting from code management tools like Git, highlighting risks associated with external contributors.
- Advanced Installer's commitment to internal security measures, ensuring code does not leave company premises.
Hosting Provider Risks
- Discussed vulnerabilities related to hosting providers where updaters communicate with servers.
- Mention of integration with GitHub for public applications but caution against relying solely on public repositories.
New Cloud Service Features
Upcoming Services from Advanced Installer
- Announcement of a new cloud service allowing users to publish updates directly without managing private servers.
- Preview version expected by the end of the month; emphasis on maintaining security standards during this transition.
Security Measures Against Attacks
Best Practices for Server Management
- Recommendations include limiting access to hosting machines and rotating keys regularly as standard security practices.
Notepad++ Case Study
- Overview of the Notepad++ attack where attackers gained server access rather than exploiting source code directly.
Enhancing Update Mechanisms
Digital Signature Practices
- Importance of digitally signing packages; introduction of automated checks within Advanced Installer’s updater client.
Future Improvements in Signing Processes
- Plans to enforce matching certificates between updaters and published packages to prevent unauthorized updates.
Additional Security Features
Configuration File Signing
- Introduction of options to sign configuration files alongside EXE files, enhancing protection against server takeovers.
Conclusion on Security Measures
- Acknowledgment that while no system is completely secure, implementing these measures significantly increases safety against attacks.
Transitioning to Annie's Segment
Focus on Code Signing Challenges
- Annie discusses issues surrounding traditional code signing methods that may lead to trust failures over time.
Durable Subscriber EKU Concept
- Introduction of durable subscriber EKUs which maintain trust across certificate changes, reducing operational overhead.
Recommended Approaches
Establishing Long-Term Trust
- Combining managed signing experiences with durable identity signals aims at simplifying secure update verifications while minimizing risks associated with malicious injections.
Artifact Signing: Insights and Processes
Transition to Artifact Signing
- The transition to artifact signing was smooth, with no issues reported during the first release, alleviating initial concerns about potential problems.
Understanding Code Signing Certificates
- The code signing certificates used are neither Extended Validation (EV) nor Organization Validation (OV); they follow a different model that emphasizes short-lived certificates for enhanced security.
- These short-lived certificates allow for finer control over security measures, including durability through Enhanced Key Usage (EKU) and timestamping.
Driver Signing Capabilities
- Currently, driver signing is not supported but is recognized as a significant need by customers and developers; future developments are anticipated in this area.
Certificate Revocation Process
- The short lifespan of certificates allows for quick revocation if a computer is compromised, minimizing the impact on other users by preventing widespread unsigned packages.
Handling Malicious Artifacts
- A robust threat intelligence system monitors certificate usage to prevent malicious artifacts from being signed. If an issue arises, immediate action will be taken to protect customers.
Revocation Procedures Explained
- An extensive validation process ensures that certificate revocations are handled carefully. Account owners can report suspected breaches directly to Microsoft for investigation.
- Customers have the ability to revoke their own certificates instantly through their account interface without needing prior communication with Microsoft, allowing for immediate response actions.