Webinar: Securing Your Auto-Updates | Microsoft & Advanced Installer

Webinar: Securing Your Auto-Updates | Microsoft & Advanced Installer

Introduction to Auto Updates and Their Importance

Overview of the Webinar

  • The webinar was delayed from February due to scheduling conflicts and software releases.
  • Focus on auto updates, emphasizing their significance for user engagement and security improvements.
  • Highlighted the potential revenue impact for software vendors if users are not kept informed about new features.

Understanding Auto Updaters

  • Discussion on what an auto updater is, particularly for those unfamiliar with configuring one.
  • Explanation of how the updater functions as a client-server communication tool that checks for updates.

Configuration Options and Complexity

Update Channels and User Base

  • Users can choose between automatic installations or manual prompts; multiple update channels can be configured.
  • Advanced Installer provides resources for sophisticated configurations, including beta channels and multi-language support.

Supply Chain Security Concerns

Potential Vulnerabilities in Code Management

  • Emphasis on supply chain exposure starting from code management tools like Git, highlighting risks associated with external contributors.
  • Advanced Installer's commitment to internal security measures, ensuring code does not leave company premises.

Hosting Provider Risks

  • Discussed vulnerabilities related to hosting providers where updaters communicate with servers.
  • Mention of integration with GitHub for public applications but caution against relying solely on public repositories.

New Cloud Service Features

Upcoming Services from Advanced Installer

  • Announcement of a new cloud service allowing users to publish updates directly without managing private servers.
  • Preview version expected by the end of the month; emphasis on maintaining security standards during this transition.

Security Measures Against Attacks

Best Practices for Server Management

  • Recommendations include limiting access to hosting machines and rotating keys regularly as standard security practices.

Notepad++ Case Study

  • Overview of the Notepad++ attack where attackers gained server access rather than exploiting source code directly.

Enhancing Update Mechanisms

Digital Signature Practices

  • Importance of digitally signing packages; introduction of automated checks within Advanced Installer’s updater client.

Future Improvements in Signing Processes

  • Plans to enforce matching certificates between updaters and published packages to prevent unauthorized updates.

Additional Security Features

Configuration File Signing

  • Introduction of options to sign configuration files alongside EXE files, enhancing protection against server takeovers.

Conclusion on Security Measures

  • Acknowledgment that while no system is completely secure, implementing these measures significantly increases safety against attacks.

Transitioning to Annie's Segment

Focus on Code Signing Challenges

  • Annie discusses issues surrounding traditional code signing methods that may lead to trust failures over time.

Durable Subscriber EKU Concept

  • Introduction of durable subscriber EKUs which maintain trust across certificate changes, reducing operational overhead.

Recommended Approaches

Establishing Long-Term Trust

  • Combining managed signing experiences with durable identity signals aims at simplifying secure update verifications while minimizing risks associated with malicious injections.

Artifact Signing: Insights and Processes

Transition to Artifact Signing

  • The transition to artifact signing was smooth, with no issues reported during the first release, alleviating initial concerns about potential problems.

Understanding Code Signing Certificates

  • The code signing certificates used are neither Extended Validation (EV) nor Organization Validation (OV); they follow a different model that emphasizes short-lived certificates for enhanced security.
  • These short-lived certificates allow for finer control over security measures, including durability through Enhanced Key Usage (EKU) and timestamping.

Driver Signing Capabilities

  • Currently, driver signing is not supported but is recognized as a significant need by customers and developers; future developments are anticipated in this area.

Certificate Revocation Process

  • The short lifespan of certificates allows for quick revocation if a computer is compromised, minimizing the impact on other users by preventing widespread unsigned packages.

Handling Malicious Artifacts

  • A robust threat intelligence system monitors certificate usage to prevent malicious artifacts from being signed. If an issue arises, immediate action will be taken to protect customers.

Revocation Procedures Explained

  • An extensive validation process ensures that certificate revocations are handled carefully. Account owners can report suspected breaches directly to Microsoft for investigation.
  • Customers have the ability to revoke their own certificates instantly through their account interface without needing prior communication with Microsoft, allowing for immediate response actions.
Video description

In this live webinar, we analyze the Notepad++ supply chain incident and discuss practical strategies to secure your auto-update mechanisms. 🔒 Join *Bogdan Mitrache (VP of Product at Advanced Installer)* and *Annie Yan (Product Manager at Microsoft)* as they explain how developers can protect their applications and users from compromised update channels. ✅ *Webinar Chapters* 𝄂 00:00 - Introduction 𝄂 02:50 - How an auto-updater works? 𝄂 04:43 - Your supply chain 𝄂 09:42 - How was Notepad++ attacked? 𝄂 12:57 - Security Improvements 𝄂 16:05 - New Security Improvements 𝄂 19:59 - Pinning Trust: Durable EKU 𝄂 22:58 - Introducing Artifact Signing 𝄂 27:50 - Q&A Session ▬▬▬▬▬▬ PacKit - New Tool Highlight 🚀 ▬▬▬▬▬▬ Discover PacKit, the essential free tool for all packagers. Efficiently manage, update, and upload your packages. Troubleshoot and deploy directly to Intune or SCCM. Check out PacKit now: https://www.advancedinstaller.com/packit.html ▬▬▬▬▬▬ Ebooks & Resources 📚 ▬▬▬▬▬▬ Check out our "MSIX Packaging Fundamentals" eBook, written by our today's webinar hosts, Tim Mangan and Bogdan Mitrache: https://www.advancedinstaller.com/hub/msix-packaging.html MSI Packaging Free Ebook: https://www.advancedinstaller.com/hub/msi-packaging.html ▬▬▬▬▬▬ MSI Packaging Training & Certification📚 ▬▬▬▬▬▬ New from Advanced Installer: MSI Packaging Training and Certification - the first free training and certification program in application packaging industry. Get trained and certified for free: https://www.advancedinstaller.com/hub/msi-packaging-academy.html Developed by our subject matter expert, Alex Marin, a professional with over 10 years of experience in application packaging and training of application packaging teams, this program focuses on the practical side of the MSI application packaging. The program resources you get are: ‣ 196 pages of must know theoretical concepts ‣ 27 practical demos most commonly encountered in practice ‣ Free professional certification based on passing a 51-question exam. ▬▬▬▬▬▬ Follow us on✨ ▬▬▬▬▬▬ ✔ T W I T T E R ‣ https://twitter.com/advinst ✔ F A C E B O O K ‣ https://www.facebook.com/AdvancedInstaller ✔ L I N K E D I N ‣ https://ro.linkedin.com/company/advancedinstaller ✨Advanced Installer is an all-in-one Application Packaging Tool for Software Developers and IT Professionals. Designed for building MSI, MSIX AppX, and App-V packages, deploying applications updates, repackaging, and MSI/MST editing. ▬▬▬▬▬▬ For more information 🚀 ▬▬▬▬▬▬ ‣ Learn more: https://www.advancedinstaller.com ‣ Try it out: https://www.advancedinstaller.com/download.html ‣ User Guide: https://www.advancedinstaller.com/user-guide/introduction.html ‣ Contact us: https://www.advancedinstaller.com/contact.html ✨We hope you enjoyed this video! Thank you for watching! #webinar #microsoft #security #auto #updates #notepad #attack #advancedinstaller