On 1 Sep 2011 19h40 WEST, [email protected] wrote:

> Automatic update of core + potential for malicious code getting
> uploaded to the source repos = very nice recipe for taking over a
> huge amount of the web!
>
> WordPress and Debian have both had bad stuff uploaded to their
> repositories. It could happen to Drupal too. For that reason alone I
> think auto-updating is a really bad idea -- it makes for a very nice
> target for an attacker!

Add kernel.org to that list also.

> Here's how an attack might play out:
>
> 1. Attacker plants some keylogger on a core committer's machine,
>    captures their credentials.
> 2. Attacker builds an exploit and uploads it to Core, immediately
>    before the default update check time for sites set to UTC or some
>    large time zone.
> 3. All sites configured for auto-update download the new exploit.
> 4. Exploit changes the update source to their own malicious repository.
> 5. Millions of exploited web sites are now at the attacker's disposal --
>    done right, huge numbers of site admins would never realize their
>    sites were compromised.
>
> This would not be difficult to do -- all you need to do is get the
> credentials for one person with appropriate access. And while it
> would certainly be discovered and caught, it could do some pretty
> widespread damage in a short amount of time, and leave a bunch of
> compromised sites out there available to do far more damage than
> your ordinary Windows bot-net...

There's also the issue that when invoking a hook_update_N() some schema
change might happen so that your site stops working correctly. What then?
To roll back you need a DB dump. Also the update procedure could fail
and you'll have a potentially dysfunctional site between the auto-update
and you detecting the malfunction.

--- appa
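As an added illustration (not part of the thread and not Drupal's own update code), the checks below sketch a site-side gate that refuses an automatic update when the release redirects the update source, fails its published digest, is younger than a hold period, or arrives with no DB dump to roll back a hook_update_N() schema change. The pinned URL, the 48-hour hold period and the sample releases are constructed values.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed site-side policy values; not Drupal's real update configuration.
PINNED_UPDATE_SOURCE = "https://updates.example.invalid/release-history"
MIN_RELEASE_AGE = timedelta(hours=48)  # hold period before an auto-install


@dataclass
class UpdateCandidate:
    version: str
    source_url: str         # update source the new release would point the site at
    published_at: datetime  # when the release appeared upstream (UTC)
    tarball: bytes          # package contents (constructed in the demo below)
    expected_sha256: str    # digest published out of band with the release


def evaluate_update(cand: UpdateCandidate, now: datetime, db_dump_exists: bool):
    """Return (allowed, reasons); the update proceeds only when reasons is empty."""
    reasons = []
    # A release that redirects future updates elsewhere is refused outright.
    if cand.source_url != PINNED_UPDATE_SOURCE:
        reasons.append("update source differs from pinned source")
    # The downloaded package must match the digest published for the release.
    if hashlib.sha256(cand.tarball).hexdigest() != cand.expected_sha256:
        reasons.append("package digest mismatch")
    # A hold period blunts a release timed to land just before the update check,
    # giving maintainers a window to pull a bad upload first.
    if now - cand.published_at < MIN_RELEASE_AGE:
        reasons.append("release younger than hold period")
    # hook_update_N() may change the schema; without a DB dump there is no rollback.
    if not db_dump_exists:
        reasons.append("no database dump available for rollback")
    return (not reasons, reasons)


def demo():
    """Constructed examples: one release that passes the gate and one that fails."""
    now = datetime(2011, 9, 3, 20, 0, tzinfo=timezone.utc)
    pkg = b"constructed release tarball bytes"
    good = UpdateCandidate("7.8", PINNED_UPDATE_SOURCE, now - timedelta(days=3),
                           pkg, hashlib.sha256(pkg).hexdigest())
    bad = UpdateCandidate("7.9", "https://mirror.example.invalid/updates",
                          now - timedelta(hours=1), pkg, hashlib.sha256(pkg).hexdigest())
    return evaluate_update(good, now, True), evaluate_update(bad, now, False)


if __name__ == "__main__":
    for allowed, reasons in demo():
        print("allowed" if allowed else "refused: " + "; ".join(reasons))
```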
