1. 13
    1. 10

      Google does the same for Chrome last time I used that.

      1. 3

        As well as Visual Studio Code, Vivaldi, etc, etc. This is not exactly a big deal, in fact I vastly prefer it to applications that want you to download a shell script and run it as root (“trust us!”), or even worse, the hostile curlpipe pattern.

        1. 2

          Fully agree. This pattern is very common. I’m very surprised someone makes a security advisory with Level: Critical for this.

    2. 8

      I’d honestly much rather have software update itself using the official OS level updating process rather than using some home-grown mechanism. Point is: once something runs on your machine it has the ability to alter your machine as it sees fit.

      Sure. Some changes require elevated privileges, but whether it’s Skype asking for sudo to install the update it has downloaded and then abusing its privilege to alter your system in undesired ways or whether it’s Skype’s repository containing undesired packages makes no difference.

      To the contrary: apt can be configured to ask before installing anything and normally even does so by default.

      The only change that could possibly placate the author would be to remove all auto updating capability, but that would be much worse for everybody if there ever was a remotely exploitable vulnerability in Skype because then the attack vector shifts from „Microsoft can compromise your machine“ to „everybody can compromise your machine“ and for many users there is no obvious way or even the understanding to do something about this.

    3. 4

      Well… of course? Am I missing something here?

      1. 1

        It’s proprietary software distributed by Microsoft.

    4. 4

      Skype is completely proprietary software. Even without this happening to your apt configurations, it is most likely harmful.

      Although this is an unfortunate pattern, it’s pretty common for Debian packages and more of a Debian community problem than an issue with any particular package. This is also probably one of the least likely ways that someone would exploit Skype to access your system.

      If this is a concern, I’d consider not using Debian.

      1. 1

        it’s pretty common for Debian packages

        Not really. On the contrary, various packages are provided with sandboxing mechanisms (e.g. systemd units) to protect the rest of the system, while other distributions do that less often.

    5. 3

      This seems a bit far-fetched, and would be applicable to almost any third party repo. A real life example of this short attack would have been more interesting.

      1. 2

        I think the main point here is that Skype adds a /etc/apt/sources.list.d/skype-stable.list file without explicitly saying this (although I might be wrong and I might have clicked a “get updates” button).

        On the other hand, anyone can browse the repo and see what packages are available at any time so the conclusion that Microsoft “can easily inject malicious packages via regular update and replace distro packages w/ their own manipulated ones” does seem a bit far-fetched.

        1. 4

          On the other hand, anyone can browse the repo and see what packages are available at any time so the conclusion that Microsoft “can easily inject malicious packages via regular update and replace distro packages w/ their own manipulated ones” does seem a bit far-fetched.

          It’s not far-fetched, it’s a fact they can do it. And they could easily avoid getting caught by adding additional date/time, IP address and user-agent header filters to ensure only the target will get the updates via apt-get, for example via automated updates. Anyone else browsing the repo, or the target browsing the repo at another time or using a web browser would not see the replacement packages. To be sure, this requires malicious intent, which one might argue is “far fetched”, but the NSA has been known to pull such shenanigans as a matter of course.

          Updates would show up in the apt logs, of course, but once installed, a malicious application could scrub local logs easily, as the post-install scripts run as root. This would be pretty hard to detect, let alone prove.

        2. 3

          Any package can add to /etc/apt/sources.list.d, though.

          It would be nice if they said they were doing it, but it is possible to check before installing with “apt-file list ”.
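          One way to perform that pre-install check in practice, as an added example that is not code from the thread: a POSIX sh function that scans a package’s file listing (from `dpkg-deb -c` on a downloaded .deb, or from `apt-file list`) for apt repository definitions, signing keys and apt configuration the package would drop into the system. The `skype-stable.list` path is the one named in the thread; every other sample path is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Reads a package file listing on
# stdin and flags paths that would change apt's trust or sources:
#   - repo definitions under /etc/apt/sources.list.d (or sources.list)
#   - signing keys under /etc/apt/trusted.gpg.d or /usr/share/keyrings
#   - apt behaviour changes under /etc/apt/apt.conf.d
# Accepts two listing formats:
#   tar style from `dpkg-deb -c pkg.deb` (path is the last column, "./..."),
#   and `apt-file list pkg` ("pkg: /path").
# Prints each flagged path; returns 0 if nothing was flagged, 1 otherwise.
audit_paths() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *": /"*) path=${line#*: } ;;                 # apt-file form
            *) line=${line%% -> *}                        # drop symlink target
               path=${line##* }; path=${path#.} ;;        # tar form, strip "."
        esac
        case "$path" in
            /etc/apt/sources.list.d/*|/etc/apt/sources.list)
                printf 'repo definition: %s\n' "$path"; found=1 ;;
            /etc/apt/trusted.gpg.d/*|/usr/share/keyrings/*)
                printf 'signing key: %s\n' "$path"; found=1 ;;
            /etc/apt/apt.conf.d/*)
                printf 'apt config: %s\n' "$path"; found=1 ;;
        esac
    done
    return $found
}

# Usage: audit a downloaded .deb before installing it.
#   sh audit.sh skypeforlinux.deb
if [ "$#" -eq 1 ]; then
    dpkg-deb -c "$1" | audit_paths
fi
```

A non-zero exit means the package would alter apt’s sources or trust store, which is the moment to read the files in question rather than let the maintainer scripts run as root.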

    6. 2

      This is a really common mechanism for application updates on linux?

      1. 2

        No. Security-conscious distributions provide centralized updates and try to prevent “side-channel” downloads.

    7. [Comment removed by author]