When Updates Backfire: A Black-Box Security Analysis of Desktop Software Update Mechanisms

Jie Wan, Pengcheng Xia, and Haoyu Wang, Huazhong University of Science and Technology

Desktop software has become an essential component of modern computing, and software updates are the primary mechanism for patching vulnerabilities and delivering security fixes. However, the update process itself introduces new attack surfaces, particularly when validation of update data is incomplete or improperly enforced. These risks in desktop updates remain less studied because most update clients are closed-source and complex. We present UpdSight, a black-box framework that tests update security by emulating man-in-the-middle (MitM) scenarios in realistic settings: it intercepts traffic during the update process and automatically checks for the presence of critical weaknesses. By combining traffic interception, payload integrity inspection, and behavior monitoring, UpdSight provides a comprehensive assessment of update trust models across diverse software categories. We applied UpdSight to 85 widely-used desktop applications. The results show 22 exploitable vulnerabilities, including downgrade, manifest manipulation, installer hijack, and path traversal. Among these, 16 have been confirmed by vendors. In addition, 5 CVE identifiers were assigned, covering vulnerabilities in 8 software products. Our findings highlight recurring design flaws, such as unsigned manifests and weak rollback checks, which allow attackers to gain code execution through the update channel.
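The abstract names the recurring flaws (unsigned manifests, weak rollback checks, installer hijack, path traversal) but not what a client that avoids them looks like. The following is an added illustration, not UpdSight's code or any vendor's updater: a minimal update-manifest validator that enforces, in order, manifest authenticity, strict version increase, install-path confinement, and payload integrity. The manifest fields, the sample installer bytes, and the HMAC-based signature (a stand-in for the asymmetric vendor signature a real client would verify against a pinned public key) are all constructed assumptions for the example.

```python
"""Hardened update-manifest validation (constructed example, not from the paper).

Encodes the checks whose absence the paper lists as recurring flaws:
manifest authenticity, rollback (downgrade) protection, install-path
confinement, and payload integrity.
"""
import hashlib
import hmac
import json
import posixpath
from typing import Dict, List, Tuple

# Assumption: a key shared between the build pipeline and the client stands in
# for the vendor's signing key. A real updater would pin a public key instead.
SIGNING_KEY = b"example-signing-key-not-for-production"


def canonical_bytes(manifest: dict) -> bytes:
    """Serialize the manifest body deterministically, excluding the signature."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> dict:
    """Attach an HMAC-SHA256 tag over the canonical body (publisher side)."""
    tag = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "signature": tag}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def safe_relative_path(path: str) -> bool:
    """Reject absolute paths, drive letters, and anything escaping the install dir."""
    if not path or path.startswith(("/", "\\")) or ":" in path:
        return False
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm != ".." and not norm.startswith("../")


def validate_update(manifest: dict, payload: bytes, installed_version: str,
                    key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check must pass before anything is installed."""
    # 1. Authenticity first: nothing below may be driven by an unsigned or
    #    tampered manifest, which is how manifest manipulation gets a foothold.
    tag = manifest.get("signature", "")
    expected = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "manifest signature invalid"
    # 2. Rollback protection: the offered version must strictly exceed the
    #    installed one, otherwise an old, vulnerable build could be re-served.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return False, "downgrade rejected"
    # 3. Path confinement for every file the update intends to write.
    for entry in manifest["files"]:
        if not safe_relative_path(entry["path"]):
            return False, f"unsafe path: {entry['path']}"
    # 4. Payload integrity: the downloaded installer must match the signed
    #    manifest, so a swapped installer is caught before execution.
    if hashlib.sha256(payload).hexdigest() != manifest["payload_sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"


# Constructed sample data: a legitimate 2.1.0 release for a client on 2.0.5.
PAYLOAD = b"constructed installer bytes"
GOOD_MANIFEST = sign_manifest({
    "version": "2.1.0",
    "payload_sha256": hashlib.sha256(PAYLOAD).hexdigest(),
    "files": [{"path": "bin/app.exe"}, {"path": "lib/core.dll"}],
})


def run_checks(installed_version: str = "2.0.5") -> Dict[str, Tuple[bool, str]]:
    """Exercise the validator against the good manifest and four modified ones."""
    body = {k: v for k, v in GOOD_MANIFEST.items() if k != "signature"}
    cases: List[Tuple[str, dict, bytes]] = [
        ("valid", GOOD_MANIFEST, PAYLOAD),
        # Field edited after signing: the old tag no longer matches.
        ("tampered", {**GOOD_MANIFEST, "version": "9.9.9"}, PAYLOAD),
        # Correctly signed but older than what is installed.
        ("downgrade", sign_manifest({**body, "version": "1.9.0"}), PAYLOAD),
        # Correctly signed but tries to write outside the install directory.
        ("traversal", sign_manifest({**body, "files": [{"path": "../../escape.dll"}]}), PAYLOAD),
        # Manifest fine, installer bytes swapped in transit.
        ("swapped", GOOD_MANIFEST, b"different bytes"),
    ]
    return {name: validate_update(m, p, installed_version) for name, m, p in cases}


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:10} -> {outcome}")
```

The ordering matters: the signature check runs before any field is trusted, the version comparison is numeric so "2.10.0" does not lose to "2.9.0", and path checks are applied to every entry rather than only the installer itself.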

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.