| Name | Malicious Manual Software Update |
| Likelihood of attack | Low |
| Typical severity | High |
  
| Summary | An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted, attacks range from requiring the user to download and run an executable to something as streamlined as tricking the user into clicking a URL. Attacks that aim to penetrate a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as a secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface. |
  
  
| Prerequisites | Advanced knowledge about the download and update installation processes. Advanced knowledge about the deployed system and its various software subcomponents and processes. |
  
  
   | Solutions          | Only accept software updates from an official source.     |  
  
| Related Weaknesses |
| CWE ID | Description |
| CWE-494 | Download of Code Without Integrity Check |
  
  
  
| Related CAPECS |
| CAPEC ID | Description |
| CAPEC-186 | An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source. |
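
One way to enforce the "official source" rule together with the integrity check whose absence CWE-494 describes, as an added example that is not part of the original entry. The host `updates.example.com`, the file name `app-2.1.bin`, the payload and the manifest are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the vendor's official download host (hypothetical).
OFFICIAL_HOSTS = {"updates.example.com"}

# Constructed sample: digests the vendor publishes out of band, keyed by file name.
GOOD_PAYLOAD = b"constructed update payload v2.1"
TRUSTED_MANIFEST = {"app-2.1.bin": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}


def from_official_source(url):
    """True only for https URLs whose exact host is on the allowlist."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # parsed host, not a substring of the URL
    except ValueError:
        return False
    return parts.scheme == "https" and host in OFFICIAL_HOSTS


def integrity_ok(name, payload, manifest):
    """Compare the payload's SHA-256 with the digest pinned for this file."""
    expected = manifest.get(name)
    if expected is None:  # unknown file: nothing to verify against
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected)


def accept_update(url, payload, manifest=TRUSTED_MANIFEST):
    """Return (accepted, reason); both checks must pass before install."""
    if not from_official_source(url):
        return False, "untrusted source"
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    if not integrity_ok(name, payload, manifest):
        return False, "integrity check failed"
    return True, "ok"


if __name__ == "__main__":
    print(accept_update("https://updates.example.com/dl/app-2.1.bin", GOOD_PAYLOAD))
    print(accept_update("https://updates.example.com/dl/app-2.1.bin", b"altered"))
```

The host comparison uses the parsed hostname, so a link that merely contains the official name (in the userinfo part or as a prefix of a longer domain) is rejected.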