
No, it isn't; this would've affected all manual, silent or visible automatic updates.

Users checking for updates or visible automatic update prompts during that timeframe that Opera said was offering the infected update would still get the malware.

People assume that getting automatic update prompts would allow them to stop the update if they heard about an infected update. The problem with that logic is that by the time the companies know about a breach, they would've shut down the automatic update FIRST, then fixed the breach, then resumed it. Customers would rarely know about that breach in advance, so the prompt wouldn't change anything here.




No, it wouldn't have. Manual updating:

- Spreads the exposure time, creating a much larger window in which updates may be deployed, reducing the number of systems affected, and reducing the likelihood of a targeted attack succeeding.

- Prevents targeted 'midnight' updates in which an attacker can deploy code at-will to target systems during hours that nobody will be around to see them.

- Requires producing reasonable-looking update notes, which will likely be noticed by everyone involved in the release process, resulting in an additional warning to those that can detect the issue.

A silent update can go out without anyone knowing that an update was even deployed.


This argument works the same way in reverse. If an exploit is discovered, manual updating spreads the update time, creating a much larger window in which exploits may be deployed, increasing the number of systems affected, and increasing the likelihood of a targeted attack succeeding.


A big difference is that the exploit can't be pushed to every single device in the world that is running the software in question and phoning home for updates.



