http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20040108ClickOnceJC/manifest.xml
http://msdn2.microsoft.com/en-us/library/ms228998.aspx
http://msdn2.microsoft.com/en-us/library/ms228996(en-US,VS.80).aspx
http://msdn2.microsoft.com/en-us/library/76e4d2xw.aspx
This prompt will NOT appear on systems with .NET 2.0 installed.
And one last chance offered to the user. That makes a total of 2 checks to get past in order for any malicious software to be installed. For systems with .NET 2.0 already installed, the screens you will see are slightly different. We wrote a small console application to test the features of ClickOnce.
The From: field advertised in this dialog box can easily be modified in Visual Studio.NET 2005. For example, a malicious attacker could try masquerading his application as a product of some reputable company. A very determined attacker could also buy a certificate from a reputable source, which would make his malicious application look even more genuine.
We programmed our tiny application to attempt to add a key to HKLM\SOFTWARE\Microsoft\CurrentVersion\Run, and it was a success. The application pauses to allow us to check our registry, afterwhich, it removes the entry. Really malicious attackers will probably get more creative than this.
So it appears that although we didn't get ClickOnce to do anything it wasn't supposed to do, the application it installed could contain some malicious code. Perhaps, it would be useful to have any application installed by ClickOnce inherit the same kind of restrictions. Although there are security mechanisms provided in the framework, we suspect a more likely scenario would be that of users falling prey to malicious applications posing as legitimate ClickOnce deployments, in a similar style to various known phishing attacks, fake SSL certificates, and other modern day trickery. The general lack of awareness that is common to all these problems will probably surface again. Users do, get at least one chance to prevent a potentially malicious application from installing. A good imitation of a respectable source might also fool some users, such as this fake one we made.
More safety measures:
Application developers who wish to use ClickOnce can also consider using Authenticode and Code signing as shown in this MSDN article:
http://msdn2.microsoft.com/en-us/library/ms172240.aspx
Again, we wish to reiterate that valid certificates don't always prove that an application publisher has benign intent. A malicious attacker can also purchase certificates from a recognized and reputable vendor.
Conclusion:
The ClickOnce mechanism appears to be well designed, with suitable digital signing features available, and certainly makes deployment of Windows Forms applications a lot easier than before. There are warning signs when the ClickOnce application requests for higher priviledges than it should have. The user however, is still able to choose to accept or to reject the installation of an application, sometimes with little idea of how safe the code is. It appears possible that if ClickOnce becomes popular, and people get too used to seeing the security prompt and just allowing the install anyway, then we might start seeing more malicious payloads being distributed via ClickOnce technology, while masquerading as legitimate or benign applications.
For home users, just remember to distrust applications as you would all other known phishing scams. Distrust emails and their contents, from everyone, especially unsolicited ones from people you do not know well. Do not install applications without first finding out more about what they do, and if anyone has a bad remark about them. There is no need for paranoia but stay on alert for anything that looks suspiscious
A related article we found:
A Security Hole in ClickOnce Deployment.
http://www.rollthunder.com/Newsletter/newslv7n1.htm#Feature%20Article
