Friday, July 6, 2007

Can ClickOnce become a security hazard?

ClickOnce is the latest deployment technology that comes with Microsoft Visual Studio.NET 2005. With ClickOnce, deploying Windows Forms solutions becomes almost as easy as deploying web-based solutions. In a certain way, it represents a sort of hybrid between ActiveX and standard .EXE files. We picked up a free beta disk from HITB and asked ourselves the immediate question of whether ClickOnce could pose some sort of security risk. These are our findings.

As ClickOnce is a new release with Visual Studio.NET 2005, we were all very excited to try out this new deployment mechanism, which could mean a return to favour for Windows Forms applications. There are some obvious advantages to programming in Windows Forms, one of the most distinct being how much easier it is to work with the standard datagrid and Crystal Reports. We were also concerned about whether ClickOnce could be abused like certain ActiveX controls.

For detailed explanations on ClickOnce technology, here are some very useful links.



We will not be repeating any material from these excellent sources, other than to say that ClickOnce allows easy web or network based deployment of Windows Forms applications. It also enables these applications to automatically check for updates and update themselves when necessary. Such features used to cost money and programming effort. Now, they come free with Visual Studio.

In this article, we used the default behaviour of ClickOnce.

One of the most obvious attacks would be a variation of a phishing attack. For example, an email that reads like this:


Dear user, this is a critical update for your system. It addresses [some dummy issue]. Please install the update immediately:

[Malicious, disguised link here]

The link above, in true phishing style, could lead users to some malicious website, where a malicious ClickOnce application is waiting for them. Anyone with a copy of Visual Studio.NET could create something potentially dangerous.

ClickOnce, to its credit, does offer some form of protection, and will ask for permission to install. This is what you may see on a system that does not have .NET Framework 2.0 installed.


And subsequently, the relevant files are downloaded and executed. The user does have a chance to stop the execution of these files.


This prompt will NOT appear on systems with .NET 2.0 installed.

And one last chance is offered to the user. That makes a total of 2 checks to get past in order for any malicious software to be installed. For systems with .NET 2.0 already installed, the screens you will see are slightly different. We wrote a small console application to test the features of ClickOnce.

The From: field advertised in this dialog box can easily be modified in Visual Studio.NET 2005. For example, a malicious attacker could try masquerading his application as a product of some reputable company. A very determined attacker could also buy a certificate from a reputable source, which would make his malicious application look even more genuine.

We programmed our tiny application to attempt to add a key to HKLM\SOFTWARE\Microsoft\CurrentVersion\Run, and it was a success. The application pauses to allow us to check our registry, after which it removes the entry. Really malicious attackers will probably get more creative than this.


So it appears that although we didn't get ClickOnce to do anything it wasn't supposed to do, the application it installed could contain some malicious code. Perhaps it would be useful to have any application installed by ClickOnce inherit the same kind of restrictions. Although there are security mechanisms provided in the framework, we suspect a more likely scenario would be that of users falling prey to malicious applications posing as legitimate ClickOnce deployments, in a similar style to various known phishing attacks, fake SSL certificates, and other modern day trickery. The general lack of awareness that is common to all these problems will probably surface again. Users do get at least one chance to prevent a potentially malicious application from installing. A good imitation of a respectable source might also fool some users, such as this fake one we made.


More safety measures:

Application developers who wish to use ClickOnce can also consider using Authenticode and Code signing as shown in this MSDN article:

http://msdn2.microsoft.com/en-us/library/ms172240.aspx

Again, we wish to reiterate that valid certificates don't always prove that an application publisher has benign intent. A malicious attacker can also purchase certificates from a recognized and reputable vendor.
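Before trusting a ClickOnce deployment, a reviewer can pull the same three facts discussed above (the free-text publisher shown in the From: field, whether the manifest carries an XML signature, and whether the application asks for full trust) straight out of the manifests. The following Python triage routine is an added example, not code from the original post; the two manifests it parses are constructed samples, and the hostnames in them are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by ClickOnce deployment (.application) and application (.exe.manifest) files.
NS = {
    "v1": "urn:schemas-microsoft-com:asm.v1",
    "v2": "urn:schemas-microsoft-com:asm.v2",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def triage_manifest(xml_text):
    """Return the facts a reviewer wants before accepting a ClickOnce install prompt."""
    root = ET.fromstring(xml_text)
    facts = {"publisher": None, "product": None, "codebase_host": None,
             "signed": False, "full_trust": False, "warnings": []}
    # The publisher/product strings are whatever the developer typed in Visual Studio.
    desc = root.find("v1:description", NS)
    if desc is not None:
        facts["publisher"] = desc.get("{%s}publisher" % NS["v2"])
        facts["product"] = desc.get("{%s}product" % NS["v2"])
    # Where the deployment actually comes from; compare this with the claimed publisher.
    prov = root.find("v2:deployment/v2:deploymentProvider", NS)
    if prov is not None:
        facts["codebase_host"] = urlparse(prov.get("codebase", "")).hostname
    # An XML-DSig Signature element is present only when the manifest was signed.
    facts["signed"] = root.find("ds:Signature", NS) is not None
    # Full trust lets the installed app do anything the user can (e.g. write HKLM Run keys).
    pset = root.find(".//v2:trustInfo/v2:security/v2:applicationRequestMinimum/v2:PermissionSet", NS)
    if pset is not None and pset.get("Unrestricted", "false").lower() == "true":
        facts["full_trust"] = True
        facts["warnings"].append("requests full trust; expect a ClickOnce security prompt")
    if facts["publisher"] and not facts["signed"]:
        facts["warnings"].append("publisher '%s' is an unsigned free-text claim" % facts["publisher"])
    return facts

# Constructed sample deployment manifest: unsigned, publisher string chosen by the author.
DEPLOY_MANIFEST = """<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
  xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <description asmv2:publisher="Contoso Ltd" asmv2:product="Critical Update"
    xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true">
    <deploymentProvider codebase="http://updates.example.invalid/Update.application" />
  </deployment></asmv1:assembly>"""

# Constructed sample application manifest that asks for full trust.
APP_MANIFEST = """<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
  xmlns="urn:schemas-microsoft-com:asm.v2"><trustInfo><security><applicationRequestMinimum>
  <PermissionSet Unrestricted="true" ID="Custom" SameSite="site" />
  </applicationRequestMinimum></security></trustInfo></asmv1:assembly>"""
```

A signed manifest only proves who holds the key, so the publisher string still has to be checked against the certificate subject and the deployment host by hand.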

Conclusion:

The ClickOnce mechanism appears to be well designed, with suitable digital signing features available, and certainly makes deployment of Windows Forms applications a lot easier than before. There are warning signs when a ClickOnce application requests higher privileges than it should have. The user, however, is still able to choose to accept or to reject the installation of an application, sometimes with little idea of how safe the code is. It appears possible that if ClickOnce becomes popular, and people get too used to seeing the security prompt and just allowing the install anyway, then we might start seeing more malicious payloads being distributed via ClickOnce technology, while masquerading as legitimate or benign applications.

For home users, just remember to distrust applications as you would all other known phishing scams. Distrust emails and their contents, from everyone, especially unsolicited ones from people you do not know well. Do not install applications without first finding out more about what they do, and whether anyone has a bad remark about them. There is no need for paranoia, but stay on alert for anything that looks suspicious.

A related article we found:

A Security Hole in ClickOnce Deployment.
http://www.rollthunder.com/Newsletter/newslv7n1.htm#Feature%20Article
