Automatic updates would seem to be an excellent way to keep your operating system updated. Unfortunately, several intrusion techniques can take advantage of this configuration.
One such intrusion technique is called ARP cache poisoning. The address resolution protocol (ARP) maps an IP address on the local network to the hardware address that should receive its traffic, and it accepts replies without verifying them. Poisoning exploits this open design to make your computer believe that the server it is looking for is at a different address, so that traffic meant for that server is delivered to another machine. If your update software contacts a named server and the path to that server has been redirected in this way, you can receive updates from a malicious source.
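As an added example (not part of the original text), the following Python script shows how a defender can spot the symptoms of a poisoned ARP cache: it parses `arp -an` style output and flags a hardware address that answers for several IP addresses, or a gateway or update-server entry whose hardware address no longer matches a recorded baseline. The ARP lines, addresses and baseline are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -an` output (Linux format); not captured from a real host.
# The gateway (.1) and the update server (.50) share a hardware address with .77,
# which is what a poisoned cache looks like after a spoofed ARP reply.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 02:00:00:aa:bb:01 [ether] on eth0
? (192.168.1.50) at 02:00:00:aa:bb:01 [ether] on eth0
? (192.168.1.77) at 02:00:00:aa:bb:01 [ether] on eth0
? (192.168.1.20) at 02:00:00:cc:dd:20 [ether] on eth0
"""

# Baseline recorded while the network was known to be clean (constructed values).
KNOWN_GOOD = {
    "192.168.1.1": "02:00:00:de:ad:01",   # default gateway
    "192.168.1.50": "02:00:00:de:ad:50",  # update server
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})")

def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` style lines; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line.lower())
        if match:
            table[match.group("ip")] = match.group("mac")
    return table

def find_arp_anomalies(table, baseline):
    """Flag two poisoning symptoms: one MAC claiming several IPs, and a baseline host whose MAC changed."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # legitimate for some routers, so report for review rather than auto-block
            findings.append(f"MAC {mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    for ip, expected_mac in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != expected_mac:
            findings.append(f"{ip} moved from {expected_mac} to {seen}")
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_OUTPUT), KNOWN_GOOD):
        print("ALERT:", finding)
```

On a real host, replace the constructed string with the actual `arp -an` output and record the baseline on a day you trust; a baseline mismatch for the gateway or update server is the entry worth investigating first.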
Another intrusion technique is to take control of a machine on the route between your computer and the server providing the updates. By setting that inline machine's network interface card into promiscuous mode, malicious software can read every network packet passing through it. This allows the malicious machine either to impersonate the server, if the channel is encrypted, or simply to modify the returning packets if the channel is not encrypted. Either way, the update will not be what you expected.
To reduce exposure to automatic update vulnerabilities, you can instead perform manual updates at regular intervals. If you enter the address of the update site into your browser and the site appears normal, there is a high likelihood that clicking the Update Now button will in fact perform the expected operation. Remember that hovering the cursor over a link should display the link's destination address in the browser's status bar. If the link does not display the expected address, investigate, or tighten security, before clicking it.
Because automatic updates are usually encrypted and signed, the probability of tampering is very low. Because browsers are prone to navigation and file-transfer vulnerabilities, the probability of tampering during a manual update is much higher. As such, switching from automatic to manual updates is only viable when the manual intervention is accompanied by the ability to recognize tampering.