On blindly trusting Software Vendors (and discussing CCleaner’s hacking)

By now, any software enthusiast is aware that CCleaner and CCleaner Cloud (Piriform) has been a victim of hackers. These hackers have injected malicious code in the release versions of such software and ended up on (roughly) 2 million end user machines.

For those who are not familiar with CCleaner, it allows the user to remove unwanted files, browser caches, registry keys cleanup and such. This means that it basically has access to all your system files and data on your drives. It’s a free software (with premium subscription available) and it’s installed on millions of machine all over the world.

Given the fact that this software has permission to modify system files on your machine by default, one can only imagine what a compromised installation is able to do on your machine.

From a consumer point of view, there is no way that we could have known that the software was compromised. I mean, even if they provided hashes to verify that the downloaded software is indeed the version they intended to, this would have NOT prevented anything! Why? It’s because the breach has occurred internally! In the sense that someone went into their private code repository, changed some code in their CRT and went unnoticed. How this has been done; that’s a story for another day (Piriform has not how this happened).

Anyway, the guys from Piriform has publicly acknowledged this, without being a coward or trying to cover anything up. They have also taken any measures necessary to assure that the threat is now over and issued updates to such software. This does not change the fact they’ll be losing trust from their loyal customers.

This of course left me a bit skeptical, sometimes I download applications from third party vendors, without thinking twice (and trusting them by default). This has definitely been a wake-up call to all of us, in the sense that you can never fully trust third party vendors. Can a similar thing happen in the future? Maybe. Is it avoidable some how? Well no, (or at least, maybe!)

Let’s talk about something a bit different now: Windows Apps (Universal Windows Platform Apps)!

One might ask: how is this relevant! Oh, but they are very relevant. You see, the execution of these apps works a bit different than your traditional desktop applications. These applications run in a Sandbox i.e they do not have direct access to your system. You can read more about Sandbox applications here. My point is that these apps are far safer; in case these applications get compromised, their damage is significantly reduced due to the nature of how they execute.

These applications have disadvantages of course; given that they are sandboxed, there are simply actions that they cannot do. For example, I simply cannot imagine CCleaner living as a UWP, given the fact that one of it’s capabilities is making changes to the registry. That definitely requires a “full trust” application in order to do so!

Let’s just hope that Piriform (and similar software vendors) get their act up and avoid such fiascos in the future!