CAPEC-657: Malicious Automated Software Update via Spoofing
An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.
Last updated
Overview
CAPEC-657 (Malicious Automated Software Update via Spoofing) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
Consequences
What a successful CAPEC-657 attack can achieve.
Execute Unauthorized Commands
Affects: Access Control, Availability, Confidentiality
Examples
An example of the spoofing strategy would be the eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.
Terminology & mappings
Mapped taxonomies
- ATTACK: Software Deployment Tools (1072)
Frequently asked questions
Common questions about CAPEC-657.
- What is CAPEC-657?
- An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.
- What weaknesses does CAPEC-657 target?
- CAPEC-657 exploits 1 CWE weakness, including CWE-494 (Download of Code Without Integrity Check).
- How severe is CAPEC-657?
- MITRE rates CAPEC-657 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-657
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.