The CCleaner Supply Chain Attack


This week Avast disclosed exactly how its CCleaner software was compromised in September last year. Avast found that the attackers logged into a TeamViewer remote desktop account on a Piriform developer's computer (Piriform being the company that created CCleaner, which was acquired by Avast shortly before the disclosure).

With access to the remote desktop account, the attackers gained access to other computers, eventually installing a piece of malware called ShadowPad, part of which contains a keylogger. With the information gleaned from this, the attackers were able to work their way into Piriform's development systems and eventually give themselves the ability to manipulate the downloadable CCleaner file.

A more extensive explanation is contained within the Wired article I've linked to, but the reason I've blogged is because I think this highlights the risks of third-party software. Working within technical support on a daily basis, I see multiple people come to me with varying types of third-party software installed, and most people install a large amount of third-party software without question. For some time, though, I have tried to refrain from installing third-party software.

Shortly after the iPhone's release, when Apple faced intense pressure to allow Adobe's Flash to work on iOS devices, Steve Jobs released his "Thoughts on Flash" letter, which outlined his reasoning for not allowing Flash on iOS. An example Steve Jobs used was that "Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash"; I also think I remember the point about Flash being the number one reason Macs crash being made again during a presentation regarding macOS, but I haven't been able to find the video.

Since that point in 2009 I've restricted myself from installing third-party software and plug-ins as liberally as I did before. I've now come to think that with each piece of software installed I'm increasing the number of possible attack vectors an attacker can use against my machine; both Flash and the ever-popular Acrobat have a not insignificant number of security advisories on Adobe's website.

Initially I may seem unreasonable, perhaps puritanical, with regard to my attitude toward third-party software, as though I never install anything that isn't part of a standard operating system installation and expect software to have zero security issues; I assure you that is not the case. Security issues will always be found in software, and Flash and Acrobat's long list of vulnerabilities [arguably] shows that Adobe heavily invests in finding security issues in its software and focuses on fixing them. And if macOS doesn't contain the tool I need to do what I need, I'm more than open to installing something that does; the software I have installed includes 1Password, VirtualBox, Postgres and Scrivener, among others.

What I am advocating is a more considered approach to installing third-party software. Do you really need to install Flash, given that most internet video is HTML5 video now? Could you just use the built-in PDF reader instead of installing Acrobat Reader? Perhaps your computer isn't cluttered enough to warrant installing that cache cleaner software? The answer to each question will depend on what the user is looking to do and their level of knowledge about what they're installing.