I'm a long-time user of PortableApps.com, I install and update using the PortableApps Platform.
We recently learned that hackers had slipped malware into Avast's CCleaner, compromising it and infecting 2.27M users; read the story here: https://techcrunch.com/2017/09/18/avast-reckons-ccleaner-malware-infecte...
My question is, is PortableApps vulnerable to this? Is PortableApps doing enough to prevent this type of compromise?
Just a concerned PortableApps user.
We don't distribute CCleaner, so we are unaffected. All our releases are scanned by at least two major antivirus engines before release. Most are scanned with 20. We scan any files downloaded by our online installers prior to release and hash them. If the hashes don't match, our online installers will show an error and delete the downloaded file without running or opening it. Our platform does the same for all portable app downloads as well, comparing them to our stored online hashes for all apps. Additionally, our open source apps and any online installer apps are digitally signed using a code signing certificate. Finally, our app download servers and our centralized server which stores the app database are on independent machines in separate data centers with different login credentials, so if something somehow managed to infect a self-hosted publisher's download server or even our own download servers, our platform would correctly show the hash as invalid and refuse to open or run the installer.
There are other projects which illegally package and distribute CCleaner (not permitted by the publisher) without scanning, or which download CCleaner from Piriform without scanning and hashing. Those appear to be affected by the hack, and any of their users that ran the software would be infected.
Sometimes, the impossible can become possible, if you're awesome!
We don't provide an officially released CCleaner, so we don't have a product directly affected in this case.
The attack occurred because a malicious individual or group of individuals hacked either the servers from which users download the CCleaner package, or the servers on which the developers build the package (I have seen conflicting reports on this point, so I am including both possibilities here) and replaced the official package with their own; thus users were still downloading from the correct location without any form of redirection or misdirection, the packages were still internally signed correctly, but the package they received was compromised (often referred to as a supply chain attack).
Supply chain attacks are one of the most effective attacks on software, but are also one of the hardest to pull off due to the levels of security inherent in the vast majority of servers. However, bugs, loopholes, and oversights can happen, even with the best security software in place. No server can ever be 100% defensible against remote attacks, unless you disconnect it from the internet (which kinda defeats the purpose for a download server).
Our app database uses a hash to determine the validity of downloaded files, and I would assume this is housed on an entirely separate server from the downloads themselves, so for someone to pull off an attack like this they would have to infiltrate at least two different servers to make it happen, which decreases the likelihood of it ever happening even further.
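Both replies above describe the same control: the publisher hashes each scanned release and stores the digest in a central app database kept apart from the download servers, and the installer or platform rehashes whatever it downloaded, refusing to open or run the file and deleting it on a mismatch. The script below is an added illustration of that check written for this thread; it is not PortableApps.com's own installer or platform code. The `app_database` dictionary, the app name `ExampleAppPortable`, and the installer byte strings are all constructed stand-ins, and SHA-256 is assumed as the hash algorithm (the thread does not say which one is used).

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the centralized app database described in the thread:
# app name -> SHA-256 hex digest recorded at release time. The point of the
# design is that this table lives on a different machine, with different
# credentials, than the download mirrors that serve the installer bytes.
app_database = {}


def sha256_hex(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_release_hash(app_name, installer_path):
    """Publisher side: hash the scanned installer and store the digest."""
    app_database[app_name] = sha256_hex(installer_path)


def verify_download(app_name, downloaded_path):
    """Client side: compare the downloaded file against the stored hash.

    On a mismatch (or an unknown app) the file is deleted without being opened
    or executed, and False is returned so the caller can show an error instead
    of launching the installer.
    """
    expected = app_database.get(app_name)
    actual = sha256_hex(downloaded_path)
    if expected is None or not hmac.compare_digest(actual, expected):
        os.remove(downloaded_path)
        return False
    return True


def simulate(app_name, released_bytes, served_bytes):
    """Write the released build and what a mirror actually served to temp files,
    record the release hash, then run the client-side check on the served copy.

    Returns (verified, served_file_still_exists).
    """
    with tempfile.TemporaryDirectory() as tmp:
        released = os.path.join(tmp, app_name + ".release.exe")
        served = os.path.join(tmp, app_name + ".downloaded.exe")
        with open(released, "wb") as f:
            f.write(released_bytes)
        with open(served, "wb") as f:
            f.write(served_bytes)
        record_release_hash(app_name, released)
        ok = verify_download(app_name, served)
        return ok, os.path.exists(served)


# Constructed sample payloads standing in for installer bytes.
GOOD_INSTALLER = b"MZ constructed stand-in for a clean installer build"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00constructed stand-in for an injected payload"


def run_demo():
    """Outcome for an intact mirror versus a mirror serving a tampered file.

    The app database is untouched in both cases, which is exactly the situation
    the thread describes: compromising only the download server is not enough.
    """
    intact = simulate("ExampleAppPortable", GOOD_INSTALLER, GOOD_INSTALLER)
    tampered = simulate("ExampleAppPortable", GOOD_INSTALLER, TAMPERED_INSTALLER)
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the intact download verifying and surviving on disk, while the tampered copy fails the check and is removed before anything opens it. `hmac.compare_digest` is used for the comparison so the check does not leak timing information about the expected digest, and hashing in chunks keeps the verifier usable on multi-hundred-megabyte installers.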
Thanks for the reassurance and the education.