Auto update: Is this secure?

Question

Dot Net Auto Update

I felt like .net was lacking a simple secure automatic update library so I've implemented something and put it up here. Before anyone considers using the library I was keen for the update process to get a bit a peer review.

Here are the steps:

• The client software is populated with a public key and URI to poll.
• Client polls a URI for a manifest file.
• Manifest is downloaded and signature (in a separate ".signature") is used to check that the manifest is valid.
• A list of pending updates is parsed out of the manifest (to show to the user).
• The installer file is downloaded and again is verified with a corresponding ".signature" file. (the downloaded file will be protected with ACLs)
• The installer is run.

Mitigated threats:

• The manifest signature should prevent any malicious downloads ("carpet bombing")
• The installer signature should prevent any MITM attacks from sending malicious installers
• Protecting the downloaded installer with ACLs should prevent any local escalation attacks.

Unmitigated threats:

• A MITM attack where the attacker always reports "no updates available". (Could keep a client at a vulnerable version)

References:

• Secure Software Updates: Disappointments and New Challenges
• Black Ops 2008: It’s The End Of The Cache As We Know It
• Evilgrade Will Destroy Us All

What have I missed?

Answer 1

Dan Kaminsky has a good set of guidelines for an updater:

To succeed, your update package must be:

• Signed.
• Signed by you.
• Signed by you, using the right EKU (Extended Key Usage)
• Signed from an unrevoked signature
• Be the same product
• Be a new version

From your description in this question, it appears that you have the first 3.