nextcloud / desktop

💻 Desktop sync client for Nextcloud
https://nextcloud.com/install/#install-clients
GNU General Public License v2.0

Automatic updater on windows trains users to click Yes #3735

Open LukasReschke opened 3 years ago

LukasReschke commented 3 years ago

We got the following as a HackerOne submission (#1325350):

I just got sent the attached screenshot from a co-worker in the Netherlands. (It is in Dutch but I think you'll get the idea.) In short she was concerned that the name 35e4e.msi doesn't sound like a legit program. Nor did she have any idea what actually was trying to update.

[Screenshot: Screenshot_from_2021-08-31_11-04-03]

Impact

The only thing I can do here is train people to press OK. Nobody is going to check the certificate (and even if they do they have no idea what to look for). The signature is valid but the file name doesn't match anything you can download. Feel free to just move this to GitHub if you think it doesn't belong on HackerOne.

This looks like something we could address; some points here:

mgallien commented 3 years ago

@LukasReschke the MSI Windows installer is built of two parts

This two-stage installer is common. The reason is that many programs are now able to install without elevated privileges in a directory owned by the user or to a global directory requiring elevated privileges. Windows will then trigger the warning only in the second case.

From my understanding of Windows, there is no other way than having the warning popup be shown when elevated privileges are required. The criticism around this warning popup is often heard and we cannot act on it. That said, people can configure UAC (User Account Control) to not show the warning.

From my limited understanding of the internals of the MSI installer, I am not sure we can control the name of the second stage installer. We will have a look anyway.
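The reporter's point is that a user who sees a prompt for a file like 35e4e.msi has nothing to go on: the signature is valid, but the name tells them nothing. The following PowerShell script is an added example, not Nextcloud project code, showing what a defender or help desk can actually check before approving such an elevation: the Authenticode signer of the .msi and the ProductName, Manufacturer and ProductVersion embedded in the package's Property table (read through the Windows Installer COM API). The path and the expected publisher string are assumptions supplied by the caller; `EXPECTED-PUBLISHER-CN` is a placeholder, not the real signer name.

```powershell
# Added example (not Nextcloud project code): inspect an unfamiliar .msi that
# appeared in a UAC prompt, such as a second-stage installer with a generated name.
param(
    [Parameter(Mandatory = $true)][string]$MsiPath,
    # Assumption: the certificate CN you expect on a genuine installer (placeholder).
    [string]$ExpectedPublisher = 'EXPECTED-PUBLISHER-CN'
)

# Read one value from the MSI Property table via the WindowsInstaller.Installer COM object.
function Get-MsiProperty {
    param([string]$Path, [string]$Name)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Second argument 0 = msiOpenDatabaseModeReadOnly
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $query = "SELECT Value FROM Property WHERE Property = '$Name'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $record) { return $null }
    # StringData(1) is the first (and only) column of the row
    return $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
}

# Authenticode status and signer subject of the package itself
$sig    = Get-AuthenticodeSignature -FilePath $MsiPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

# What the package says about itself, independent of its on-disk file name
[pscustomobject]@{
    File         = Split-Path -Leaf $MsiPath
    ProductName  = Get-MsiProperty -Path $MsiPath -Name 'ProductName'
    Manufacturer = Get-MsiProperty -Path $MsiPath -Name 'Manufacturer'
    Version      = Get-MsiProperty -Path $MsiPath -Name 'ProductVersion'
    SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
    Signer       = $signer
}

# "Signature valid" alone is not the check: the signer has to be the publisher you
# expect, and ProductName has to match the program the prompt claims to be updating.
if ($sig.Status -ne 'Valid' -or $signer -notlike "*CN=$ExpectedPublisher*") {
    Write-Warning "Signer does not match expected publisher '$ExpectedPublisher'; do not approve the elevation."
}
```

Run it as `.\Inspect-Msi.ps1 -MsiPath "$env:TEMP\35e4e.msi" -ExpectedPublisher '<your expected CN>'` while the UAC prompt is still open; the prompt itself is not a script-readable object, but the file it names is, and the ProductName and Manufacturer fields are what the prompt should have shown the user in the first place.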

FlexW commented 3 years ago

The naming issue is a duplicate of https://github.com/nextcloud/desktop/issues/2947

d235j commented 3 years ago

> This two-stage installer is common. The reason is that many programs are now able to install without elevated privileges in a directory owned by the user or to a global directory requiring elevated privileges. Windows will then trigger the warning only in the second case.

Another method that software uses is the installation of a system service for updating the software. Google Chrome and Mozilla Firefox, among others, take this approach.

> That said, people can configure UAC (User Account Control) to not show the warning.

This is generally considered a terrible idea as it opens the system to easy installation of malicious software.

Does the automatic updater tell the user that it is about to update? If the updater requires elevation to apply the update, it should at least inform the user and provide a yes/no choice, so that the dialog does not just appear out of nowhere. In other words, the option for silent automatic update should not exist, if interaction will be required anyway in order to elevate the installer.
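The reply above rejects turning off the UAC prompt as a workaround. As an added example (not Nextcloud project code), this PowerShell snippet audits the three registry values under the standard UAC policy key that decide whether the elevation prompt appears at all, so an administrator can confirm the protective configuration is still in place rather than silently relaxed; the key path and value names are the documented Windows ones, and the script only reads them.

```powershell
# Added example (not Nextcloud project code): audit the UAC prompt configuration.
# All values live under the standard policy key; this script reads, never writes.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

$findings = @()
# EnableLUA = 0 switches UAC off completely (takes effect after reboot)
if ($p.EnableLUA -ne 1) {
    $findings += 'EnableLUA is not 1: UAC is disabled, elevation happens with no consent step'
}
# ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt
if ($p.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin is 0: administrators are elevated without a prompt'
}
# PromptOnSecureDesktop = 0 shows the prompt on the normal desktop instead of the isolated one
if ($p.PromptOnSecureDesktop -ne 1) {
    $findings += 'PromptOnSecureDesktop is not 1: the prompt is not isolated on the secure desktop'
}

[pscustomobject]@{
    EnableLUA                  = $p.EnableLUA
    ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'UAC elevation prompt is in its protective configuration.'
}
```

A value of 2 for ConsentPromptBehaviorAdmin corresponds to "Always notify" and 5 to the default "Notify me only when apps try to make changes"; both still produce the prompt the thread is discussing, which is the point: the fix belongs in the updater's naming and pre-elevation dialog, not in the UAC setting.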

claell commented 3 years ago

> From my understanding of Windows, there is no other way than having the warning popup be shown when elevated privileges are required. The criticism around this warning popup is often heard and we cannot act on it.

Hm, I thought (or hoped) that it would work to have one program (the already installed Nextcloud client) with elevated privileges that can then easily start other software (the installer) with elevated privileges as well without having to ask again.

d235j commented 3 years ago

> Hm, I thought (or hoped) that it would work to have one program (the already installed Nextcloud client) with elevated privileges that can then easily start other software (the installer) with elevated privileges as well without having to ask again.

The software would have to install a system service at installation time. That's what most Windows software that is installed system-wide and comes with a user-runnable auto-updater does. This adds complexity.

While the Nextcloud client is installed with elevated privileges, it does not run with elevated privileges — this would be a security problem. In general, designing secure auto-updaters that run elevated is also rather difficult.

claell commented 3 years ago

Got it. So the best option is probably to leave the situation of the dialog as is and improve the name (and possibly also the app symbol shown in the warning).

Maybe one can also create an issue to allow the installation to a user directory, which in those cases would not require elevated privileges to update, as @mgallien pointed out.

d235j commented 3 years ago

> Maybe one can also create an issue to allow the installation to a user directory, which in those cases would not require elevated privileges to update, as @mgallien pointed out.

I would much rather see this implemented by allowing for a portable installation that can link itself into the Startup folder rather than installing itself into the AppData folder, but either way would work.