UTorrent.com compromised, malware added to installer

100 points by emilw, more than 13 years ago

4 comments

morsch, more than 13 years ago
As far as I remember, uTorrent has an internal auto-update functionality that interrogates the server for a new version. I wonder how well that is secured and if owning utorrent.com is enough to distribute a malicious update to all users unfortunate enough to start the application while owned.

I'm very wary about auto-updates that pull executables (as opposed to merely data) in this way. It's one thing for Chrome to do it, I assume Google does it in a way that's safe. But freeware/shareware projects? Not so much. Hell, who's to say the authors don't lose interest in two years and let the domain expire. I had one freeware or open-source app that didn't even have the courtesy of *asking*, it just pulled fresh binaries and restarted -- ouch. (At least you could disable this feature in the preference.)
eyko, more than 13 years ago
I stopped using it since it wasn't open source. Worse when it became infested with "optional" ~~adware~~ search bar.
latitude, more than 13 years ago
For those on Windows, here is a bit of code that can be used to validate Authenticode signature of the update package.

https://github.com/apankrat/assorted/blob/master/validate_package.cpp

Basically the idea is to get an Authenticode certificate and sign the update .exe with it. Then, when a program checks for an update and pulls it down, it would validate the package signature and will not proceed if the details - the application and the certificate subject names - are wrong. It is as simple as it gets.
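
The check latitude describes, sketched in PowerShell as an added example; it is not part of the comment above and not the linked validate_package.cpp. It verifies the signer certificate only (not the application name), and the function name `Test-UpdatePackage`, the file path, the subject name and the thumbprint are hypothetical placeholders.

```powershell
# Added example: refuse to run a downloaded update unless its Authenticode
# signature is valid AND it was signed by the expected publisher.
function Test-UpdatePackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectCN,
        # Optional pin. Stricter than a name match, because a different CA
        # could issue a certificate carrying a look-alike subject name.
        [string[]] $AllowedThumbprints = @()
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Package not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the chain builds
    # to a trusted root. NotSigned, HashMismatch, NotTrusted etc. all fail here.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Rejected: signature status is $($sig.Status)"
        return $false
    }

    # A valid signature only proves that *someone* trusted signed the file.
    # Compare the signer's CN exactly and case-sensitively; a substring match
    # would also accept "<ExpectedName> Updates" or similar look-alikes.
    $cert = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)
    if ($cn -cne $ExpectedSubjectCN) {
        Write-Warning "Rejected: signed by '$cn', expected '$ExpectedSubjectCN'"
        return $false
    }

    if ($AllowedThumbprints.Count -gt 0 -and $cert.Thumbprint -notin $AllowedThumbprints) {
        Write-Warning "Rejected: certificate $($cert.Thumbprint) is not pinned"
        return $false
    }
    return $true
}

# Usage with placeholder values (constructed, not from the page):
# if (Test-UpdatePackage -Path "$env:TEMP\update.exe" -ExpectedSubjectCN 'Example Software Ltd') {
#     Start-Process "$env:TEMP\update.exe"
# }
```
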
streptomycin, more than 13 years ago
And this is one of many reasons I love that almost all my software is installed through a secure package manager.