Security Validation of the Patch My PC Publisher

It is important to note that the Publisher is installed onto the top-most WSUS distribution point in the customer's environment.

How does the Patch My PC application catalog connect to the Patch My PC Publisher?

The Patch My PC Publisher downloads the application catalog cab file from the internet over HTTPS (port 443) from secure storage, which is what connects the two.

More specifically, the Publisher makes a call to api.patchmypc.com, which then delivers the cab file after verifying the customer’s license. The call is necessary as it is important for us to verify a customer’s license is correct before the cab files begin syncing into the Publisher.

Once accessed, the application updates can be seamlessly deployed and updated in your environment.

How does security validation happen with Patch My PC Publisher?

When the catalog gets downloaded into your environment, the import will only occur in our publishing service, Configuration Manager, or SCUP if the catalog is code-signed from a trusted publisher.

The Publisher will check that the catalog cab file is signed with our code signing certificate. If it is not, it discards it and stops. If it is signed, then it processes all the updates in the cab file and sees what needs to be published based on the deployment and update settings you’ve set for your applications.

Digging in a little deeper, the specific processes at work are as follows:

After verifying a customer’s license, the Publisher makes an API call to download the newest version of the catalog.

The Publisher checks that the catalog cab file is signed by our dual code-signed certificate.

The Publisher scans the cab files for any new updates in the catalog.

The file hashes for the new updates in the cab file are verified, and the updates are downloaded.

The latest, updated version is brought into the publisher and disseminated based on the customer’s configurations for updates.

Preventing a Man-in-the-Middle (MitM) attack

What this means is that the cab file carries a digital signature that the Publisher looks for. If a MitM attack occurred and a malicious cab was delivered, it would fail signature verification. This prevents it from being imported into your environment.

This process prevents MitM (man-in-the-middle) attacks where a threat actor can get in the middle of a communication between two entities. The secure foundation of the Publisher and how the import occurs prevents this type of attack.

Due to our code-signing certificate, whose key is hardware-based, our signature verification processes, and the connection taking place over HTTPS, it is extremely difficult for a MitM attack to occur in the first place.

For example, if a threat actor crafted a malicious catalog and tried to serve it as ours, the signature verification check would throw it out. Basically, if the catalog is modified in any way, even if a threat actor took our catalog and tried to inject a malicious update into it, the signature wouldn’t match. It’s simply not valid and would be tossed.

Additionally, we check that the catalog cab file is signed by our dual code-signed certificate. If it is not, then, again, it is tossed.
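As an added illustration of the two checks described above (catalog signature verification, then per-file hash verification), the following PowerShell spot-check is not Patch My PC's own code and does not show how the Publisher implements them; it is what an administrator could run by hand on a downloaded catalog. The expected certificate thumbprint, the expected hash, and the file paths are placeholders.

```powershell
# Added example, not Patch My PC's code. Reproduces the Publisher's two checks
# as a manual spot-check: (1) the cab's Authenticode signature must be valid
# AND from the expected signer, (2) each update file's hash must match the
# catalog. Thumbprint, hash and paths below are placeholders.

function Test-CatalogSignature {
    param(
        [Parameter(Mandatory)] [string] $CabPath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # placeholder: take from a known-good catalog
    )
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    # 'Valid' means the signature chains to a trusted root and the file is unmodified;
    # anything else (NotSigned, HashMismatch, UnknownError) is a rejection.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejecting $CabPath : signature status is $($sig.Status)"
        return $false
    }
    # A valid signature from the wrong signer is still a rejection, so pin the
    # certificate. Refresh the pinned thumbprint whenever the vendor renews it.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        Write-Warning "Rejecting $CabPath : signed by $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

function Test-UpdateFileHash {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # placeholder: hex digest from the catalog entry
    )
    $actual = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Write-Warning "Hash mismatch for $FilePath : expected $ExpectedSha256, got $actual"
        return $false
    }
    return $true
}

# Usage (placeholders): only check update files if the catalog itself passed.
if (Test-CatalogSignature -CabPath 'C:\Temp\catalog.cab' -ExpectedThumbprint '<thumbprint>') {
    Test-UpdateFileHash -FilePath 'C:\Temp\update.msi' -ExpectedSha256 '<sha256 from catalog>'
}
```

Note that Get-AuthenticodeSignature reports only the primary signature, so a dual-signed cab is reported by one of its signers.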

What does Patch My PC use for our code-signing certificate?

The Patch My PC catalog is only signed by highly trusted, tenured individuals with a hardware-based DigiCert key. These individuals are different from those who build the catalog itself, and the signer and the approver are different people.

And on that note, once the catalog is built, checks are in place to verify the updates in the catalog. These checks include uploading the catalog into automated systems where it is scanned for a variety of issues, including viruses, malicious links, and file digest mismatches. After the checks pass, the catalog is signed, uploaded, and approved.

Preventing an insider threat

If a Patch My PC employee were to try to compromise the catalog, the automated scans set up would notify other employees immediately that the catalog is compromised and cannot move forward in the approval process.

For example, if an employee were to try and put a malicious link somewhere in the catalog, the automated scans would see it and bring it up as an issue.

Preventing a third-party file compromise

To help prevent third-party file compromise, we check the file with VirusTotal. If the file passes, we check the digital signatures on the file and make sure the file comes from the vendor it says it's from.

Some files, though, are too large to run through VirusTotal. If this is the case, we run the file through Microsoft Defender, which picks up issues. In this way, Patch My PC does its best to ensure our customers download a safe catalog.

Exceeding the industry standard

The process above far exceeds the industry standard. A typical systems administrator, when packaging software themselves, goes to a vendor website, clicks download, drags it into a folder, packages it, and sends it out. Very little to no verification is ever done to ensure the file is not compromised.

This is not done out of negligence or malicious intent, but because verifying the security of even one file takes a lot of time, energy, and effort. A typical systems administrator has very little of any of these due to the increasing workload and daily demands of the job.

Patch My PC Publisher is a tool that automates management of third-party updates and applications included in the Patch My PC Catalog for Microsoft Configuration Manager, Intune, and WSUS. With the Patch My PC Publisher, IT admins are able to easily keep third-party applications secure and up to date.

The verification of even one file can add hours of work to a process that already takes 2-3 hours to complete. Given that a typical small company has 50 applications installed, you can see how a systems administrator's workload does not allow for such security assurances.

Patch My PC on the other hand, not only automates this process for seamless deployment in your environment, but does so with verifications, hash checks, and code-signing validations to minimize the risk of third-party file compromise.

We do our due diligence and once we have the third-party file signed and in our cab catalog, we can guarantee that the file you receive is the exact same file we got from the vendor.

All the testing Patch My PC goes through as part of our application catalog pipeline allows us to provide a well-tested experience to our customers.

Customer verification

It’s important to note that once updates are in a customer’s environment, it’s up to you to complete a final quality check against your specific environment.