
As long as it's done right and only installs updates signed by Mozilla, then it is secure.



I'll bet you a beer or whatever you like to drink we're going to see a flurry of exploits around this service.

I happen to have written a similar service a couple of years ago for a very different purpose and let me tell you one thing: this is nothing less than a backdoor.

You run a program from the service and make sure it runs in the user's session. The problem is, how do you decide a program is "legit"?

You're going to tell me "you check against a digital signature". Except it doesn't work. You can only check parts of the binary, not the whole binary (as some content is unpredictable once it runs).

The other big problem - assuming they have a perfect gateway - is that a vulnerability in Firefox could become catastrophic as it could go through the service to run as a privileged user and wreak havoc.


1: Firefox always used UAC for updates. Did it wreak havoc? Because believe it or not, UAC = admin rights. That's because Firefox always installed itself in program files.

2: You could exploit Google's update service as well. Do I see a flurry of exploits around it? Much much smaller code base. Much less complex tasks.

3: A digital signature signs the whole binary. Not parts of the binary. Do you know how this works? There's no such thing as signing a partial binary.


> You're going to tell me "you check against a digital signature". Except it doesn't work. You can only check parts of the binary, not the whole binary (as some content is unpredictable once it runs).

I read this a few times, and I still don't get why you wouldn't check the whole binary. Care to elaborate?


> You can only check parts of the binary, not the whole binary
Not only would they be signing the binary in its entirety, they're almost certainly signing every single byte of the update package, right down to the very last manifest file and license agreement.

> some content is unpredictable once it runs
Yes, but "some" content isn't allowed to run.
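The point the last two replies make, that a signed update covers every byte of every file in the package and not some subset of the binary, is easy to show concretely. The following is an added example, not code from the thread or from Mozilla's updater: it builds a canonical manifest of SHA-256 digests over a constructed in-memory package (a placeholder "firefox.exe", an ini file and a license text), signs that manifest with Ed25519, and verifies it the way an update service would before executing anything. Ed25519, the manifest layout and the file names are all assumptions chosen for the demonstration; the "unpredictable once it runs" state a process accumulates never enters the picture, because verification happens over the bytes on disk before anything is launched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Package is a constructed in-memory update package: relative path -> file bytes.
type Package map[string][]byte

// BuildManifest lists the SHA-256 digest of every file, sorted by path so the
// serialization is canonical. Every byte of every file, license text included,
// contributes to the digest that gets signed.
func BuildManifest(pkg Package) []byte {
	paths := make([]string, 0, len(pkg))
	for p := range pkg {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(pkg[p])
		fmt.Fprintf(&sb, "%s %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(sb.String())
}

// SignPackage produces the detached signature a publisher ships with the package.
func SignPackage(priv ed25519.PrivateKey, pkg Package) []byte {
	return ed25519.Sign(priv, BuildManifest(pkg))
}

// VerifyPackage is the check an update service runs before executing anything:
// recompute the manifest from the bytes actually present, then verify the
// signature over it with the publisher's pinned public key. Any changed, added
// or removed file changes the manifest and the signature no longer matches.
func VerifyPackage(pub ed25519.PublicKey, pkg Package, sig []byte) error {
	if !ed25519.Verify(pub, BuildManifest(pkg), sig) {
		return errors.New("update package rejected: signature does not cover these bytes")
	}
	return nil
}

// samplePackage returns constructed test data, not a real Firefox update.
// A fresh copy is returned on each call so callers can tamper with one freely.
func samplePackage() Package {
	return Package{
		"firefox.exe": []byte("MZ constructed binary contents"),
		"updater.ini": []byte("[Strings]\nTitle=Constructed Update\n"),
		"LICENSE":     []byte("Mozilla Public License 2.0 (placeholder text)\n"),
	}
}

// RunScenario signs the sample package with a freshly generated key and reports
// whether verification accepts the genuine package and whether it (wrongly)
// accepts two tampered variants: one bit flipped in LICENSE, and one extra file.
func RunScenario() (genuineOK, licenseTamperOK, extraFileOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	pkg := samplePackage()
	sig := SignPackage(priv, pkg)
	genuineOK = VerifyPackage(pub, pkg, sig) == nil

	tampered := samplePackage()
	lic := tampered["LICENSE"]
	lic[len(lic)-2] ^= 0x01 // flip one bit deep in the license text
	licenseTamperOK = VerifyPackage(pub, tampered, sig) == nil

	extra := samplePackage()
	extra["helper.dll"] = []byte("file not present when the package was signed")
	extraFileOK = VerifyPackage(pub, extra, sig) == nil
	return genuineOK, licenseTamperOK, extraFileOK, nil
}

func main() {
	genuine, lic, extra, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine package verifies: %v\n", genuine)
	fmt.Printf("one bit flipped in LICENSE still verifies: %v\n", lic)
	fmt.Printf("extra file added still verifies: %v\n", extra)
}
```

The manifest-of-digests shape is deliberate: a service only needs to hold the publisher's public key, and it can reject a package before touching any executable in it. The same argument applies to a signature computed directly over a single concatenated binary; splitting it per file just makes it visible which entry changed when verification fails.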



