Bugtraq mailing list archives

Yahoo Pager auto-update


From: rrudolph () ARTIFEX DE (Ralf Rudolph)
Date: Wed, 5 Aug 1998 13:52:43 +0200


A few days ago, I installed the "yahoo pager" on my win95 machine. I
configured it NOT to auto-run at windows startup, which is not the
default option.

Today, when I started the yahoo pager, it automatically downloaded
executable files from http://pager.yahoo.com/pager/download/ (files
ypager.ex_, d23-fw.dl_, myyahoo.dl_ and possibly others) and installed
them without asking me. AFTER the upgrade, a message "Application
successfully upgraded!" was displayed.

If I'm not mistaken, it should be easy for an attacker to use (e.g.)
DNS poisoning to redirect "pager.yahoo.com" to his own webserver, offer
his own version of ypager.ex_ with a very high version number, and just
wait for the victim to start up the yahoo pager (default option:
autostart with windows startup), auto-download and auto-execute
whatever he wants to (trojan horses, network sniffers, viruses, etc.).
If the functionality of the original yahoo pager was preserved, the
victim wouldn't even notice he was under attack.

Am I right or am I paranoid? What security measures would possibly stop
such an attacker?

btw: The yahoo pager is only one example: Many software vendors offer
online upgrades. It just sounds like a bad idea to me to allow this
update without asking the user, and without any authentication.


Ralf


