Software-Update for Austrian Citizen Card vulnerable to MITM

TL;DR: The update mechanism of the A-Trust BKU did not check the SSL server certificate before version

Long story:

The Austrian Citizen Card (Bürgerkarte) is a smartcard that allows every citizen to create qualified electronic signatures, which are meant to be equivalent to handwritten signatures. To use the Bürgerkarte, a piece of software called the Bürgerkartenumgebung (BKU) is needed, either a locally installed one or a Java applet (Mocca). The most widely used locally installed BKU is the “A-Trust BKU”, which has been around since November 2008.

I was wondering how the update mechanism works and found that it uses HTTPS to fetch an “update.ini” which contains information about the latest version. I was curious and created an update.ini file, altered the hosts file and... it worked.

When A-Trust BKU thinks it has found an update it shows this window:

After the update has been downloaded, it is simply executed (UAC elevated!):
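The checks an updater in this style needs, as an added example (Python, not A-Trust's code; the update.ini layout, the `updates.example.invalid` URL, the installer bytes and all function names are assumptions constructed for illustration): the TLS context that accepts any server certificate, which is what the hosts-file redirect above exploits, beside the hardened one; an optional certificate-fingerprint pin; and a hash check that ties the downloaded installer to the manifest before anything is executed.

```python
# Added example (not A-Trust's code): the checks an updater built around an
# update.ini manifest needs before it runs what it downloaded. The manifest
# layout, URL and sample bytes are assumptions constructed for illustration.
import configparser
import hashlib
import hmac
import ssl
import urllib.request


def vulnerable_context() -> ssl.SSLContext:
    """Accepts any server certificate. A host that is not the real update
    server (e.g. one reached through an altered hosts file) is never rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle=None) -> ssl.SSLContext:
    """Validates the chain against trusted CAs and checks that the certificate
    matches the requested host name, so a redirect fails the handshake."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    return ctx


def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates both the chain and the host name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def cert_fingerprint_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Optional pin on the SHA-256 fingerprint of the DER certificate (what
    SSLSocket.getpeercert(binary_form=True) returns): a certificate issued
    by a trusted CA for the wrong key is still refused."""
    fingerprint = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(fingerprint, pinned_sha256_hex.lower())


# Constructed sample installer bytes standing in for the real download.
GENUINE_INSTALLER = b"MZ-genuine-bku-setup-" + b"\x00" * 16
ATTACKER_INSTALLER = b"MZ-attacker-payload-" + b"\x00" * 16

# Constructed update.ini in an assumed layout; the sha256 field ties the
# manifest to exactly one installer.
SAMPLE_UPDATE_INI = (
    "[update]\n"
    "version = 9.9.9\n"
    "url = https://updates.example.invalid/bku-setup.exe\n"
    f"sha256 = {hashlib.sha256(GENUINE_INSTALLER).hexdigest()}\n"
)


def parse_manifest(text: str) -> dict:
    """Read the assumed [update] section of an update.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["update"]
    return {"version": sec["version"], "url": sec["url"], "sha256": sec["sha256"]}


def installer_matches_manifest(data: bytes, manifest: dict) -> bool:
    """Constant-time comparison of the download's SHA-256 with the manifest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"].lower())


def decide(manifest_text: str, installer: bytes) -> str:
    """'run' only if the installer is the one the manifest names; executing
    anything else elevated is exactly the behaviour described above."""
    manifest = parse_manifest(manifest_text)
    return "run" if installer_matches_manifest(installer, manifest) else "reject"


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Download over the given TLS context (needs network; not used offline)."""
    if not url.startswith("https://"):
        raise ValueError("update channel must be HTTPS")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("vulnerable context verifies server:", context_verifies_server(vulnerable_context()))
    print("hardened context verifies server:", context_verifies_server(hardened_context()))
    print("genuine installer:", decide(SAMPLE_UPDATE_INI, GENUINE_INSTALLER))
    print("swapped installer:", decide(SAMPLE_UPDATE_INI, ATTACKER_INSTALLER))
```

The hash in the manifest only helps if the manifest itself arrived intact: with the vulnerable context, whoever controls name resolution serves a forged update.ini and a matching installer, so it is the certificate and host-name validation (or a signature on the manifest under a key shipped with the client) that actually closes the hole, and the hash then only guards against a tampered download over the already-authenticated channel. Checking the installer's own code signature before the elevated execution is a further, independent layer.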

An update to version fixes this problem.