
Windows Updates Can be Intercepted to Inject Malware


alacran


Windows Updates Can be Intercepted to Inject Malware into Corporate Networks

 

If you think that the patches delivered through Windows Update cannot be laced with malware, think again.
 
Security researchers have shown that hackers could intercept Windows Update to deliver and inject malware in organizations.
 
Security researchers from UK-based security firm ‘Context’ have discovered a way to exploit insecurely configured implementations of Windows Server Update Services (WSUS) for an enterprise.
 

What is WSUS in Windows?

 
Windows Server Update Services (WSUS) allows an administrator to deploy Windows software updates to servers and desktops throughout the organization.
 

These updates come from the WSUS server, not the Windows server.
 
Once the updates are with the administrator on the server, he can limit the privilege of the clients in a corporate environment to download and install these updates, as the admin is the owner of the distribution of these updates.
 
Intercepting WSUS to Inject Malware into Corporate Networks
 
By default, WSUS does not use SSL-encrypted HTTPS delivery for the SOAP (Simple Object Access Protocol) XML web service. Instead, it uses unencrypted HTTP.
 
This is a major WSUS weakness that should not be ignored now (at least now that it has been exploited and shown to the world).
 
As WSUS installations are not configured to use the SSL security mechanism, they are vulnerable to man-in-the-middle (MitM) attacks.
 
According to researchers Paul Stone and Alex Chapman, the attack is so simple that a hacker with low privileges can set up fake updates that can be installed automatically by connected machines.
 
All update packages that are downloaded from the Microsoft Update website are signed with a Microsoft signature, which cannot be altered.
 
However, hackers can alter Windows Update by installing malware in the metadata of the update.

"By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates to execute arbitrary commands," researchers said in the .

A malicious attacker can inject malware into the SOAP XML communication between the WSUS server and the client, making it look like a purely authentic update to install.
 
Windows Update also includes more than 25,000 third-party drivers that are developed and signed by other developers, which can also be altered easily.

Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the 'searching for Drivers' and ‘Windows Update' dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.

So now it can be a big security threat for the new Windows 10. Either corporates are going to live in the era of old Windows, or upgrade and welcome the malware!
 
The researchers demonstrated the hack at the Black Hat security conference in Las Vegas this week in a talk titled "WSUSpect: Compromising the Windows Enterprise via Windows Update" (PDF).

 

Source:

 

http://thehackernews.com/2015/08/windows-update-malware.html

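The weakness the post describes is a client-side configuration that can be audited. The following PowerShell is an added example, not code from the original post, the Hacker News article or the Context researchers; it reads the standard Windows Update Group Policy registry values (WUServer, WUStatusServer, UseWUServer) and flags any WSUS URL that is not https://, i.e. the plain-HTTP SOAP channel that a man in the middle can tamper with. The hostname wsus.corp.example in the demo call is hypothetical.

```powershell
# Added example, not code from the original post or from Context's research.
# Audits a Windows client's WSUS settings for the weakness described above:
# update metadata fetched over plain HTTP. The registry paths are the
# standard Windows Update Group Policy keys; the hostname in the demo call
# at the bottom is hypothetical.

function Get-WsusTransportFinding {
    param(
        # Policy values as a hashtable so the logic can be exercised offline.
        [Parameter(Mandatory)] [hashtable]$Policy
    )
    $findings = @()

    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores WUServer and talks to Microsoft Update directly'
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $Policy[$name]
        if ([string]::IsNullOrWhiteSpace($value)) {
            $findings += "$name is not set"
            continue
        }
        $uri = $value -as [uri]
        if (-not $uri -or -not $uri.IsAbsoluteUri) {
            $findings += "$name is not an absolute URL: $value"
            continue
        }
        if ($uri.Scheme -ne 'https') {
            # This is the precondition for the attack in the post: SOAP metadata
            # is readable and writable by anyone between client and server.
            $findings += "$name uses $($uri.Scheme):// ($value); update metadata can be altered in transit"
        }
    }

    # Both URLs should point at the same WSUS server; a mismatch often means
    # a half-finished migration to HTTPS (one key changed, the other not).
    $hosts = foreach ($n in 'WUServer', 'WUStatusServer') {
        $u = $Policy[$n] -as [uri]
        if ($u) { $u.Host }
    }
    if (@($hosts | Select-Object -Unique).Count -gt 1) {
        $findings += "WUServer and WUStatusServer point at different hosts: $($hosts -join ', ')"
    }
    return $findings
}

function Test-WsusClientTransport {
    # Reads the live policy keys on this machine and runs the checks above.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $base)) {
        return @('No WindowsUpdate policy key: this client is not pointed at a WSUS server')
    }
    $wu = Get-ItemProperty -Path $base
    $au = if (Test-Path "$base\AU") { Get-ItemProperty -Path "$base\AU" } else { $null }
    Get-WsusTransportFinding -Policy @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

# Demo with a constructed, hypothetical configuration (not read from a machine):
$demo = @{
    WUServer       = 'http://wsus.corp.example:8530'
    WUStatusServer = 'http://wsus.corp.example:8530'
    UseWUServer    = 1
}
Get-WsusTransportFinding -Policy $demo | ForEach-Object { "FINDING: $_" }

# Live check on the current machine (run in an elevated or at least local session):
# Test-WsusClientTransport
```

No output from the function means both WSUS URLs already use https://. Changing the client to https://...:8531 on its own is not enough: the WSUS server must also be configured to require SSL (wsusutil.exe configuressl with the server's FQDN) with a certificate the clients trust, otherwise they simply stop receiving updates. HTTPS addresses the on-the-wire tampering the post describes; it does nothing against an attacker who already has write access to the WSUS server itself.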


This just really begs the question: are technology, computers, and ultimately the internet worth all this hassle?

I know, there are many, many arguments to that. But let's face it, we're all battling a losing game. No matter how ironclad you make something, there will always be something to break into it with little effort. That's why when people go for all these new 'smart' appliances, I shake my head and start up my good ol' manual washing machine from 1995. The only way you can hack into that is by coming to my house, breaking in, and playing with the dial. Now... who'd go through that effort? Now if it's connected to the internet and someone finds their way in... how are you honestly going to fix it without unplugging it from the wall and waiting for a software update, or at least disconnecting it from the internet? Completely defeats the purpose of it, truthfully.

 

Computers will always be fun and useful, but it seems the world is starting to rely on them too much, and we should not be living in a world where everything is on the internet. It's just begging for something to go completely wrong.
