Windows updates delivered from an enterprise update server that is not configured to use encryption are vulnerable to an injection attack
Windows 10 has arrived, and it has had its fair share of controversies, from accusations of spying on users to clauses about disabling pirated games and unauthorised hardware. The latest issue to hit the headlines is not specific to Windows 10 but concerns how Windows patches are delivered inside corporate networks. Researchers have shown that an attacker on the local network can intercept the delivery of Windows patches from a WSUS server and inject malware into the update process.
Exactly how this can be done was demonstrated by researchers from UK-based security firm Context at the Black Hat conference in Las Vegas on Wednesday. They showed how attackers can compromise corporate networks by exploiting a weakness in the way Windows Update is deployed in the enterprise.
PCs on a corporate network typically update through a Windows Server Update Services (WSUS) server on the local network rather than directly from Microsoft. Insecurely configured instances of that update server can, in the researchers' words, “be exploited in local privilege escalation and network attacks.”
What is WSUS?
Home users receive Windows patches directly from Microsoft's own Windows Update servers, but this is usually not the case for corporate users. The patches are first synchronised to the organisation's Windows Server Update Services (WSUS) server, and the administrator then uses WSUS to deploy them to servers and desktops throughout the organisation.
Once the updates are on the WSUS server, the administrator decides which of them to approve and which groups of clients are allowed to download and install them, so a patch can be tested before it is rolled out across the whole estate.
Intercepting WSUS to Inject Malware into Corporate Networks
By default, WSUS does not serve its SOAP (Simple Object Access Protocol) XML web service over HTTPS; SSL/TLS is an optional configuration step, and out of the box the client and server talk plain, unencrypted HTTP. A WSUS installation that has not been configured to use SSL is therefore vulnerable to a man-in-the-middle (MitM) attack: anyone who can sit on the network path between a client and its WSUS server can read and rewrite the update metadata the client receives. The client still checks that each downloaded update file carries a valid Microsoft signature, which is why the researchers' attack reuses legitimately signed Microsoft binaries rather than shipping an unsigned payload.
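The first thing an administrator will want to know is whether their own clients are talking to WSUS over plain HTTP. The following PowerShell is an added example written for this article; it is not code from the Context researchers or from Microsoft. It reads the standard Windows Update policy values that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer and AU\UseWUServer) and flags an update server URL that starts with http://. Run it in an elevated PowerShell session on a domain-joined client.

```powershell
# Added example (not part of the original article or the Context paper): audit a
# client's WSUS configuration and flag an update server reached over plain HTTP.
# Assumes the standard Windows Update policy registry path used by Group Policy.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusClientConfig {
    # Returns an object describing where this client fetches updates from.
    # Each value is read with -ErrorAction SilentlyContinue so a machine that is
    # not managed by WSUS simply yields $null rather than an error.
    $wuServer  = (Get-ItemProperty -Path $policyKey -Name WUServer       -ErrorAction SilentlyContinue).WUServer
    $statusSrv = (Get-ItemProperty -Path $policyKey -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
    $useWsus   = (Get-ItemProperty -Path $auKey     -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer

    [pscustomobject]@{
        UsesWsus     = [bool]($useWsus -eq 1 -and $wuServer)
        UpdateServer = $wuServer
        StatusServer = $statusSrv
        PlainHttp    = [bool]($wuServer -and $wuServer -match '^http://')
    }
}

function Test-WsusTransport {
    param([string]$Url)
    # The attack described in the article needs a plaintext channel between the
    # client and the WSUS server. An https:// WUServer, backed by a certificate
    # the client trusts, is the configuration the researchers recommend.
    if (-not $Url) {
        return 'Not configured: client updates directly from Microsoft, WSUS attack does not apply'
    }
    if ($Url -match '^https://') {
        return "OK: WSUS reached over HTTPS ($Url)"
    }
    return "VULNERABLE: WSUS reached over plain HTTP ($Url); an on-path attacker can rewrite update metadata"
}

# Usage: show the raw configuration, then the verdict.
$cfg = Get-WsusClientConfig
$cfg
Test-WsusTransport -Url $cfg.UpdateServer
```

A client that reports plain HTTP is fixed on the server side, not the client side: the WSUS server must first be configured for SSL (Microsoft's documented step is running `wsusutil.exe configuressl <server FQDN>` from the Update Services tools directory after binding a certificate in IIS), and only then should the Group Policy URL be changed to https://, conventionally on port 8531 rather than the default HTTP port 8530. Switching the client URL first, before the server has a trusted certificate, just breaks updating.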
“By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates to execute arbitrary commands,” researchers said in the paper.
“Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the ‘searching for Drivers’ and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”
“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” says Alex Chapman, senior researcher and joint presenter at Black Hat. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”
The Windows 10 launch will bring plenty of patches to fix bugs and flaws, but this attack is not a way for criminals to flood the Internet with fake Windows patches. It requires an attacker on the network path between a client and a WSUS server that has been left on plain HTTP, and home users who update directly from Microsoft are not affected. The practical lesson for administrators is to configure WSUS to use SSL and to point clients at an https:// update URL before the Windows 10 patch cycle gets under way.