If you think that the patches delivered through Windows update can not be laced with malware, think again.
Security researchers have shown that Hackers could intercept Windows Update to deliver and inject malware in organizations. Security researchers from UK-based security firm ‘Context’ have discovered a way to exploit insecurely configured implementations of Windows Server Update Services (WSUS) for an enterprise.
WSUS allows an administrator to deploy the Windows software update to servers and desktops throughout the organization. These updates come from the WSUS server and not Windows server. Once the updates are with the administrator on the server, he can limit the privilege for the clients in a corporate environment to download and install these updates. As the admin is the owner of the distribution of these updates.
Intercepting WSUS to Inject Malware into Corporate Networks
By default, WSUS does not use SSL encrypted HTTPS delivery for the SOAP (Simple Object Access Protocol) XML web service. Instead, it uses the non-encrypted HTTP. This is a major WSUS weakness that should not be ignored now. (At least when it has been exploited and shown to the world). As WSUS installations are not configured to use SSL security mechanism, hence they are vulnerable to man-in-the-middle (MitM) attacks.
According to researchers Paul Stone and Alex Chapman, the attack is so simple that a hacker with low privileges can set up fake updates that can be installed automatically by connected machines. All update packages that are downloaded from the Microsoft Update website are signed with a Microsoft signature. Which cannot be altered.
However, Hackers can alter Windows Update by installing malware in the metadata of the update. "By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates to execute arbitrary commands," researchers said in the paper. A malicious attacker can inject malware in the SOAP XML communication between the WSUS server and the client and making it look purely authentic update to install.
Windows update also includes more than 25,000 of 3rd-party drivers that are developed and signed by other developers, which can also be altered easily. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the 'searching for Drivers' and ‘Windows Update' dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”
So, now it can be a big security threat for the new Windows 10. Either the corporates are going to live in the era of old Windows or upgrade and welcome the malware! The researchers demonstrated the hack at the Black Hat security conference in Las Vegas this week in a talk titled, WSUSpect: Compromising the Windows Enterprise via Windows Update [PDF].