Microsoft spells out effort to prevent attackers from abusing Windows Update again

Dark Reading Staff, Dark Reading

June 7, 2012


Microsoft has revealed details on how it is hardening its Windows Update mechanism in response to the recent discovery that the Flame malware had abused it.

The software giant, which announced this week that it would beef up Windows Update, said yesterday that the newly hardened Windows Update and Windows Server Update Services (WSUS) infrastructures will be rolled out during the next few days.

The move follows the discovery this week that the Flame attacks combined fraudulent digital certificates with a man-in-the-middle attack to turn the Windows Update mechanism against users, using it to propagate across a local network.

"To attack systems using Windows Vista and above, a potential attacker would have needed access to the now invalid Terminal Server Licensing Service certificates and the ability to perform a sophisticated MD5 hash collision," explains Mike Reavey, senior director at Microsoft Security Response Center. "On systems that predate Vista, an attack is possible without an MD5 hash collision. In either case, of course, an attacker must get his signed code onto the target system. This can be done if the client’s Automatic Update program receives the attacker’s signed package because such packages are trusted so long as they are signed with a Microsoft certificate. Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack."

Microsoft is addressing this issue in two ways. First, the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, the company says it is strengthening the communication channel used by Windows Update "in a similar way."

"When events like the current one occur, it’s important for us to respond quickly and help protect customers as the first priority," Reavey blogs. "This is why our initial response was to invalidate the entire certificate authority hierarchy associated with Terminal Server licensing. This applied to both present and past certificates, rather than just the specific certificates known to be used by the Flame malware. This was a broad action and was the fastest way to protect the largest number of customers."
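The two measures above amount to a trust policy: an update client that pins one dedicated signing hierarchy, refuses certificates signed with MD5, and only then checks the signature on the package. The Go program below is an added illustration of that policy written for this page; it is not Microsoft's code and does not reproduce how Windows Update actually implements the change. It builds two constructed certificate hierarchies with the standard library (a pinned "Demo Update Signing Root" and an unrelated "Demo Licensing Root" shaped like the Terminal Server licensing chain Flame abused), signs the same constructed package under each, and shows that a mathematically valid signature from the wrong hierarchy, a tampered package, and an MD5-signed signer are all rejected while the pinned path is accepted. All names, the 2048-bit RSA keys and the payload are demo values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// UpdatePolicy models the hardened client the article describes: one dedicated
// root is pinned for update signing and MD5-signed certificates are refused.
type UpdatePolicy struct{ Roots *x509.CertPool }

// VerifyUpdate accepts a package only if no presented certificate is MD5-signed,
// the signer chains to the pinned root with a code-signing EKU, and the RSA
// signature over the payload verifies. Order matters: a valid signature from
// the wrong hierarchy is rejected before the signature is ever checked.
func VerifyUpdate(p *UpdatePolicy, payload, sig []byte, leaf *x509.Certificate, inters []*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range append([]*x509.Certificate{leaf}, inters...) {
		if c.SignatureAlgorithm == x509.MD5WithRSA || c.SignatureAlgorithm == x509.MD2WithRSA {
			return fmt.Errorf("%q: rejected signature algorithm %s", c.Subject.CommonName, c.SignatureAlgorithm)
		}
		if c != leaf {
			pool.AddCert(c)
		}
	}
	opts := x509.VerifyOptions{Roots: p.Roots, Intermediates: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("signer outside pinned update hierarchy: %w", err)
	}
	return leaf.CheckSignature(x509.SHA256WithRSA, payload, sig)
}

// mustIssue creates a demo certificate for cn, self-signed when parent is nil.
// Like a test fixture it panics on failure instead of returning an error.
func mustIssue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// mustSign produces a PKCS#1 v1.5 RSA-SHA256 signature over the payload.
func mustSign(key *rsa.PrivateKey, payload []byte) []byte {
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// RunScenario builds the two constructed hierarchies and returns the verdict
// for the trusted, rogue-hierarchy, tampered and MD5-signer cases.
func RunScenario() map[string]error {
	updRoot, updRootKey := mustIssue("Demo Update Signing Root", true, nil, nil)
	updLeaf, updLeafKey := mustIssue("Demo Update Client Signer", false, updRoot, updRootKey)
	licRoot, licRootKey := mustIssue("Demo Licensing Root", true, nil, nil)
	licInter, licInterKey := mustIssue("Demo Licensing Intermediate", true, licRoot, licRootKey)
	licLeaf, licLeafKey := mustIssue("Demo Licensing-Issued Signer", false, licInter, licInterKey)
	policy := &UpdatePolicy{Roots: x509.NewCertPool()}
	policy.Roots.AddCert(updRoot) // the only root the client trusts
	payload := []byte("constructed update package bytes")
	goodSig, rogueSig := mustSign(updLeafKey, payload), mustSign(licLeafKey, payload)
	return map[string]error{
		"trusted":  VerifyUpdate(policy, payload, goodSig, updLeaf, nil),
		"rogue":    VerifyUpdate(policy, payload, rogueSig, licLeaf, []*x509.Certificate{licInter}),
		"tampered": VerifyUpdate(policy, append([]byte("x"), payload...), goodSig, updLeaf, nil),
		"md5":      VerifyUpdate(policy, payload, goodSig, &x509.Certificate{SignatureAlgorithm: x509.MD5WithRSA}, nil),
	}
}
```

Run `RunScenario()` and only the "trusted" entry is nil. The rogue signature is cryptographically sound, which is exactly the Flame situation; it fails solely because its chain does not end at the pinned root, so the pinning check, not the signature check, is what the hardening adds.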

The use of unauthorized certificates is not unique to Flame, however; it is another trait the malware shares with Stuxnet and Duqu, both of which used fraudulent or stolen certificates. According to security researchers, Flame uses three modules to abuse Windows Update: Snack, Munch, and Gadget.

"When we first discovered Flame, we started looking in its code for at least one exploit that used a zero-day vulnerability to spread Flame and infect other machines inside the network," notes Alexander Gostev, head of Kaspersky Lab's Global Research and Analysis team. "Given its sophistication and the fact that it infected fully patched Windows 7 machines, there should have been one. What we’ve found now is better than any zero-day exploit. It actually looks more like a 'god mode' cheat code -- valid code signed by a keychain originating from Microsoft."
