
Windows patches could be intercepted

The Black Hat conference is great for spreading paranoia and researchers from the UK-based security firm Context are adding fuel to that fire.

According to them, there is a way for hackers to intercept Windows updates before they reach their designated machine, and fill them up with malware.

That way, you think you’re getting the official Windows patch, but instead, you’re getting hacked into oblivion.

This technique, however, only affects corporate machines, specifically those that receive their updates from an internal update server.

PCs on a corporate network update through a separate Windows Update (WSUS) server on the network. But insecurely configured implementations of the corporate update server can "be exploited in local privilege escalation and network attacks."

"During the update process, signed and verified update packages are downloaded and installed to the system. By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates in order to execute arbitrary commands," said the paper, seen by ZDNet prior to the scheduled talk on Thursday.

The researchers managed to create fake updates which the machines pulled and installed automatically. According to a report by ZDNet, certain servers are vulnerable to man-in-the-middle attacks:

“WSUS servers that aren't configured to use common web encryption, such as a Secure Socket Layer (SSL) certificate, are vulnerable to man-in-the-middle attacks, wherein an attacker injects updates with malware,” it says in the report.

"It's a simple case of a common configuration problem," said Stone in prepared remarks.

"Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes," he said.

The fix, however, is relatively simple: follow Microsoft’s advice and use SSL by default on the update server, so that clients fetch updates over HTTPS rather than plain HTTP.
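As an added example (not code from Context, ZDNet or Microsoft), the following PowerShell audit checks a Windows client for the misconfiguration described above. It reads the WSUS settings that Group Policy writes to the registry (the standard `WUServer`, `WUStatusServer` and `UseWUServer` values under the `WindowsUpdate` policy key) and flags an update server that is reached over plain `http://`, which is the state the fix above removes. The function name `Get-WsusClientAudit` and the finding texts are this example's own.

```powershell
# Added example: audit a client's WSUS configuration for cleartext HTTP.
# Not part of the original article or of Context's research tooling.
# Assumes the standard Group Policy registry locations for Windows Update.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

function Get-WsusClientAudit {
    # No policy key at all means the client is not pointed at a WSUS server.
    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{
            UsesWsus = $false
            Findings = @('No WindowsUpdate policy key: client updates directly from Microsoft, not via WSUS')
        }
    }

    $props   = Get-ItemProperty -Path $policyKey
    $useWsus = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).UseWUServer
    $findings = @()

    # Both the update URL and the status/reporting URL should use HTTPS.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $props.$name
        if (-not $url) {
            $findings += "$name is not set"
            continue
        }
        if ($url -match '^http://') {
            # This is the weak setting: update traffic travels in cleartext and
            # can be altered on the network path. Change the URL to https://.
            $findings += "$name = $url uses cleartext HTTP (FAIL): switch the server and this policy to https://"
        } elseif ($url -match '^https://') {
            $findings += "$name = $url uses HTTPS (OK)"
        } else {
            $findings += "$name = $url has an unexpected scheme (review manually)"
        }
    }

    [pscustomobject]@{
        UsesWsus = ($useWsus -eq 1)
        Findings = $findings
    }
}

# Run the audit and print the result; a FAIL line means the client is
# configured the way the researchers' attack requires.
Get-WsusClientAudit | Format-List
```

Run it in an elevated PowerShell session on a domain-joined client; since the values come from Group Policy, a FAIL finding is fixed centrally by changing the policy (and the WSUS server's own SSL configuration), not by editing the registry on each machine.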