Microsoft Update and The Nightmare Scenario

June 5th, 2012

Via: F-Secure:

About 900 million Windows computers get their updates from Microsoft Update. In addition to the DNS root servers, this update system has always been considered one of the weak points of the net. Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it.

Turns out, it looks like this has now been done. And not by just any malware, but by Flame.

The full mechanism isn’t yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.

This file is signed by Microsoft with a certificate that is chained up to the Microsoft root.

Except it isn’t really signed by Microsoft.

Turns out the attackers figured out a way to misuse a mechanism that Microsoft uses to create Terminal Services activation licenses for enterprise customers. Surprisingly, these keys could be used to also sign binaries.

Research Credit: RJF
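As an added defender-side example (not part of the F-Secure post, and not Microsoft's own tooling), the PowerShell below checks an update binary's Authenticode chain the way the post implies one should: not merely that it chains to a trusted root, but that the whole path is valid for the code-signing purpose, is unrevoked, and runs through an issuing CA you pinned in advance from a known-good binary. The `$ExpectedIssuerThumbprints` list is a placeholder assumption to be filled by the administrator.

```powershell
# Added example: verify an update binary's Authenticode chain, not just "chains to a root".
# $ExpectedIssuerThumbprints is a placeholder; fill it from a known-good signed binary.
param(
    [Parameter(Mandatory)] [string] $Path,
    [string[]] $ExpectedIssuerThumbprints = @('<SHA1 THUMBPRINT OF KNOWN-GOOD ISSUING CA>')
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Output "REJECT: signature status $($sig.Status) - $($sig.StatusMessage)"
    return
}
$leaf = $sig.SignerCertificate

# Rebuild the chain ourselves, requiring the Code Signing purpose (EKU 1.3.6.1.5.5.7.3.3)
# on the path and online revocation checking for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($leaf)

# Print the path with thumbprints so an operator can compare it against what they expect.
foreach ($el in $chain.ChainElements) {
    $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    Write-Output ("{0,-60} {1} {2}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint, $flags)
}
if (-not $built) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Output "REJECT: chain build failed: $why"
    return
}
if ($chain.ChainElements.Count -lt 2) {
    Write-Output 'REJECT: self-signed leaf, no issuing CA to check'
    return
}

# The CA directly above the leaf must be one we pinned; a valid chain to the
# right root through an unexpected intermediate is exactly the case to catch.
$issuer = $chain.ChainElements[1].Certificate
if ($ExpectedIssuerThumbprints -notcontains $issuer.Thumbprint) {
    Write-Output "REJECT: unexpected issuing CA '$($issuer.Subject)' ($($issuer.Thumbprint))"
    return
}
Write-Output "ACCEPT: $Path signed by '$($leaf.Subject)' via a pinned issuing CA"
```

Run it as a script against a downloaded update before approving it in WSUS; a REJECT line with the printed path is what to escalate.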

One Response to “Microsoft Update and The Nightmare Scenario”

  1. JWSmythe says:

    That’s absolutely lovely.

    I’m sure Microsoft will have an update for it in 6 months to a year, as they typically do. That also does absolutely nothing for those machines that are already infected.

    I would suspect when MS puts out press releases and announcements saying “Go to http://microsoft.com/…” to get the fix, that will automatically be redirected to either an inert update, or one more malicious than the last.

    This problem did exist with various Linux platforms too. Most systems can update themselves automatically. Some are set to do it by default. The fear was a repository could be compromised. This was handled by various countermeasures. To the best of my knowledge, it hasn’t been a real compromise.

    We set up a WSUS server for one of our offices, because there were so many machines on a relatively slow connection.

    Linux has a pretty simple way of handling the repository. Dump the files in a directory (or directory tree). For production environments, manage your own repository and only put the updates in once you have tested them in accordance with your company’s rules. It is pretty easy to look through and see what’s there. If you want a new package, drop it in. Securing that is up to company policy.

    WSUS, on the other hand, contains an amazing amount of hand waving and black magic. Resolving problems can range from an inconvenience to a complete nightmare. It’s all fun and games on a network with fewer than 10 machines; it’ll keep you busy. On a network of hundreds or thousands, it becomes a full time task for multiple admins.

    I’d comment on the way Mac updates, but I honestly don’t know much about it, and nothing about operating them in a production environment. Macs in most offices are a novelty left to a handful of people who promise they’ll manage them properly, with the top brass’s approval.

    I’m really not surprised the MS signing authority was compromised. The wording on that last paragraph tends to sound like someone at MS leaked the signing tool or at least the cert to a friend, who gave it to a couple friends, and in just a few generations of friendly cooperation to have their own unlimited terminal services at home, it ended up in the wrong hands.

    Every MS security measure has been compromised in a relatively short time after it was released. Some compromises came *before* release. A quick torrent search (warning: don’t do it, it’s bad for your soul, wallet, and will likely get you infected with new viruses) will provide you with keygens and ISOs for every version of Windows, and WGA circumvention methods for more modern releases. I can’t advocate it, but I will say they do exist.

    I generally believe, with factual reinforcement, that any sort of MS security is a joke. They have a huge budget, which appears to go more towards sales and marketing than anything else. It makes sense, they are selling a product, and customers will buy it regardless of whether it is ready for the customers to use. Problems will be fixed with hotfixes, daily updates, and service pack rollups that will continue until the product is end of life.
