Exactly how this can be done was demonstrated by researchers from UK-based security firm Context at the Black Hat conference in Las Vegas on Wednesday, where they showed how attackers can compromise corporate networks by exploiting a weakness in the Windows Update mechanism.
PCs on a corporate network typically receive their updates from a separate Windows Server Update Services (WSUS) server on the network. Insecurely configured WSUS deployments, the researchers say, can “be exploited in local privilege escalation and network attacks.”
What is WSUS?
Home users fetch Windows patches directly from Microsoft's Windows Update servers, but this is not the case for corporate users. Their patches are first downloaded to a Windows Server Update Services (WSUS) server inside the organisation, and the administrator then uses WSUS to deploy them to servers and desktops throughout the organisation.
Once the updates are on the WSUS server, the administrator controls which updates are approved, which groups of clients may download and install them, and when.
Intercepting WSUS to Inject Malware into Corporate Networks
By default, WSUS does not use SSL/TLS (HTTPS) for the SOAP (Simple Object Access Protocol) XML web service that clients talk to; it serves it over plain, unauthenticated HTTP. A WSUS installation that has not been configured for SSL is therefore open to man-in-the-middle (MitM) attacks on the path between client and server.
According to researchers Paul Stone and Alex Chapman from Context, starting from a low-privileged position on the network they were able to set up fake updates that connected machines downloaded and installed automatically.
All update packages downloaded from Microsoft Update are signed by Microsoft, and that signature means the update binaries themselves cannot be altered. What is not signed is the metadata the WSUS server sends to the client describing each update: which file to fetch and how to install it. An attacker in the middle can rewrite that metadata so the client runs an existing, legitimately signed binary with attacker-chosen arguments.
“By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates to execute arbitrary commands,” researchers said in the paper.
Windows Update also carries more than 25,000 third-party drivers, developed and signed by their own vendors rather than by Microsoft, which the researchers flag as a further concern.
“Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the ‘searching for Drivers’ and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”
Mitigation is as straightforward as the attack, according to the Context researchers: if network administrators follow Microsoft's guidance and configure the update server to use SSL, that alone prevents the attack described. They add that further steps, such as using a separate signing certificate to verify updates, would offer greater protection. One practical caveat: enabling SSL on the server is only half the job. The clients' update-server policy must point at the HTTPS URL, and the clients must trust the certificate the server presents, otherwise they keep talking plain HTTP or stop updating altogether.
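The following PowerShell is an added example, not code from the article or from Context: it audits a Windows client's WSUS policy for the plain-HTTP configuration described above. It reads the real policy keys that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (the "Specify intranet Microsoft update service location" setting); on a machine with no WSUS policy those keys are absent. The hostname in the usage note is hypothetical.

```powershell
# Added example (not from the article or Context). Audits the WSUS client policy on this
# machine and reports the weak settings: an http:// update server, or an https:// server
# whose certificate the client will not trust.
function Test-WsusClientPolicy {
    [CmdletBinding()]
    param(
        # Also open a TLS connection to the configured server and validate its certificate
        # the way the update client will (trusted chain, name matching the URL).
        [switch]$TestTls
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = Join-Path $policyKey 'AU'
    $findings  = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{
            UsesWsus = $false; WUServer = $null; WUStatusServer = $null
            Findings = @('No WSUS policy present: this client updates directly from Microsoft.')
        }
    }

    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey     -ErrorAction SilentlyContinue
    # UseWUServer = 1 under ...\WindowsUpdate\AU is what actually switches the client to WSUS.
    $usesWsus = ($null -ne $au -and $au.UseWUServer -eq 1)
    if (-not $usesWsus) {
        $findings.Add('UseWUServer is not 1: the client ignores WUServer and uses Microsoft Update.')
    }

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $wu.$name
        if (-not $url) { $findings.Add("$name is not set."); continue }
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $findings.Add("$name is not a valid absolute URL: $url"); continue
        }
        if ($uri.Scheme -ne 'https') {
            # The weak setting: update metadata crosses the network unauthenticated.
            $findings.Add("$name uses $($uri.Scheme) ($url): update metadata can be tampered with in transit.")
        } elseif ($uri.Port -eq 8530) {
            # 8530 is the WSUS HTTP port; 8531 is the default for HTTPS.
            $findings.Add("$name is https but on port 8530 (the WSUS HTTP port): confirm the IIS binding is really TLS.")
        }
    }

    if ($TestTls -and $usesWsus -and $wu.WUServer -match '^https://') {
        $check = Test-WsusServerCertificate -Uri ([uri]$wu.WUServer)
        if (-not $check.Trusted) {
            $findings.Add("TLS handshake to $($wu.WUServer) failed: $($check.Error). Clients that do not trust the certificate cannot update.")
        }
    }

    [pscustomobject]@{
        UsesWsus       = $usesWsus
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        Findings       = $findings.ToArray()
    }
}

function Test-WsusServerCertificate {
    param([Parameter(Mandatory)][uri]$Uri)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Uri.Host, $Uri.Port)
        # SslStream's default validation requires a chain to a trusted root and a name match,
        # which is what the Windows Update client also demands of an HTTPS WSUS URL.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Trusted = $true;  Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Trusted = $false; Subject = $null;         NotAfter = $null;         Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

# Usage: run on a domain-joined client. A clean result has an empty Findings array and a
# WUServer such as https://wsus.corp.example:8531 (hypothetical hostname).
Test-WsusClientPolicy -TestTls | Format-List
```

Run it across a sample of clients rather than on the WSUS server alone: the server's SSL configuration is irrelevant to any client whose policy still names the http:// URL, and a client that has the https:// URL but does not trust the certificate silently stops receiving updates.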
“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” says Alex Chapman, senior researcher and joint presenter at Black Hat.
“Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”
With the Windows 10 launch there will be a heavy flow of patches to fix bugs and flaws, and every corporate WSUS deployment still serving them over plain HTTP hands an attacker on the network a steady stream of trusted-looking updates to hijack, putting the Windows 10 machines behind those servers at risk.