You have 1 malicious update ready to install…6 August 2015: Yesterday at Black Hat USA, researchers from UK-based Context Information Security demonstrated how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS).WSUS allows admins to co-ordinate software updates to servers and desktops throughout their organisations, but the Microsoft default install for WSUS is to use HTTP and not SSL-encrypted HTTPS delivery. By exploiting this weakness, the Context researchers were able to use low-privileged access rights to set up fake updates that installed automatically. These updates could potentially download a Trojan or other malware and be used to set up admin access with a false user name and password. Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable. “It’s a simple case of a common configuration problem,” says Paul Stone, principal consultant at Context and one of the presenters at Black Hat yesterday. “While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.” Organisations can quickly find out if they are vulnerable by checking the WSUS group policy settings, while it is possible to check if an individual machine is incorrectly configured by looking at the appropriate registry keys. If the URL does not start with https, then the computer is vulnerable to the injection attack. While following Microsoft’s guidelines to use SSL for WSUS will protect against the described attacks, Context also suggests that there are further ‘defence in depth’ mitigations that could be implemented by Microsoft to provide further protection.“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” says Alex Chapman principal consultant at Context and joint presenter at Black Hat. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”During the Black Hat presentation, the Context researchers also raised concerns about third-party drivers installed via Windows update. There are over 25,000 potential USB drivers that can be downloaded – although this list includes many duplicates, generic drivers and obsolete versions. “We have started to download and investigate some 2,284 third-party drivers,” said Stone. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the ‘searching for Drivers’ and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.” A detailed paper to accompany the Black Hat presentation entitled ‘Compromising the Windows Enterprise via Windows Update’ can be downloaded at: http://www.contextis.com/news/new-paper-released-compromising-windows-enterprise/ Paul Stone’s biography is available at: https://www.blackhat.com/us-15/speakers/Paul-Stone.html Alex Chapman’s Biography is available at: https://www.blackhat.com/us-15/speakers/Alex-Chapman.html About ContextEstablished in 1998, Context’s client base includes some of the world’s most high profile blue chip companies, alongside public sector and government organisations, for technical assurance, incident response and investigation services. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants frequently present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide. www.contextis.com For more information for editors, please contact:Allie Andrews PRPR, Tel + 44 (0)1442 245030 allie@prpr.co.uk Source: RealWire

Leave a Reply