Windows patches can be intercepted and injected with malware

Researchers say Windows machines that fetch updates from an enterprise update server not configured to use encryption are vulnerable to an injection attack.
Written by Zack Whittaker, Contributor
(Image: CNET/CBS Interactive)

Can you be certain that patches served through Windows Update aren't laced with malware?

Researchers at UK-based security firm Context demonstrated at the Black Hat conference in Las Vegas on Wednesday how hackers can compromise corporate networks by exploiting a weakness in Windows' update mechanism.

The attack is simple enough. Typically, PCs on a corporate network update through a separate Windows Update (WSUS) server on the network. But insecurely configured implementations of the corporate update server can "be exploited in local privilege escalation and network attacks."

"During the update process, signed and verified update packages are downloaded and installed to the system. By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates in order to execute arbitrary commands," said the paper, seen by ZDNet prior to the scheduled talk on Thursday.

The researchers used low-privileged access rights to set up fake updates that were downloaded and installed automatically by connected machines.

WSUS servers that aren't configured to use common web encryption, such as a Secure Socket Layer (SSL) certificate, are vulnerable to man-in-the-middle attacks, wherein an attacker injects updates with malware.

"It's a simple case of a common configuration problem," said Stone in prepared remarks.

Stone said that corporate update servers that don't enforce encryption present "an opportunity for an administrator to compromise complete corporate networks in one go."

"Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes," he said.

(Image: Context)

And yet, bizarrely, there's a relatively simple fix to prevent these attacks from happening.

The researchers said if network administrators followed Microsoft's guidelines to use SSL by default on the update server, that alone will be enough to prevent the described attack. That said, they added there were additional steps to take to offer greater protection, such as using a separate signing certificate to verify updates.

We reached out to Microsoft but did not hear back at the time of writing. If we do, we'll update the piece.

How to secure your computer and online accounts in 10 simple steps

Editorial standards