Security researchers from Context security firm have discovered a technique to serve malware exploiting the Windows update mechanism. The researchers are able to exploit insecurely configured implementations of Windows Server Update Services (WSUS) for an enterprise to compromise machines exposing organizations to serious risks.
The Windows Server Update Services (WSUS) is used by administrators to deploy Windows updates to the machines within the organization.
Despite the Windows update is a critical process, by default the Windows Server Update Services (WSUS) does not use SSL encrypted HTTPS delivery of the SOAP (Simple Object Access Protocol) XML web service.
The lack of encryption opens the door to man-in-the-middle (MitM) attacks, this means that an attacker can inject malicious code in the legitimate traffic, for example replacing software updates with trojanized version of the patch.
The researchers Paul Stone and Alex Chapman explained that attacks against the Windows Server Update Services are very easy to carry on and don’t request high privileges to push malicious updates.
Let’s remember that all update packages available on the Microsoft Update website are digitally signed, a measure used to ensure authenticity and integrity.
However, as explained by the experts the attackers can alter Windows Update by installing malware in the metadata of the update.
“It’s a simple case of a common configuration problem,”“While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.” researchers said in the paper.”By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates to execute arbitrary commands,” researchers said in the paper.
The experts explained that an attacker can inject malware in the SOAP XML communication between the WSUS server and the client, in this way there is no way for the client to distinguish a legitimate update from a bogus one.
Another element of concern for the Windows update process is that it includes more than 25,000 drivers developed by third-party companies. Potentially each driver could open the door to the hackers due to the presence of security flaws.
“We have started to download and investigate some 2,284 third-party drivers,” said Paul. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the ‘searching for Drivers’ and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”
The researchers demonstrated the attack at the Black Hat 2105 conference in Las Vegas, a detailed paper titled “WSUSpect: Compromising the Windows Enterprise via Windows Update” is available online.
(Security Affairs – Windows Server Update Services, Hacking)