Slashdot Mirror


Manipulating Microsoft WSUS To Attack Enterprises

msm1267 writes: Microsoft's enterprise-grade Windows Server Update Services (WSUS), used to download and distribute security and driver updates, poses a significant weak spot if not configured properly. Researchers Paul Stone and Alex Chapman during last week's Black Hat conference presented research (PDF) on the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL.

While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could, with some work, tamper with the unencrypted communication and inject a malicious homegrown update.
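The summary ties the weakness to WSUS not being "configured properly", i.e. update traffic that is allowed to travel over plain HTTP. The following added example (not from the researchers or from Microsoft) is a defender-side audit: it parses a Windows Update policy export and flags clients whose WSUS endpoint is not HTTPS. The registry key and the value names `WUServer` / `WUStatusServer` are the real policy locations; the `.reg` text is constructed sample input.

```python
import re
from urllib.parse import urlparse

# Real policy key and value names used to point Windows Update clients at WSUS.
WSUS_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
SERVER_VALUES = ("WUServer", "WUStatusServer")


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        val_match = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val_match and current is not None:
            keys[current][val_match.group(1)] = val_match.group(2)
    return keys


def audit_wsus_policy(reg_text):
    """Flag WSUS client policy that lets update metadata travel over plain HTTP."""
    findings = []
    values = parse_reg_export(reg_text).get(WSUS_POLICY_KEY, {})
    for name in SERVER_VALUES:
        url = values.get(name)
        if url is None:
            findings.append(f"{name} not set: no WSUS endpoint configured by policy")
            continue
        if urlparse(url).scheme.lower() != "https":
            findings.append(f"{name}={url}: not HTTPS, metadata can be tampered with in transit")
    if len({values.get(n) for n in SERVER_VALUES}) > 1:
        findings.append("WUServer and WUStatusServer differ: expected one WSUS endpoint")
    return findings


# Constructed sample export: a typical unhardened deployment on the default HTTP port 8530.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate]
"WUServer"="http://wsus.corp.example:8530"
"WUStatusServer"="http://wsus.corp.example:8530"
"""

if __name__ == "__main__":
    for finding in audit_wsus_policy(SAMPLE_REG):
        print(finding)
```

On a real host the input is the output of `reg export` of the policy key; an empty result list means every client-side WSUS URL is HTTPS, which removes the plaintext leg an on-network attacker would need to tamper with.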


  1. Re:More proof... by cdrudge · Score: 3, Informative

    ...that features will trump security every time.

    Is it any different than, say, apt-get using unsecured http or ftp connections?

    Their products are defective and they should be forced to correct those defects. And by correct, I don't mean sell you the newer version of their product. I mean doing real, thorough security analysis before shipping, and supporting previous versions for a long time.

    Then you'd never get your product and/or it would be so ridiculously expensive that you couldn't afford it. EVERY major piece of software has bugs. It's a fact of life. Even the Space Shuttle, where billions of dollars and decades of time were spent perfecting things, still had a few bugs over its life.

    And how long is "a long time"? Windows 7 will be supported for 11 years, until 2020. XP was released in 2001 and just ended support last year after it was supported for 13 years. The Linux 2.4 branch was released in 2001 and was maintained until 2011. Where's the outrage that it's not still being maintained and supported?

    Google is who I'm now starting to wonder about, with all of these unpatchable cell phones because they don't want to support Android 2.3 or 4.1 even though the devices with these versions can't run anything newer.

    Don't blame Google on that. Google continuously updates their software, releasing fixes. It's the manufacturers and carriers that refuse to support/update them. It would be like yelling at Linus et al. for a kernel bug that Debian or Red Hat drags their feet to incorporate into their distributions.