Slashdot Mirror


Manipulating Microsoft WSUS To Attack Enterprises

msm1267 writes: Microsoft's enterprise-grade Windows Server Update Services (WSUS), used to download and distribute security and driver updates, poses a significant weak spot if not configured properly. Researchers Paul Stone and Alex Chapman during last week's Black Hat conference presented research (PDF) on the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL.

While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could, with some work, tamper with the unencrypted communication and inject a malicious homegrown update.
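The summary's "if not configured properly" comes down to whether the update channel is served over HTTPS. The following is an added example, not code from the story or from Stone and Chapman's research: it audits the WSUS client policy as exported from the registry and flags any update-server URL that is not HTTPS. The value names WUServer, WUStatusServer and UseWUServer under the WindowsUpdate policy key are the real ones a WSUS client reads; the .reg export, host name and ports in the sample are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed sample: a WindowsUpdate policy key as reg.exe exports it.
# WUServer / WUStatusServer / UseWUServer are the real policy value names;
# the host name and the remaining content are made up for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.corp.example:8530"
"WUStatusServer"="http://wsus.corp.example:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"""

# The same policy after the WSUS server has been switched to HTTPS (constructed).
HARDENED_REG_EXPORT = SAMPLE_REG_EXPORT.replace("http://", "https://").replace(":8530", ":8531")

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
URL_VALUES = ("WUServer", "WUStatusServer")


def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: value}} for REG_SZ and REG_DWORD values."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            if raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1]          # REG_SZ
            elif raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)   # REG_DWORD
    return keys


def audit_wsus_transport(reg_text):
    """Return one finding per WSUS URL that is missing or not served over HTTPS."""
    findings = []
    parsed = parse_reg_export(reg_text)
    values = parsed.get(POLICY_KEY, {})
    au = parsed.get(POLICY_KEY + r"\AU", {})
    if au.get("UseWUServer") != 1:
        return findings  # client is not pointed at an internal WSUS server; nothing to audit here
    for name in URL_VALUES:
        url = values.get(name)
        if not url:
            findings.append(f"{name} is not set although UseWUServer=1")
            continue
        scheme = urlparse(url).scheme.lower()
        if scheme != "https":
            findings.append(f"{name}={url}: {scheme} transport, update metadata can be altered in transit")
    return findings


if __name__ == "__main__":
    for label, export in (("as found", SAMPLE_REG_EXPORT), ("hardened", HARDENED_REG_EXPORT)):
        print(label, audit_wsus_transport(export) or ["no findings"])
```

On a real host the export would come from `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" wu.reg`; the check only covers the client-side policy, so the WSUS server itself still has to be configured to serve HTTPS before the URLs are changed.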


  1. More proof... by TWX · · Score: 2, Interesting

    ...that features will trump security every time.

    I think that it's getting to be time to regulate software companies, especially for-profit companies. Their products are defective and they should be forced to correct those defects. And by correct, I don't mean sell you the newer version of their product. I mean doing real, thorough security analysis before shipping, and supporting previous versions for a long time.

    Microsoft actually isn't as bad as they used to be but they still have too many post-ship bugs. I don't care how big the project is, there are still too many bugs. Google is who I'm now starting to wonder about, with all of these unpatchable cell phones because they don't want to support Android 2.3 or 4.1 even though the devices with these versions can't run anything newer.

    And then there are the embedded systems, like cars...

    --
    Do not look into laser with remaining eye.

    1. Re:More proof... by cdrudge · · Score: 3, Informative

      ...that features will trump security every time.

      Is it any different than, say, apt-get using unsecured http or ftp connections?

      Their products are defective and they should be forced to correct those defects. And by correct, I don't mean sell you the newer version of their product. I mean doing real, thorough security analysis before shipping, and supporting previous versions for a long time.

      Then you'd never get your product and/or it would be so ridiculously expensive that you couldn't afford it. EVERY major piece of software has bugs. It's a fact of life. Even the Space Shuttle, where billions of dollars and decades of time were spent perfecting things, still had a few bugs over its life.

      And how long is "a long time"? Windows 7 will be supported for 11 years, until 2020. XP was released in 2001 and just ended support last year after it was supported for 13 years. The Linux 2.4 branch was released in 2001 and was maintained until 2011. Where's the outrage that it's not still being maintained and supported?

      Google is who I'm now starting to wonder about, with all of these unpatchable cell phones because they don't want to support Android 2.3 or 4.1 even though the devices with these versions can't run anything newer.

      Don't blame Google on that. Google continuously updates their software releasing fixes. It's the manufacturers and carriers that refuse to support/update them. It would be like yelling at Linus et al for a kernel bug that Debian or Redhat drags their feet to incorporate into their distributions.

    2. Re:More proof... by 0123456 · · Score: 2

      Is it any different than, say, apt-get using unsecured http or ftp connections?

      Yes. Apt doesn't run executables, it extracts .deb files that are signed by the distro key. The worst you could do would be to give the machine a different .deb file to the one it requested, which is potentially problematic (e.g. send an old version that has known security holes), but nowhere near as risky.

      This attack will apparently run any Microsoft-signed executable with any command-line arguments. That's just hilarious.
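The distinction 0123456 draws, a signed package format versus a signed executable launched with arguments that nothing authenticates, can be shown with a small model. This is an added example, not code from the post, the research or any update system: the signing key, the two "binaries" and the descriptor format are constructed, and HMAC-SHA256 stands in for a real asymmetric signature so the block runs with the standard library. Model A verifies only the executable; model B verifies a signed descriptor that pins the executable by hash and fixes its arguments.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing key. Real update systems use an
# asymmetric signature (e.g. Authenticode on the binary); HMAC is used here
# only so the example runs without extra libraries.
VENDOR_KEY = b"constructed-stand-in-for-vendor-signing-key"

# Two constructed "binaries", both legitimately signed by the same vendor.
INTENDED_INSTALLER = b"constructed bytes of the installer the update really points to"
OTHER_SIGNED_TOOL = b"constructed bytes of some other vendor-signed executable"


def sign(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(descriptor: dict) -> bytes:
    """Deterministic encoding so the signature covers exactly these fields."""
    return json.dumps(descriptor, sort_keys=True, separators=(",", ":")).encode()


# Model A: only the executable carries a signature. The descriptor saying which
# file to run and with which arguments arrives unauthenticated from the transport.
def install_model_a(binary: bytes, binary_sig: str, descriptor: dict) -> str:
    if not verify(binary, binary_sig):
        return "rejected: executable signature invalid"
    return "run " + descriptor["args"]


# Model B: the descriptor itself is signed and pins the executable by hash, so
# neither the arguments nor the choice of executable can be changed in transit.
def install_model_b(binary: bytes, descriptor: dict, descriptor_sig: str) -> str:
    if not verify(canonical(descriptor), descriptor_sig):
        return "rejected: descriptor signature invalid"
    if sha256_hex(binary) != descriptor["sha256"]:
        return "rejected: executable does not match the signed descriptor"
    return "run " + descriptor["args"]


def scenarios() -> dict:
    """Run both models against an honest update and two in-transit tampering cases."""
    good = {"sha256": sha256_hex(INTENDED_INSTALLER), "args": "/quiet"}
    good_sig = sign(canonical(good))
    # Tampering 1: same signed executable, different arguments.
    changed_args = dict(good, args="/quiet /extra-flag")
    # Tampering 2: a different vendor-signed executable substituted for the intended one.
    return {
        "A honest": install_model_a(INTENDED_INSTALLER, sign(INTENDED_INSTALLER), good),
        "A changed args": install_model_a(INTENDED_INSTALLER, sign(INTENDED_INSTALLER), changed_args),
        "A swapped exe": install_model_a(OTHER_SIGNED_TOOL, sign(OTHER_SIGNED_TOOL), good),
        "B honest": install_model_b(INTENDED_INSTALLER, good, good_sig),
        "B changed args": install_model_b(INTENDED_INSTALLER, changed_args, good_sig),
        "B swapped exe": install_model_b(OTHER_SIGNED_TOOL, good, good_sig),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:16} -> {outcome}")
```

Under model A both tampering cases are accepted, because every check the client makes still passes; under model B the altered arguments break the descriptor signature and the substituted executable fails the hash pin. Transport encryption helps against the on-path attacker, but only the signed descriptor makes the installer's arguments part of what is verified.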

    3. Re:More proof... by DNS-and-BIND · · Score: 2

      The cure is worse than the disease. It's worrisome how often leftists decry coercion and tyranny, but happily switch sides and say "they should be forced to" at the drop of a hat. You're comparing some defect-free utopia that exists only in your imagination to the brutal reality of software development. If only more government power could be utilized, we could just FORCE them to comply! That works every time. Yup, concentrating more power in the government has a great record historically and hardly ever leads to negative outcomes.

      PS stop starting your comments in the Subject: line, that's for the subject of your message. Write your comment in the Comment: box. It's disruptive and impedes the flow of a message.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!

    4. Re:More proof... by 0123456 · · Score: 2

      the scripts are in the deb so the signature also prevents that

      Yes, exactly.

      This hole is a consequence of using random executables as installers, rather than a special installer file type.

  2. If updates are signed... by sinij · · Score: 2

    Can someone please explain to me how they managed to bypass signed update functionality? MitM will not give you magical powers to sign updates with the MS key. As a result, the sig check would still fail when you attempt to install the inserted update... So it's either a WSUS and signature check vulnerability, or not a big deal at all.

    ... and this is why friends shouldn't let friends implement systems with unsigned automatic updates.

    1. Re:If updates are signed... by sinij · · Score: 4, Funny

      I choose to exercise my /. rights to never read TFA.

  3. Not really a story. by Anonymous Coward · · Score: 2, Insightful

    If you already have someone with a MITM on your network, you've already been compromised. The sooner you know it, the better. This is kind of like those stories about some 'hack' someone found that requires keyboard access. If they have keyboard access, you're already sunk.

    1. Re:Not really a story. by Lumpy · · Score: 2

      Don't need to be ON your network, I just need to be somewhere between you and Microsoft. That gives me a LOT of locations to choose from. Hell, some ISPs and backbone operators simply have small sheds out in rural areas that are easily broken into without setting off alarms. Or if you did set off the alarms, you have plenty of time to install a small device to do your MITM for you and leave, making it look like some kids got bored tipping cows.

      --
      Do not look at laser with remaining good eye.