News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Microsoft using insecure HTTP links to distribute security patches through the Update Catalog

    Home Forums AskWoody blog Microsoft using insecure HTTP links to distribute security patches through the Update Catalog

    Viewing 24 reply threads
    • Author
      Posts
      • #167821 Reply
        woody
        Da Boss

        I didn’t believe it until I saw it. And you can, too. Post coming in Computerworld. Thx, Stefan Kanthak, Günter Born
        [See the full post at: Microsoft using insecure HTTP links to distribute security patches through the Update Catalog]

        6 users thanked author for this post.
      • #167825 Reply
        zeuswoz
        AskWoody Lounger
        • #167902 Reply
          anonymous
          Guest

          Prefixing HTTPS to the URL results in a invalid certificate warning using Waterfox.

          2 users thanked author for this post.
      • #167836 Reply
        Rick59
        AskWoody Lounger

        It seems like MS is just stumbling from one disaster to another.

        My daughter really likes her new pixelbook, but for myself I find the screen too small and I’ve never been a big fan of laptop keyboards and touchpads. It still is a very nice laptop that oozes high quality and I believe will get a fair number of buyers.

        Looks like ASUS is brnging out a new chromebox some time this year

        https://www.androidheadlines.com/2018/01/hands-on-with-the-new-asus-chromebox-3-ces-2018.html

        Looks interesting and could be a serious option for myself. Just hoping I get a Meltdown patch soon for my Win7-32 machine and then I could wait for the new chromebox. If not and real world exploits start showing up I might have to look at an Apple product.

      • #167839 Reply
        zero2dash
        AskWoody Lounger

        I’m curious what the point is in this kerfuffle, other than it’s not a great idea (which is par for the course with MS).
        Short of a MITM attack/circumvention, what exactly is the paranoia over?
        I don’t recall seeing mass hysteria over sites using FTP instead of SFTP, so why exactly is using HTTP instead of HTTPS any different?

        1 user thanked author for this post.
        • #167877 Reply
          OscarCP
          AskWoody Plus

          Phishing? Fake, Trojan “updates” bearing viruses, worms?

          Maybe the PC has to be already compromised by a preliminary infestation with malware opening the way to the one in the HTTP address?

          How much of a protection really is HTTPS these days?

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

          • #167909 Reply
            zero2dash
            AskWoody Lounger

            I’m not disagreeing that there can be issues, but in the context of this and whether or not it will cause users issues, the odds are (and I’d say they’re favorable odds) are that it won’t.

            Riddle me this: what prototypical uneducated PC owner/user is downloading Windows Updates piecemeal from somewhere other than Windows Update?

            The answer of course is “no one”. Anyone capable of downloading updates from the Microsoft Catalog is going to be a novice techie (at worst). Such a person is not going to be easily fooled by any of the potential issues that you listed.

            This seems very much like a clickbait article to me. Mission accomplished, I guess.

            1 user thanked author for this post.
            • #167916 Reply
              woody
              Da Boss

              It’s easy for me to imagine being attached to a network (or accessing the Catalog from a country) where MitM attacks are straightforward — and very hard to detect.

              5 users thanked author for this post.
            • #168060 Reply
              lurks about
              AskWoody Plus

              HTTP connections are vulnerable to MTM attacks and I would think someone who is trying one might find Windows updates via HTTP an interesting way to try one.

              HTTPS connections are encrypted and rely on a handshake between the browser and server. Once established MTM attacks become almost impossible if the proper protocols are used. About the only reliable to attack an HTTPS connection is to fool the user into initially connecting to a rogue site; more of a social engineering problem than a technical one.

      • #167841 Reply
        gborn
        AskWoody_MVP

        A few more details may be read within my blog post Microsoft delivers updates via HTTP & more security obscurity

        Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author

        https://www.borncity.com/win/

        5 users thanked author for this post.
      • #167858 Reply
        The Surfing Pensioner
        AskWoody Plus

        Wah-hay! Does that mean that we put ourselves at risk of viral infection merely by downloading updates from the Catalog? Any more for Group W?

        • #168020 Reply
          gborn
          AskWoody_MVP

          I guess, the risk for private user is minimal. But it’s probably an attack vector, that should be discussed at least.

          Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author

          https://www.borncity.com/win/

          1 user thanked author for this post.
        • #168051 Reply
          MrJimPhelps
          AskWoody_MVP

          I’m in Group L – Linux Mint!

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          2 users thanked author for this post.
          • #168167 Reply
            Jan K.
            AskWoody Lounger

            Sorry, buddy, but Group L ™ has been taken!

            And it’s more a kind of attitude towards life than being OS related…

            .

            May I suggest Group M for Mint!

      • #167855 Reply
        anonymous
        Guest

        As far as I can tell, Windows Update has been doing the same thing for a long while now.

        4 users thanked author for this post.
      • #167872 Reply
        anonymous
        Guest

        Where is this Mass Hysteria?

        There is the expectation that a tech company would choose HTTPS for a website that is regularly accessed by their customers for downloads, especially MSIs. It has taken many people by surprise that Microsoft has chosen not to. You may recall that it was just a year ago that they had to remove Active X from this site.

        in 2018, Google and Firefox are issuing ‘insecure’ notices for sites that are not HTTPS, whereas Edge and IE do not. Considering that the vast majority of users do not use Microsoft’s browsers, the HTTP designation for the MS Catalog site is a major inconvenience for MS users. This is an immature game that results in zero winners.

        • #167962 Reply
          WildBill
          AskWoody Plus

          in 2018, Google and Firefox are issuing ‘insecure’ notices for sites that are not HTTPS, whereas Edge and IE do not. Considering that the vast majority of users do not use Microsoft’s browsers, the HTTP designation for the MS Catalog site is a major inconvenience for MS users. This is an immature game that results in zero winners.

          I’m using Firefox & haven’t gotten any ‘insecure’ notices for http sites… Yet. Maybe Firefox will start about the same time Chrome does later this year. Some people may call this clickbait & promoting hysteria, but Woody & others are right; a popular http patch could be hacked & Who Would Know? Methinks Google will be doing this to troll Microsoft; still, not best practices at work in Redmond, IMO.

          Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V2004. As long as it's a Lot Less Buggy!
          Wild Bill Rides Again...

      • #167885 Reply
        geekdom
        AskWoody Plus

        Isn’t that an oxymoron?

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
        online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
        TargetReleaseVersion=1909
        WUMgr
      • #167888 Reply
        MrBrian
        AskWoody_MVP

        If anyone is curious if using Windows Update itself is secure, here are some links:

        Are Windows Updates susceptible to tampering, eg. using a MiTM attack

        Windows Update – Interception

         

        There have been Windows updates that address the security of using Windows Update:

        Researchers reveal how Flame fakes Windows Update

        Unauthorized digital certificates could allow spoofing

         

        6 users thanked author for this post.
        • #168746 Reply
          MrBrian
          AskWoody_MVP

          In response to the Flame malware, Microsoft also did this: From Update to Windows Update, WSUS Coming This Week (2012): “Our hardening introduces two defense-in-depth changes.  First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way.”

          3 users thanked author for this post.
      • #167893 Reply
        MrBrian
        AskWoody_MVP

        Woody’s article: Microsoft is distributing security patches through insecure HTTP links.

        3 users thanked author for this post.
      • #167910 Reply
        AJNorth
        AskWoody Plus

        Hindenburg

        Attachments:
        6 users thanked author for this post.
      • #167935 Reply
        anonymous
        Guest

        This doesn’t seem like a problem to me.  All the updates have to be signed by Microsoft.  It doesn’t matter how they are downloaded.  It is completely beside the point.  An unsigned or tampered file won’t work.

        2 users thanked author for this post.
        • #167943 Reply
          anonymous
          Guest

          Agreed, and also with the click bait comment above.

          Since all Microsoft updates are signed, they are tamper-proof and thus secure regardless of whether the transport is secure. What additional benefit would using HTTPS offer? Absolutely nothing, it would just waste CPU performance.

          WSUS also requires both HTTP and HTTPS ports, this is well documented:
          “WSUS also uses SSL to encrypt metadata passed between clients and downstream WSUS servers. Note that WSUS only uses SSL for metadata. This is also the way Microsoft Update distributes updates.
          As discussed earlier in this guide, updates consist of two parts: metadata that describes what an update is useful for, and the files to install the update on a computer. Microsoft mitigates the risk of sending update files over an unencrypted channel by signing each update. In addition to signing each update, a hash is computed and sent with the metadata for each update. When an update is downloaded, WSUS checks the digital signature and hash. If the update has been tampered with, it is not installed.”

          Edit to remove HTML
          Please convert to plain text (.txt) before cut/paste

          2 users thanked author for this post.
          • #167965 Reply
            MrBrian
            AskWoody_MVP

            From New Paper Released: WSUSpect – Compromising the Windows Enterprise via Windows Update (2015):

            “Today, we released a paper titled ‘WSUSpect – Compromising the Windows Enterprise via Windows Update’ which accompanies the talk presented by two of our senior researchers at Black Hat USA 2015.

            The presentation demonstrates how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS).”

            4 users thanked author for this post.
          • #168013 Reply
            gborn
            AskWoody_MVP

            Since all Microsoft updates are signed, they are tamper-proof and thus secure regardless of whether the transport is secure.

            That was my first thought. But did you read my addendum here?

            Tested: Windows accepts altered updates …

            Within my German blog post, a reader did a simple test. He downloaded an update package via Microsoft Update Catalog. Then he used Notepad++ to edit some strings within the update package. The saved package is flagged ‘as modified’ on digital signature property page. But Windows accept this update and install it.

            I guess (haven’t tested it), the digitale signatur proof check will be executed for .cabs included. The post from Mr. Brian below indicates, that some parts are checked and others not.

            So: Overall I guess, it’s a ‘non optimal’ solution, Microsoft decides to use (nicely spoken). Well, we can discuss about http versus https. But then explain, why they offer kb articles via https, while downloads from http download links are redirected to https pages – and Update Catalog downloads still shipped via http.

            Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author

            https://www.borncity.com/win/

            3 users thanked author for this post.
            • #168024 Reply
              Noel Carboni
              AskWoody_MVP

              Why?

              A reason might be that it takes computer power to encrypt large blocks of data. That translates to money when running a network that’s tasked with delivering an unprecedented amount of data. Let’s not forget, with concepts like “cumulative” and “6 month major release cycles” dawning, updates are working out to hundreds of megabytes to gigabytes apiece. We’re all becoming numb to mega/giga/tera but it’s an unprecedented large network and server load – by a lot.

              Many folks have more computer power than they need, and they might prefer an https: connection vs. http: on general principles but it comes at a price, however intangible.

              And lo and behold right when content delivery networks could use more capacity, now servers are becoming less efficient than ever, with their mitigations for newly “discovered” vulnerabilities going in.

              Why invite / create problems on purpose? It’s not hard to imagine there are those who benefit from people throwing money at their problems.

              But even if it’s not planned, insecure computing and networking are where we came from. The only thing people thought https: was good for just a few scant years ago was specific important transactions. Who worried about such things as “Man In The Middle” attacks when it seemed ridiculously expensive/difficult to do, and backups were smaller and easier to restore? Now the data we use to manage our lives is becoming huge, and more valuable than ever – and the bad guys share their software via the same web…

              -Noel

              1 user thanked author for this post.
        • #167963 Reply
          MrBrian
          AskWoody_MVP

          As a test, I altered a downloaded .msu file with a hex editor, and then attempted to install it. The install was aborted with error “Installer encountered an error: 0x8007000d   The data is invalid.”

          5 users thanked author for this post.
          • #168015 Reply
            gborn
            AskWoody_MVP

            See my addendum one post above. It seeems that you altered a cab file.

            Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author

            https://www.borncity.com/win/

            4 users thanked author for this post.
            • #168157 Reply
              anonymous
              Guest

              MSU files are special cabinet files signed with two certificates.

      • #167955 Reply
        SkipH
        AskWoody Plus

        Just did a Google search for “Microsoft Update Catalog” using Chrome.

        Clicked on the 1st site found, “Microsoft Update Catalog” (https://catalog.update.microsoft.com), get the following ‘web page’:

        Linked-to-from-a-Google-search-in-Chrome

        I made a shortcut a long time ago to the MS Update Catalog site using:

        https://www.catalog.update.microsoft.com/home.aspx

        and it works fine, brings up the non-ActiveX web site in IE 11 or Chrome. (more on that in a following post)

        Attachments:
        3 users thanked author for this post.
      • #167959 Reply
        SkipH
        AskWoody Plus

        @”anonymous’ in post # 167872:

        Then did a Google search for “Microsoft update catalog” in IE 11 (brings up the same results as in Chrome).

        Click on the 1st result “Microsoft Update Catalog” and get the following web site:

        MS-Update-Catalog-site-wanting-to-install-ActiveX

        The URL of the above web page is:

        https://catalog.update.microsoft.com/v7/site/Install.aspx

        So, there’s multiple ways to kind of get to the MS Update Catalog site, and at least one of them still wants to install ActiveX in IE 11.  Seems ActiveX is still alive on the above web page. I’ve never installed it, so use the ‘other’ way to get to the Update catalog site.

        Very confusing.

         

        Attachments:
        2 users thanked author for this post.
      • #167971 Reply
        anonymous
        Guest
      • #167997 Reply
        anonymous
        Guest

        1) Microsoft Update Catalog: https://www.catalog.update.microsoft.com

        All file download links at the above are served via HTTP, ever since the catalog was launched. If we manually switch the download link from HTTP to HTTPS, the download will fail. The browser would warn about an untrusted connection, with details such as “download.windowsupdate.com uses an invalid security certificate“.

        2) Microsoft Download Center: https://download.windowsupdate.com

        From what I noticed, numerous file download links posted since years ago at the above are randomly served via HTTP. That is, some download links are in HTTPS, but some are in HTTP. But we can manually switch the download link from HTTP to HTTPS, & still fetch the file.

        As such, if Microsoft has any intention of making its file downloads more secure for users, it needs to not only fix portal (1), but also the random HTTP download links at portal (2).

        1 user thanked author for this post.
      • #168022 Reply
        anonymous
        Guest

        In the Computerworld article, it says: “Now flip over to the KB 4087256 article” but the link is https://support.microsoft.com/en-us/help/4074588

        I guess that KB 4087256 is renamed to KB 4074588?

        • #168097 Reply
          woody
          Da Boss

          My bad. But the principle remains.

      • #168041 Reply
        abbodi86
        AskWoody_MVP

        This sudden hysteria would more understandable if it was directed towards Windows Update, which have been and still and will continue to deliver all updates via HTTP
        the MU catalog links are just a mirror of WU links

        the sha1 hash appended to each file name will prevent any tampering

        MS-DEFCON 4: Time to get November Windows and Office patches applied

        even the new Windows 10 UUP and Delivery Optimization links are HTTP

        with all due respect, HTTPS is overrated in this context

        BTW, i pointed that long time ago, although not very clear 😀

        MS-DEFCON 4: Time to get November Windows and Office patches applied

        6 users thanked author for this post.
      • #168054 Reply
        gborn
        AskWoody_MVP

        Microsoft Update Catalog is not broken catalog.update.microsoft.com is the IE-activex front-end http://www.catalog.update.microsoft.com is the non-activex front-end (for IE and other browsers)

        That’s what also some German users told me, but …

        I mentioned it within my German comment – just try the two tests below.
        http://www.catalog.update.microsoft.com
        catalog.update.microsoft.com

        The last link shows ‘Server negotiated HTTP/2 with blacklisted suite’ (btw also for IE 11 and Edge under Windows 10). I would say, it’s some misconfigured servers, probably.

        Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author

        https://www.borncity.com/win/

        3 users thanked author for this post.
      • #168101 Reply
        woody
        Da Boss

        I received this email from Stefan Kanthak (whom I hope will join us here), slightly edited:

        My point is NOT with Windows Update/Automatic Update, but with a MitM attacker who serves bogus updates. Yes, WU/AU will reject the altered updates. But an administrator who notices the WU/AU failure might be tempted to fetch the failed updates manually … and fall prey to a bogus one.

        An especially trivial example is the Security Update for CAPICOM (KB931906) The EXE file is a properly signed but vulnerable executable (there are of course quite some more of this kind), which may be served by a MitM attacked instead of the requested update.

        Executables are not fed to WUSA.exe, DISM.exe, CBS or the Windows Microsoft Installer which will check their signature and deny to process bogus updates. A double-click on this .EXE will come up with an UAC prompt which
        says “I’m from Microsoft”. To go from there, look at my FD and BugTraq posts about IExpress or 931906 or CAPICOM on how to proceed.

        Yes, this is an INDIRECT exploit; but it’s an exploit. And then there are updates which are NOT distributed through WU/AU, but only via Microsoft Update Catalog, for example KB3127754.

        2 users thanked author for this post.
        • #168103 Reply
          woody
          Da Boss

          I don’t claim to be an expert at Windows Update internals, but here’s my concerned-layman’s take:

          Both the “HTTPS should be there” and the “HTTP is good enough” factions have points in their favor. There doesn’t appear to be a direct attack vector the way things stand, but the potential is there for an unfortunate admin (or user) to shoot themselves in the foot.

          I think MS should be moving to use HTTPS links exclusively for all of their security patches, even if there’s a performance hit. Not because there’s a known threat. But because the threat’s potentially very large — and the rewards potentially huge.

          2 users thanked author for this post.
          • #168109 Reply
            anonymous
            Guest

            Raymond Chen discusses this category of ‘security hole’ frequently on his blog.

            It goes “it rather consists of being on the other side of this airtight hatchway,” which is his way of saying that if your admin(or user) is such a clueless chap that he downloads and installs malware, THAT is your problem.  You can not claim a security defect when everything is working exactly as designed.

            The default arrangement is that the downloaded executable is going to require UAC approval, and when it does, it will indicate the program is signed by XYZ or not signed.  If it doesn’t say Microsoft, you don’t run it!  Any steps beyond that are social engineering, and are not fixable by the software.  Microsoft issues these certificates, so they are presumably on the lookout for any attempts to fool people, and they can revoke certificates also.

            2 users thanked author for this post.
            • #168513 Reply
              anonymous
              Guest

              Anon #168109 said:
              The default arrangement is that the downloaded executable is going to require UAC approval, and when it does, it will indicate the program is signed by XYZ or not signed.  If it doesn’t say Microsoft, you don’t run it!

              The above strategy is not foolproof. Even if the program is signed with a genuine Microsoft signature, it doesn’t necessarily imply that it is safe to run. Genuine software vendor digital signatures can be created from stolen private keys, such as in the following example.

              https://www.symantec.com/connect/blogs/stux-be-you
              21 Sep 2010
              Back in July we saw the Stuxnet worm targeting industrial control systems. The Stuxnet authors stole the digital signatures of two Taiwanese chip makers and used them on the rootkit employed by the worm. Just how they were getting their hands on the private keys needed to steal the signatures remains a missing piece of the Stuxnet puzzle.

              In order to digitally sign a binary, you must have a private key. If attackers can gain possession of the key they can steal the key owner’s signature; therefore, the owner of the private key should ensure that it remains private. Somehow, these private keys were stolen and used by the Stuxnet authors to sign the rootkit in order to ensure that it would be loaded by Windows Vista and Windows 7.

              Obtaining a private key for a digital certificate may not be as difficult as one imagines. Infostealer.Nimkey is an example of a threat that steals PKCS#12 public key certificate files. PKCS#12 certificates are different from ordinary public key certificates—they can contain not only public keys but private keys, too.

              And there are precedences for forged Microsoft certificates, such as the following incident:

              Unauthentic “Microsoft Corporation” Certificates (22 Mar 2001)
              https://www.cert.org/historical/advisories/CA-2001-04.cfm

              On January 29 and 30, 2001, VeriSign, Inc. issued 2 certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not.

              Although users who try to run code signed with these certificates will generally be presented with a warning dialog, there will not be any obvious reason to believe that the certificate is not authentic.

              This issue presents a security risk because even a reasonably cautious user could be deceived into trusting the bogus certificates, since they appear to be from Microsoft. Once accepted, these certificates may allow an attacker to execute malicious code on the user’s system.

              Competent blackhats can probably create their own certificate & label it “Microsoft” to deceive users who don’t go to the trouble of checking the certificate’s signature against the known Microsoft signature. And many (if not most) end-users do not have the habit, patience or know-how to conduct proper signature checks by cross-checking serial numbers & validity dates for every executable file.

              1 user thanked author for this post.
        • #168117 Reply
          ch100
          AskWoody_MVP

          Woody, this in theory is accurate and well-known for many years.
          But let’s take a more practical view here and also see Noel’s post for this.
          A significant number of patches are released due to public hysteria in relation to this sort of vulnerabilities which have little practical relevance. For a limited number of organisations they are relevant though. 🙂
          A man in the middle attack inside of an organisation require an attacker with elevated access inside of the organisation. As per the post, in this specific situation, it also require an unsuspecting administrator who would install cracked software manually bypassing the safeguards built into the software.
          How secure is that organisation’s internal network in such a situation? Are there bigger problems there than the possibility of installing cracked updates?

        • #168892 Reply
          MrBrian
          AskWoody_MVP

          “Executables are not fed to WUSA.exe, DISM.exe, CBS or the Windows Microsoft Installer which will check their signature and deny to process bogus updates.”

          If the type of file downloaded from the Catalog is a .exe file, I believe that it’s safer to install the update via Windows Update (if available) than to download and install it manually, due to the additional Windows Update infrastructure changes that Microsoft introduced in 2012. Feedback on my assertion is welcome :).

          • #168896 Reply
            PKCano
            Da Boss

            Would one example of this is using WU to update .NET through the Rollups instead of downloading and installing the .exe files that some versions use?

            • #168907 Reply
              MrBrian
              AskWoody_MVP

              Yes. If my assertion is correct, then for Windows 7 and 8.1 users, with only the issue in this topic used as criteria, then Group A is safer than Group B.

      • #168116 Reply
        MrBrian
        AskWoody_MVP

        This is related info that might be worth its own topic: From OEM Updaters put PCs at risk (2016): “A study by Duo Security, Inc suggests that OEM Updaters, programs designed by PC manufacturers to update vendor-specific software, do more harm than good as they put PCs at risk.”

        2 users thanked author for this post.
        • #168135 Reply
          Noel Carboni
          AskWoody_MVP

          Manufacturers have struggled for a long time to find good that could be delivered from “the cloud”.

          Hard looks at all cloud or network-contacting services are warranted.

          Sure, with the cloud “sharing” is easy, getting a weather report is seamless, getting more software than you can possibly want is a given – yet amazingly along with that comes the increased probability of “being violated”.

          It long been said that if you use Windows long enough, it will slow down more and more over time until it becomes unusable. That’s not an inherent issue with Windows or its registry or whatever. It’s because almost every software package almost invariably tries to install some extra helpful services or scheduled jobs – and I’m not even talking about big stuff like Adobe’s Creative Cloud which practically takes over your entire system with dozens of components. Run of the mill programs often want to install their services that will watch for updates, for example. Eliminate all that and lo and behold Windows can actually be run forever and maintain efficiency. I’ve done it.

          I just looked at the first page of my Autoruns display, “Everything” tab, and much more stuff is unchecked than is checked (not to mention the amount of unchecked boxes in the Scheduled Tasks section).

          -Noel

          2 users thanked author for this post.
      • #168162 Reply
        Fred
        AskWoody Plus

        WHAHAHA the never ending story…… ??

        ~ ~ ~
      • #168422 Reply
        Kirsty
        Da Boss

        An interesting page on MSI malware has just been published on isc.scan.edu:

        Malware Delivered via Windows Installer Files

        Published: 2018-02-17
        Last Updated: 2018-02-17 09:06:35 UTC
        by Xavier Mertens (Version: 1)

        For some days, I collected a few samples of malicious MSI files. MSI files are Windows installer files that users can execute to install software on a Microsoft Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious and they could bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files…

         
        Read the full article here

        4 users thanked author for this post.
      • #169233 Reply
        woody
        Da Boss

        Microsoft engineer extraordinaire Michael Niehaus sent me this synopsis privately. It’s reprinted here with permission:

        The updates are Authenticode-signed and validated by the OS, so a man-in-the-middle attack is impossible – any tampering done to the payload will be detected by the OS, causing the entire payload to be rejected.

        That’s kind of like saying “Kerberos is insecure because it doesn’t use HTTPS” – nope, it signed the payload and validated the signature…

        So you’re making a big fuss over nothing.

        So I asked him about the attack vector raised by Kanthak, earlier in this thread. His response:

        All Windows updates are Authenticode-signed; they can’t be tampered with.  WU/WUSA/DISM will reject them.  Even if you manually download them, they are still signed and can’t be tampered with.

        As for executables, they are also Authenticode-signed.  Windows will tell you that they are untrusted at worst, and in many cases reject them due to an invalid signature, although if you try hard enough you can probably bypass all the warnings.  But these aren’t Windows updates.

        There are many easier ways than a MitM attack to get people to download bad things ?

        He certainly has a point!

        4 users thanked author for this post.
        • #169251 Reply
          MrBrian
          AskWoody_MVP

          “But these aren’t Windows updates”

          Some updates in the Catalog are available as executables.

          2 users thanked author for this post.
    Viewing 24 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Microsoft using insecure HTTP links to distribute security patches through the Update Catalog

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.