Microsoft Security Advisory (2718704)

Discussion in 'other security issues & news' started by ronjor, Jun 3, 2012.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Re: Microsoft Hardens Windows Update

    Most unfortunately, this abuse of the Windows Update system just provides naysayers with another excuse for not updating... and may in fact have the effect of recruiting even more disenchanted Windows users to their ranks. I won't be one of them, but it seems like it might have this effect on some.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Microsoft Hardens Windows Update

    The attack on Windows Update that The Flame used was very sophisticated (I don't know of another collision attack in the wild?) and was based on MS making a really stupid mistake.

    The cost was already pretty high. With the new measures they're taking I wouldn't expect something like this to happen again.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Microsoft Hardens Windows Update

Incidents like this convince me even more that making the install/update process a manually performed administrative task (with each install monitored) was the right decision. When your system relies on and automatically connects to someone else's servers, they become part of your attack surface.

    This does lead to another question that needs to be closely examined. What about the auto-update mechanism of other vendors? How many other update systems are vulnerable? This could potentially include AVs, the auto-updating of browsers and their extensions/plugins, maybe even other operating systems.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Re: Microsoft Hardens Windows Update

    You're absolutely correct.
    But whatcha gonna do?
    Most of us who run AVs want the most current updates.
    As it is, it has been demonstrated that an AV is not to be solely relied upon, so it at least makes the best sense to have the darn thing as current as possible. There has always been a question in the back of everyone's mind as to whether or not the auto-updating could be compromised.
    Now that likelihood looks that much more possible.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Re: Microsoft Hardens Windows Update

Point taken, but what's the alternative? Auto-updating has become so common because people were too lazy to check themselves or wanted to stay off of a new version of software. Hell, there are people still groaning about Mozilla and Chrome auto-updating... the one piece of software most vulnerable to attack. It's hard to win in that department.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Microsoft Hardens Windows Update

This was not some simple attack. It involved having a cert out where it shouldn't be and an unprecedented collision attack. Even if other programs are using weak crypto for certs it's not like whipping up a collision is simple.

    The alternative is having a system full of holes and hoping that policy will make up for that - Chrome being hacked should prove that that's not the case. That's policy built from the kernel, strong MAC. It's always just a matter of chaining the right vulns.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Microsoft Hardens Windows Update

You hit the nail right there, too lazy to check for themselves, a situation made worse by this "do like Chrome does" rapid update policy. IMO, this is not allowing adequate time to test these updated versions. As for the alternative, I don't see a good alternative for the casual user. For the kind of users we have here, the alternative is to update manually, monitor the update process, and record the changes it makes. When I decide to update, I make a full system backup first, then install each update individually and watch every step of the process. On more than one occasion I've stopped an upgrade or install when I didn't like what I was seeing, like an app wanting to install a driver when I didn't feel it needed one, or an app that wouldn't install unless I let it call home first.
    I can understand why people groan about it. Broken extensions, settings being changed to their original values, etc. A lot of this updating is as much for marketing as for anything else. It's becoming more common for one of these rapid updates to be immediately followed by another because the first broke something or has some big flaw that was missed.

Regarding updating a vulnerable attack surface app like the browser, users need to realize that it is vulnerable and potentially exploitable even when it is up to date. The user's security policy should acknowledge that. With the proper configuration and application choices, the risk can be largely mitigated so that the user doesn't have to install the updated version the moment it comes out. SandBoxie is one example.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Microsoft Hardens Windows Update

You have a lot more trust in certificates than I do, and in a vendor's ability to protect them. What you consider to be a strength, I regard as a vulnerability. Instead of a debate that runs the usual course, how about we agree to disagree and save a page or 2?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Microsoft Hardens Windows Update

    This has nothing to do with the certificate system, which I hate. It's cryptography. Collision attacks are independent of the CA system and creating one is not easy but necessary for the attack.

    I have very little interest in arguing about it.

    I think there isn't really any progress to be had in a conversation that is about whether or not holes in software should be patched. I doubt I could see the other side of it for long enough to make sense of the mindset, which is probably clear given past conversations on the matter.
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Not your average day at the office...

    http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Why are people lazy? So, on one hand they're blamed for not updating, on the other hand, blamed for updating... automatically? You folks realize that it isn't just the operating system, but also e-mail clients, web browsers, IM, PDF readers, download managers, media players, Office/other, most likely Adobe Flash Player... speaking of which, the recent versions have automatic updates enabled. This is one plugin targeted a lot by cybercriminals, and now that Adobe introduced automatic updates, you call people lazy because they don't manually update? lol

And this kind of app is what I'd imagine to be standard in most systems. Now, imagine people who have more than these "standard" apps installed in their systems. It's simply crazy to think of manually checking everything, it's simply unrealistic... unless you've got the time to do it.

    I don't even imagine the time it would require to manually check, etc., each update we download. I mean, checking with Virus Total, sandboxes, monitoring changes, etc... Heck... we're better off without computers. :argh:

    There are some things I manually update, but I do let Windows download, and after I choose the updates I want, they're automatically installed. Why should I be called lazy? Maybe you should be attacking those who don't harden their programs, etc., instead. ;)
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This seems to be a choice of words problem. I wasn't referring to the certificate system either. Maybe the proper term escapes me at the moment (CRS) but I was referring to the signing/verification system itself. I consider it vulnerable if not already broken or otherwise compromised. Besides the breaking of or effective forging of these (such as this "collision attack") I would add the potential for theft or mishandling of these certificates, either by the vendor directly or a 3rd party that demands it, NSA for instance. Since it appears that Flame is signed using one of these fake certificates, the 3rd party (mis)use/mishandling looks quite possible.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
    https://blogs.technet.com/b/wsus/ar...ng-of-wsus-now-available.aspx?Redirected=true
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Certificates are independent of the certificate system and CAs.

It's MD5; that's why the collision was possible.
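    A defender's check that follows from this point, added here as an example and not code from the thread or from Microsoft: a small stdlib-only Python DER walker that reads the outer signatureAlgorithm of an X.509 certificate and flags an MD5-based RSA signature. The OIDs are the standard ones; the certificate-shaped sample bytes are constructed for the test and are not a real certificate.

    ```python
    # Well-known RSA signature OIDs (standard values, not taken from the thread)
    MD5_WITH_RSA = "1.2.840.113549.1.1.4"
    WEAK_SIGNATURE_OIDS = {MD5_WITH_RSA: "md5WithRSAEncryption"}

    def read_tlv(buf, pos):
        """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the count of length octets
            count = length & 0x7F
            length = int.from_bytes(buf[pos:pos + count], "big")
            pos += count
        return tag, buf[pos:pos + length], pos + length

    def decode_oid(raw):
        """Turn the contents of an OBJECT IDENTIFIER into dotted-decimal form."""
        arcs, value = [raw[0] // 40, raw[0] % 40], 0
        for byte in raw[1:]:  # base-128 arcs; high bit set on all but the last octet
            value = (value << 7) | (byte & 0x7F)
            if not byte & 0x80:
                arcs.append(value)
                value = 0
        return ".".join(str(a) for a in arcs)

    def signature_algorithm(cert_der):
        """Return the dotted OID of the outer signatureAlgorithm of a DER X.509 certificate."""
        tag, cert, _ = read_tlv(cert_der, 0)
        if tag != 0x30:
            raise ValueError("certificate is not a DER SEQUENCE")
        _, _, pos = read_tlv(cert, 0)         # tbsCertificate: skipped, we only need what follows
        _, alg_id, _ = read_tlv(cert, pos)    # signatureAlgorithm ::= AlgorithmIdentifier (SEQUENCE)
        tag, oid, _ = read_tlv(alg_id, 0)     # its first element is the algorithm OID
        if tag != 0x06:
            raise ValueError("AlgorithmIdentifier does not start with an OID")
        return decode_oid(oid)

    def assess(cert_der):
        """'weak: md5WithRSAEncryption' for an MD5-signed certificate, otherwise 'ok: <oid>'."""
        oid = signature_algorithm(cert_der)
        return ("weak: " + WEAK_SIGNATURE_OIDS[oid]) if oid in WEAK_SIGNATURE_OIDS else ("ok: " + oid)

    def build_sample(oid_der):
        """Constructed certificate-shaped DER for testing (empty tbsCertificate, empty signature); not a real cert."""
        body = b"\x30\x00" + b"\x30" + bytes([len(oid_der)]) + oid_der + b"\x03\x01\x00"
        return b"\x30" + bytes([len(body)]) + body

    MD5_SAMPLE = build_sample(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # md5WithRSAEncryption
    SHA256_SAMPLE = build_sample(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption
    ```

    On a real DER certificate file the same call works unchanged (`assess(open("cert.der", "rb").read())`); a PEM file must be base64-decoded between its BEGIN/END lines first.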
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Thanks for the heads up, Ron!

     
  16. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    I am not getting the update for Windows Update yet when I check for updates. o_O
     
  17. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    +1...
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
It's apparently due for this month's Windows Update batch on Tuesday/Wednesday, not sure how he managed to get it already.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    It also installed on my XP box at the same time.
    I have auto-updating disabled and upon checking manually, both 7 and XP installed it.
    The technet blog quoted by Ron yesterday did say, "This update is now available for download."

     
  20. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    They might be phasing it out or deploying it to different areas of the world at different times then. Still not showing for me.
     
  21. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
An acquaintance of mine who works for Microsoft support said that Microsoft has withdrawn the Windows Update Agent from the update servers.
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    But the acquaintance didn't say why? o_O
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    So has the update to further harden the Windows Server Update Services (WSUS) been released along with the rest of them?
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
    http://support.microsoft.com/kb/894199
     
  25. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    Nope. I guess something was wrong with it.
     