Lots of comments under the article. https://arstechnica.com/security/20...-software-updates/?comments=1&comments-page=1
From that same article. This is why I think it stinks that they didn't add DoH to Windows 10. Windows 10 Insider builds had it until they released Windows 11 and then they decided 10 would not get it.
So, if I understand, and I'm not sure that I do, using a VPN plus the DNS provided by the VPN service would thwart this attack?
As long as whatever service you were using encrypted the DNS traffic you would be good. Most VPN connections should do that.
What if all users had DoH? I guess attackers would try to reroute some traffic another way. Ultimately the only way to prevent a MitM attack completely is to provide signed updates by program developers, and do signature verification like the GNU/Linux package managers apt, zypper or yum do. I guess Microsoft Store does that internally, but Microsoft fails to acknowledge that most of its userbase does not use the Store for every app, so there is a strong need to provide a free-of-charge, Windows built-in, not-store-connected centralized program update mechanism. Some people at Microsoft for sure understand that, but don't see business value, most likely...
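The signed-update check the comment above describes, as an added example that is not from any commenter or from any real updater: a developer signs a manifest (version plus installer hash) with Ed25519, and the client verifies it against a pinned public key before trusting the hash. The key pair, version string and installer bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what an update server hands out: version, installer hash and a
// developer signature over both. A bare hash can be swapped along with the installer.
type Manifest struct {
	Version, SHA256 string
	Sig             []byte
}

func (m Manifest) payload() []byte { return []byte(m.Version + "\n" + m.SHA256 + "\n") }

func hexSHA256(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// SignManifest runs in the developer's build pipeline with the private key.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	m := Manifest{Version: version, SHA256: hexSHA256(installer)}
	m.Sig = ed25519.Sign(priv, m.payload())
	return m
}

// VerifyUpdate is the client-side check against a public key pinned in the client.
// Whoever controls DNS or the download path can replace installer and manifest,
// but cannot produce a valid signature for the replacement.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pub, m.payload(), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if hexSHA256(installer) != m.SHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	genuine := []byte("genuine installer bytes")     // constructed sample payloads
	trojan := []byte("trojanized installer bytes")
	m := SignManifest(priv, "2.0.1", genuine)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, genuine))
	forged := m // MitM swaps the installer and re-hashes, but cannot re-sign
	forged.SHA256 = hexSHA256(trojan)
	fmt.Println("forged update:", VerifyUpdate(pub, forged, trojan))
}
```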
They already wrote the code. They should have just released it instead of withholding it to get people to upgrade to an OS that most people could not run on their current hardware. Signature verification as you describe sounds great, but would require a coordinated effort by everyone involved so it likely won't happen soon. Why not at least make the bad guys work a little harder in the meantime?
Eventually it requires a systemic solution, especially in today's world of supply chain attacks. DoH is certainly a controversial thing. Things like DoH, DNSCrypt etc. are only protecting the last mile, unlike DNSSEC or update signatures. They also decrease decentralization by introducing a couple of big players in place of many small ones operated by ISPs. If one big player goes down, technically or economically, then a large part of the Internet is going down. I was talking about rerouting traffic, but I guess there is an easier way. Just infect the router of the targeted user and reject packets to popular DoH operators. Then contact the user and persuade them to set up malicious DoH IPs in the Windows configuration. Profit? If everything goes right then most current AVs (all?) won't be able to distinguish that traffic from regular web browsing, thus not alert about malicious domain resolution.
Didn't know DoH was such a big deal. But if I understood correctly, this attack would have only worked if apps were using auto-update, right? I always download full installers, but of course they could also be trojanized. But that wasn't the case in this particular attack. That's why behavior-blocking tools that can assist AVs are so important. AVs are often blind to this kind of advanced attack.