Microsoft Security Advisory (2718704)

Discussion in 'other security issues & news' started by ronjor, Jun 3, 2012.

Thread Status:
Not open for further replies.
  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    Re: Microsoft Hardens Windows Update

    Most unfortunately, this abuse of the Windows Update system just provides naysayers with another excuse for not updating... and may in fact have the effect of recruiting even more disenchanted Windows users to their ranks. I won't be one of them, but it seems like it might have this effect on some.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: Microsoft Hardens Windows Update

    The attack on Windows Update that The Flame used was very sophisticated (I don't know of another collision attack in the wild?) and was based on MS making a really stupid mistake.

    The cost was already pretty high. With the new measures they're taking I wouldn't expect something like this to happen again.
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Microsoft Hardens Windows Update

    Incidents like this convince me even more that making the install/update process a manually performed administrative task (with each install monitored) was the right decision. When your system relies on and automatically connects to someone elses servers, they become part of your attack surface.

    This does lead to another question that needs to be closely examined. What about the auto-update mechanism of other vendors? How many other update systems are vulnerable? This could potentially include AVs, the auto-updating of browsers and their extensions/plugins, maybe even other operating systems.
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    Re: Microsoft Hardens Windows Update

    You're absolutely correct.
    But whatcha gonna do?
    Most of us who run AVs want the most current updates.
    As it is, it has been demonstrated that an AV is not to be solely relied upon, so it at least makes the best sense to have the darn thing as current as possible. There has always been a question in the back of everyone's mind as to whether or not the auto-updating could be compromised.
    Now that likelihood looks that much more possible.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Re: Microsoft Hardens Windows Update

    Point taken, but what's the alternative? Auto-updating has become so common because people were too lazy to check themselves or wanted to stay off of a new version of software. Hell, there are people still groaning about Mozilla and Chrome auto-updating..the one piece of software most vulnerable to attack. It's hard to win in that department.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: Microsoft Hardens Windows Update

    This was not some simple attack. It involved having a cert out where it shouldn't be an an unprecedented collision attack. Even if other programs are using weak crypto for certs it's not like whipping up a collision is simple.

    The alternative is having a system full of holes and hoping that policy will make up for that - Chrome being hacked should prove that that's not the case. That's policy built from the kernel, strong MAC. It's always just a matter of chaining the right vulns.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Microsoft Hardens Windows Update

    You hit the nail right there, too lazy to check for themselves, a situation made worse by this "do like chrome does" rapid update policy. IMO, this is not allowing adequate time for test these updated versions. As for the alternative, I don't see a good alternative for the casual user. For the kind of users we have here, the alternative is to update manually, monitor the update process, and record the changes it makes. When I decide to update, I make a full system backup first, then install each update individually and watch every step of the process. On more than one occasion I've stopped and upgrade or install when I didn't like what I was seeing, like an app wanting to install a driver when I didn't feel it needed one, or an app that wouldn't install unless I let it call home first.
    I can understand why people groan about it. Broken extensions, settings being changed to their original values, etc. A lot of this updating is as much for marketing as for anything else. It's becoming more common for one of these rapid updates to be immediately followed by another because the first broke something or has some big flaw that was missed.

    Regarding updating a vulnerable attack surface app like the browser, users need to realize that it is vulnerable and potentially exploitable even when it is up to date. The users security policy should acknowledge that. With the proper configuration and application choices, the risk can be largely mitigated so that the user doesn't have to install the updated version the moment it comes out. SandBoxie is one example.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Re: Microsoft Hardens Windows Update

    You have a lot more trust in certificates that I do, and in a vendors ability to protect them. What you consider to be a strength, I regard as a vulnerability. Instead of a debate that runs the usual course, how about we agree to disagree and save a page or 2?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: Microsoft Hardens Windows Update

    This has nothing to do with the certificate system, which I hate. It's cryptography. Collision attacks are independent of the CA system and creating one is not easy but necessary for the attack.

    I have very little interest in arguing about it.

    I think there isn't really any progress to be had in a conversation that is about whether or not holes in software should be patched. I doubt I could see the other side of it for long enough to make sense of the mindset, which is probably clear given past conversations on the matter.
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Not your average day at the office...

    http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Why are people lazy? So, on one hand they're blamed for not updating, on the other hand, blamed for updating... automatically? You folks realize that it isn't just the operating system, but also e-mail clients, web browsers, IM, pdf readers, downloads manager, media players, Office/other, most likely Adobe Flash Player... speaking of which, the recent versions have automatic updates enabled. This is one plugin targeted a lot by cybercriminals, and now that Adobe introduced automatic updates, you call people lazy because they don't manually update? lol

    And, this kind of app, is what I'd imagine to be standard in most systems. Now, imagine people who have more than these "standard" apps installed in their systems. It's simply crazy to think to manually check everything, it's simply unrealistic... unless you got the time to do it.

    I don't even imagine the time it would require to manually check, etc., each update we download. I mean, checking with Virus Total, sandboxes, monitoring changes, etc... Heck... we're better off without computers. :argh:

    There are some things I manually update, but I do let Windows download, and after I choose the updates I want, they're automatically installed. Why should I be called lazy? Maybe you should be attacking those who don't harden their programs, etc., instead. ;)
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This seems to be a choice of words problem. I wasn't referring to the certificate system either. Maybe the proper term escapes me at the moment (CRS) but I was referring to the signing/verification system itself. I consider it vulnerable if not already broken or otherwise compromised. Besides the breaking of or effective forging of these (such as this "collision attack") I would add the potential for theft or mishandling of these certificates, either by the vendor directly or a 3rd party that demands it, NSA for instance. Since it appears that Flame is signed using one of these fake certificates, the 3rd party (mis)use/mishandling looks quite possible.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    120,768
    Location:
    Texas
    https://blogs.technet.com/b/wsus/ar...ng-of-wsus-now-available.aspx?Redirected=true
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Certificates are independent of the certificate system and CAs.

    It's MD5 that's why collision was possible.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    Thanks for the heads up, Ron!

    Windows Update update.jpg
     
  16. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    I am not getting the update for Windows Update yet when I check for updates. o_O
     
  17. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    494
    Location:
    italy
    +1...
     
  18. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    It's apparently due for this months Windows Update batch on Tuesday/Wednesday, not sure how he managed to get it already.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    It also installed on my XP box at the same time.
    I have auto-updating disabled and upon checking manually, both 7 and XP installed it.
    The technet blog quoted by Ron yesterday did say, "This update is now available for download."

     
  20. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    They might be phasing it out or deploying it to different areas of the world at different times then. Still not showing for me.
     
  21. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    An acquantaince of mine who works for Microsoft support said that Microsoft has withdrawn the Windows Update Agent from the update servers.
     
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    But the acquaintance didn't say why? o_O
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,705
    Location:
    USA
    So has the update to further harden the Windows Server Update Services (WSUS) been released along with the rest of them?
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    120,768
    Location:
    Texas
    http://support.microsoft.com/kb/894199
     
  25. King Grub

    King Grub Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    818
    Nope. I guess something was wrong with it.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.