Steve Lamb's Blog

Security Matters

Blogs

How does Windows Update guard against "fake updates" trojans et al?

  • Comments 5
  • Likes

A number of people have asked me "can we REALLY trust the Windows Update site? What if it were hacked and fake "updates" were put on for users to download which were actually spyware/viruses/worms and the like? Has it ever been compromised by a 3rd party? Is it possible that it could be? Is it 100% hack free? A lot of computer users rely on this site so would assume all the downloads on there are 100% microsoft - a hacker's dream; 100's of unsuspecting computer users..."

There are a number of precautions taken by the update mechanism to mitigate these threats. But of course I would say that! Specifically the updates are digitally signed (with the private key of the author - held only by the update author), the client machines all have a copy of the public key which can be used to verify that the source of the updates is indeed Windows Update (and not a spoofed site) and that their content has not changed. We use this technique to validate software delivery of both updates and the original software at install time - this is what's mean by the marketing term Authenticode. It's pretty cool as it all happens behind the scenes - the user is only involved if there's a compromise.

 

Comments
  • What digital signature algorithm is used?

  • ok, so what happens when spyware replaces the public key on the computer so that the clinet can not install updates?

  • Kevin> If Spyware "replaces the public key on the computer" then you have a bigger problem - the machine is already "owned" / compromised / wide open as the Spyware would already have SuperUser(Admin / root in the UNIX world) access to your machine!

    This not meant as a flippant response - just being realistic. Many users run as Administrator/root all of the time and therefore any malicious code they accidentally run inherits the same level of privilege. Windows XP(and most UNIXs) provide the means to run as a non-priv user for day to day activities and lets you switch to a privileged account for software installation and system maintenance.

  • I've just written some comments on this topic in my own blog (see link behind my name for the posting).

    Making half a billion people critically dependent on Authenticode, and on a specific code signing key, is not wise. "It's digitally signed" simply isn't sufficient assurance for those of us who see time and time again the faults that occur in software.

    The best defence against unexpected flaws is robustness and simplicity. The Authenticode verification on Microsoft Windows Update is neither robust nor simple.

    It is my strong suspicion that I, personally, were I to devote my spare time for a few months to the problem, could hack Windows Update. My estimation is that there are of the order of a few thousand other people with the same intelligence, mindset, education and experience as me in the world.

    Now, fortunately, I'm a concerned, sane and mainly well-adjusted Windows 2000 user, who won't upgrade to Windows XP because the increased reliance on digital certification alarms him. Were I the kind of amoral hacker geek who could be lured into the employ of Syrian secret services by a couple of suitcases full of $100 bills, this could be a major problem.

    In talking with people over the past few years, I've realised most people don't appreciate just how fragile the edifice might be. While the recent SHA-1 result may open people's eyes, it will also make saboteurs and terrorists sit up and take notice. Microsoft has to act faster than them; by 2010 "it's digitally signed so it's safe" for Authenticode will ring as false as "perfect sound forever" now does about CD.

    The Windows Update code-signing mechanism should have been a trivial concatenation of code lump and signature, using a predetermined algorithm and a predetermined key. Authenticode embedding in executables, ASN.1, X509, CryptoAPI, certification chains and all the rest are dangerous complexity and should have been avoided at all costs.

    After all, the complexity is there so various parameters of the signing system can be changed later, but Microsoft can do that anyway, through the Windows Update mechanism itself!

    This is all textbook stuff, what any good undergraduate course on cryptographic security engineering would teach. (Sadly, most Computer Science degrees don't include such a course.) That Microsoft has so plainly got the fundamentals wrong gives me little confidence that they detail is right.

    There is a clear and present danger to Western civilization from this issue: http://www.ccianet.org/papers/cyberinsecurity.pdf

  • My colleague John Howard recently added a post talking about upgrading the firmware on his wireless router...