Hacker claims he can exploit Windows Update
Microsoft again contends code signing prevents malware installs via update service
Computerworld - The hacker who calls himself "Comodohacker" said this week that he could have used digital certificates stolen from a Dutch firm to issue fake updates to Windows PCs.
If Comodohacker's assertion is accurate, he would have been able to push malware to Windows machines via the operating system's Windows Update service.
Microsoft said that was impossible.
Comodohacker, who claims to be a 21-year-old Iranian, has taken credit for several attacks against certificate authorities, or CAs, the organizations and companies authorized to issue SSL (secure socket layer) certificates. In two of those attacks -- of Comodo in March and more recently of DigiNotar -- certificates were fraudulently generated.
Among the 531 certificates stolen in the hack of Dutch-based DigiNotar were several that could be used to impersonate Microsoft's update services.
Comodohacker said he could exploit those certificates.
"I'm able to issue Windows update[s]," Comodohacker claimed in one of several statements he has posted this week on Pastebin. "Microsoft's statement about Windows Update and that I can't issue such update is totally false!"
Last weekend, Microsoft said that the certificates stolen from DigiNotar weren't enough to deliver actual updates.
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, principal development security lead with the Microsoft Security Response Center (MSRC), in a blog post last Sunday. "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."
Ness also said that even if a hacker was equipped with a fake certificate, "Windows Update itself is not at risk."
When asked Thursday to comment on Comodohacker's claims, Microsoft would only refer to Ness' earlier remarks.
Comodohacker, however, bragged that, he had "already reversed ENTIRE windows update protocol" and could hijack the service. "I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc.," he claimed.
Hackers would now need a different certificate to imitate Windows Update: The certificates pinched from DigiNotar have been revoked and Microsoft has blocked their use within Windows with an update that shipped Tuesday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- Pragmatic Endpoint Management: Empowering an SMB Workforce in the Age of Mobility Lacking the time for proper training and education, SMB administrators often resort to taking shortcuts to keep their environment running.This paper discusses the...
- Gartner Magic Quadrant for Application Security The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts