New Paper Released: WSUSpect – Compromising the Windows Enterprise via Windows Update
Today, we released a paper titled 'WSUSpect – Compromising the Windows Enterprise via Windows Update' which accompanies the talk presented by two of our senior researchers at Black Hat USA 2015.
The presentation demonstrates how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS).
“It’s a simple case of a common configuration problem,” says Paul Stone, one of our senior researchers presenting at Black Hat. “While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.”
Organisations can quickly find out if they are vulnerable by checking the WSUS group policy settings, while it is possible to check if an individual machine is incorrectly configured by looking at the appropriate registry keys. If the URL does not start with https, then the computer is vulnerable to the injection attack.
While following Microsoft’s guidelines to use SSL for WSUS will protect against the described attacks, our researchers also suggest that there are further ‘defence in depth’ mitigations that could be implemented by Microsoft to provide further protection.
“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” says Alex Chapman, senior researcher and joint presenter at Black Hat. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”
During the presentation, our researchers also raise concerns about third-party drivers installed via Windows update. There are over 25,000 potential USB drivers that can be downloaded – although this list includes many duplicates, generic drivers and obsolete versions.
“We have started to download and investigate some 2,284 third-party drivers,” said Paul. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the 'searching for Drivers' and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”
A detailed paper to accompany the Black Hat presentation entitled ‘Compromising the Windows Enterprise via Windows Update’ can be downloaded here.