The lack of encryption opens the door to man-in-the-middle (MitM) attacks, this means that an attacker can inject malicious code in the legitimate traffic, for example replacing software updates with trojanized version of the patch.

The researchers Paul Stone and Alex Chapman explained that attacks against the Windows Server Update Services are very easy to carry on and don’t request high privileges to push malicious updates.

Let’s remember that all update packages available on the Microsoft Update website are digitally signed, a measure used to ensure authenticity and integrity.

However, as explained by the experts the attackers can alter Windows Update by installing malware in the metadata of the update.

“It’s a simple case of a common configuration problem,”“While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.” researchers said in the paper.”By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates to execute arbitrary commands,” researchers said in the paper.

The experts explained that an attacker can inject malware in the SOAP XML communication between the WSUS server and the client, in this way there is no way for the client to distinguish a legitimate update from a bogus one.

Another element of concern for the Windows update process is that it includes more than 25,000 drivers developed by third-party companies. Potentially each driver could open the door to the hackers due to the presence of security flaws.

“We have started to download and investigate some 2,284 third-party drivers,” said Paul. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the ‘searching for Drivers’ and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”

The researchers demonstrated the attack at the Black Hat 2105 conference in Las Vegas, a detailed paper titled “WSUSpect: Compromising the Windows Enterprise via Windows Update” is available online.

Pierluigi Paganini

(Security Affairs – Windows Server Update Services, Hacking)