Windows Update poses threat to corporate networks

Researchers claim any updates from a WSUS server using a non-HTTPS URL are vulnerable.

By CBR Staff Writer

Windows Update can be misused to attack corporate networks through exploitation of insecurely configured enterprise implementations of Windows Server Update Services (WSUS), security researchers have claimed.

WSUS allows admins to co-ordinate software updates to servers and desktops throughout their organisations, but the Microsoft default install for WSUS is to use HTTP and not SSL-encrypted HTTPS delivery.

By exploiting this weakness, Context Information Security researchers were able to use low-privileged access rights to set up fake updates that installed automatically.

These updates could potentially download a Trojan or other malware and be used to set up admin access with a false user name and password. Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable.

Organisations can identify the vulnerability by checking the WSUS group policy settings. Individual machines can be scanned by checking the configured WSUS URL: a URL without https is expected to be vulnerable.
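The check described above can be scripted per machine. The following PowerShell is an added example, not code from Context or Microsoft; it assumes the standard Windows Update policy registry location written by Group Policy, and the function names and sample URLs are made up for illustration.

```powershell
# Added example: audit the WSUS client policy on the local machine.
# Assumption: Group Policy writes the WSUS settings to the standard
# Windows Update policy key read below.
function Test-WsusUrl {
    param([string]$Url)
    # Classify one configured update URL. Empty means no policy value is set.
    if ([string]::IsNullOrWhiteSpace($Url)) { return 'NotConfigured' }
    $uri = $null
    if (-not [Uri]::TryCreate($Url.Trim(), [UriKind]::Absolute, [ref]$uri)) {
        return 'Unparseable'
    }
    if ($uri.Scheme -eq 'https') { return 'HTTPS' }
    return 'Vulnerable'   # http:// or any other non-HTTPS scheme
}

function Get-WsusTransportAudit {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    # UseWUServer = 1 means the client really fetches updates from WSUS.
    $inUse = ($null -ne $au) -and ($au.UseWUServer -eq 1)
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = if ($wu) { $wu.$name } else { $null }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Setting   = $name
            Url       = $value
            WsusInUse = $inUse
            Result    = Test-WsusUrl -Url $value
        }
    }
}

# Constructed sample values (not from the article) showing the classification.
$samples = 'http://wsus.example.internal:8530',
           'https://wsus.example.internal:8531',
           ''
foreach ($s in $samples) { '{0,-40} {1}' -f $s, (Test-WsusUrl -Url $s) }

# Audit of the machine the script runs on.
Get-WsusTransportAudit | Format-Table -AutoSize
```

A row with `Result` of `Vulnerable` and `WsusInUse` of `True` is the condition the researchers describe: the client is fetching updates from WSUS over a non-HTTPS URL.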

Researchers from Context said that users must follow Microsoft's guidelines to use SSL for WSUS to protect their systems, and suggested that Microsoft could implement further ‘defence in depth’ mitigations to offer additional protection.

Black Hat joint presenter Alex Chapman said: "Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering.

"Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server."
