Windows Update vulnerability puts corporate networks at risk from malicious insiders, warn researchers
Windows Update 'may be hiding some serious threats' claim Context security researchers
A Windows Update vulnerability can be abused by insiders to attack corporate networks from within, by exploiting insecurely configured enterprise deployments of Windows Server Update Services (WSUS).
The warning comes shortly after Microsoft released Windows 10, an operating system the Redmond firm claims to be its most secure ever.
However, speaking at the Black Hat USA security conference, researchers from Context Information Security demonstrated how they were able to exploit the WSUS weakness to set up fake updates that installed automatically.
These fake updates could potentially be used to install a data-stealing Trojan or other malware, or to create an administrator account with attacker-chosen credentials. Any Windows computer that fetches updates from a WSUS server over a non-https URL is vulnerable, the researchers warned.
"It's a simple case of a common configuration problem," said Paul Stone, principal consultant at Context.
"While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use https. But for those that don't it presents an opportunity for an administrator to compromise complete corporate networks in one go."
An organisation can quickly determine whether it is vulnerable by checking its WSUS group policy settings (the "Specify intranet Microsoft update service location" policy under Windows Update). If the update server URL configured for a machine does not begin with https://, that machine is vulnerable to having injected updates served to it.
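The check described above, scripted for a single client. This is an added example and not code from Context or the article; the function and parameter names are my own. It reads the registry values that the WSUS group policy writes (WUServer, WUStatusServer and UseWUServer under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) and flags any configured update source that is not https.

```powershell
# Added example (not from Context's research or the article): audit the WSUS
# client policy on the local machine and flag plain-http update sources.
# Function and parameter names are illustrative, not a Microsoft API.
function Test-WsusTransport {
    [CmdletBinding()]
    param(
        # Registry path that the "Specify intranet Microsoft update service
        # location" group policy writes to. Overridable so the check can be
        # pointed at a test key or a loaded offline hive.
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $au = Get-ItemProperty -Path "$PolicyPath\AU" -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    # UseWUServer = 1 means the client is actually directed to the intranet
    # server; otherwise it talks to Microsoft directly and the WSUS URLs are
    # not in use.
    $usesWsus = ($au.UseWUServer -eq 1)

    $findings = foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $wu.$name
        $configured = -not [string]::IsNullOrEmpty($url)
        [pscustomobject]@{
            Setting    = $name
            Url        = $url
            Configured = $configured
            # Anything that is not https:// sends update metadata in the clear,
            # where an insider on the path can tamper with it.
            Vulnerable = ($usesWsus -and $configured -and ($url -notmatch '^https://'))
        }
    }

    [pscustomobject]@{
        UsesWsus   = $usesWsus
        Findings   = $findings
        Vulnerable = (@($findings | Where-Object Vulnerable).Count -gt 0)
    }
}

# Usage on the local machine
$result = Test-WsusTransport
$result.Findings | Format-Table -AutoSize
if ($result.Vulnerable) {
    Write-Warning 'WSUS client fetches updates over plain http; update metadata can be modified in transit.'
} elseif (-not $result.UsesWsus) {
    Write-Output 'Client is not configured to use an intranet WSUS server.'
} else {
    Write-Output 'All configured WSUS URLs use https.'
}
```

To sweep a fleet, wrap the function in Invoke-Command against a list of hosts and collect the Findings objects. If the check reports http URLs, the remediation is the one Microsoft documents: enable SSL on the WSUS server (wsusutil.exe configuressl with the server's FQDN) and then point the group policy at the https:// URL.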
Following Microsoft guidelines for SSL will protect against this sort of attack, but Context also suggested employing additional methods for further protection.
"Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering," said Alex Chapman, principal consultant at Context.
"Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server," he added.
The Context security researchers also raised concerns about third-party drivers installed via Windows update. A total of 25,000 potential USB drivers can be downloaded, but the list includes many duplicates and obsolete versions.
"We have started to download and investigate some 2,284 third-party drivers," said Stone.
"Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes," he continued.
"Everyone is familiar with the 'searching for Drivers' and 'Windows Update' dialogue boxes on their desktops - but these seemingly innocuous windows may be hiding some serious threats," Stone concluded.
Earlier this year, researchers warned of a Windows vulnerability named "Redirect to SMB" that could potentially affect millions of computers and allow attackers to capture victims' Windows login credentials.