Hacker Claiming He Can Exploit Windows Update

There's a hacker out there somewhere claiming that he can issue fake updates to Windows-based desktops and laptops thanks to a set of stolen digital certificates. This means he has the potential to pump malware into Microsoft's Windows Update service and infect the entire Windows user base.

Calling himself "Comodohacker," the supposed 21-year-old Iran resident recently took credit for several attacks against certificate authorities (CA) – organizations and companies authorized to issue secure socket layer (SSL) certificates – including one against Comodo in March, and one just recently involving Dutch-based DigiNotar and 531 stolen certificates. It was this latest DigiNotar hack in which Comodohacker retrieved several certificates that could be used to impersonate Microsoft’s Update services.

"I'm able to issue Windows update[s]," Comodohacker claims in one of several posts over on Pastebin. "Microsoft's statement about Windows Update and that I can't issue such update is totally false!”

Sunday Microsoft said that there was absolutely no way the stolen digital certificates could be used to distribute malware via Windows Update.

"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC). "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."

Ness also added that in order for an attack to be successful, the hacker must have been issued a digital certificate for the server or domain to which the client is initiating a connection. The attacker must also be able to tamper with the conversation in progress while on the local network, must own or operate the network infrastructure between the victim client and the listening server, must control the DNS server used by the victim's ISP, or influence the victim's choice of DNS server via DHCP responses if a client gets DNS settings via DHCP.

But according to Comodohacker, he has already reversed the entire Windows update protocol.

"How it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?"

Tuesday Microsoft retaliated by blocking the now-revoked DigiNotar certificates in a Windows update – a hacker will need an entirely new certificate in order to imitate Windows Update. Meanwhile, Comodohacker says that more is to come.

"Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!" he said.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
83 comments
    Your comment
    Top Comments
  • cookoy
    boy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts
    28
  • husker
    amk-aka-phantomCool story. That's why I have Windows Updates off - not needed. It's one more reason to like Win7 - it works out of the box. No updates needed. And if I'll ever, for some bizarre reason, need an update, I'll just download it manually.

    It seems to me like this hacker is saying these things to convince people that windows updates are a bad thing, and you are falling for it. He is employing an old tactic, in which the threat itself is empty, but the reaction he hopes to get from people is what counts. In this case those who believe the threat are made vulnerable to other more real attacks because they are not getting regular security updates.
    24
  • joytech22
    I am curious to see who's right here.. Microsoft of the Hacker.
    Only time will tell I guess.
    16
  • Other Comments
  • joytech22
    I am curious to see who's right here.. Microsoft of the Hacker.
    Only time will tell I guess.
    16
  • nonoitall
    Unless this fellow managed to acquire Microsoft's private update signing keys, I'd say he's just looking for attention. (Does Microsoft even distribute updates via SSL? It seems like it would be a massive waste of server CPU time when updates don't really contain sensitive information.)
    15
  • cookoy
    boy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts
    28