Hacker Claiming He Can Exploit Windows Update
A hacker who stole SSL certificates from a Dutch-based certificate authority claims that he can distribute malware through Microsoft's Windows Update.
There's a hacker out there somewhere claiming that he can issue fake updates to Windows-based desktops and laptops thanks to a set of stolen digital certificates. This means he has the potential to pump malware into Microsoft's Windows Update service and infect the entire Windows user base.
Calling himself "Comodohacker," the supposed 21-year-old Iran resident recently took credit for several attacks against certificate authorities (CA) – organizations and companies authorized to issue secure socket layer (SSL) certificates – including one against Comodo in March, and one just recently involving Dutch-based DigiNotar and 531 stolen certificates. It was this latest DigiNotar hack in which Comodohacker retrieved several certificates that could be used to impersonate Microsoft’s Update services.
"I'm able to issue Windows update[s]," Comodohacker claims in one of several posts over on Pastebin. "Microsoft's statement about Windows Update and that I can't issue such update is totally false!"
Sunday Microsoft said that there was absolutely no way the stolen digital certificates could be used to distribute malware via Windows Update.
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC). "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."
Ness also added that for an attack to succeed, the hacker must have been issued a digital certificate for the server or domain to which the client is initiating a connection, and must also be in a position to tamper with the connection in progress: sitting on the victim's local network, owning or operating the network infrastructure between the victim client and the listening server, controlling the DNS server used by the victim's ISP, or influencing the victim's choice of DNS server via DHCP responses if the client gets its DNS settings via DHCP.
But according to Comodohacker, he has already reversed the entire Windows update protocol.
"How it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?"
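As an added illustration of the checks both sides are describing (not code from the article, from Microsoft or from the Pastebin posts), the Go program below models a client that fetches an XML manifest carrying a URL, KB number and SHA-1, then verifies the downloaded bytes against that hash and against a signature from a pinned vendor key, the analogue of WinVerifyTrust checking against the Microsoft root. The manifest schema, the update.example host, the KB number and the Ed25519 key are all constructed stand-ins; what it shows is that a party controlling the TLS channel can rewrite the manifest and payload but cannot pass the pinned-key check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest stands in for the per-update XML record (URL, KB number, SHA-1 of the file); element names are assumptions.
type Manifest struct {
	URL  string `xml:"url"`
	KB   string `xml:"kb"`
	SHA1 string `xml:"sha1"`
}

// Update is what the client holds after the download: the manifest fetched over TLS,
// the payload bytes, and the vendor's signature over the payload (the Authenticode analogue).
type Update struct {
	ManifestXML, Payload, Signature []byte
}

var ErrManifest = errors.New("manifest does not parse")
var ErrHash = errors.New("payload SHA-1 does not match manifest")
var ErrSig = errors.New("payload not signed by the pinned vendor key")

// NewSigningKey makes a fresh Ed25519 pair; the public half is what the client pins (constructed stand-in for the vendor root).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the server side: build the manifest for a payload and sign the payload bytes.
func Publish(priv ed25519.PrivateKey, kb string, payload []byte) Update {
	sum := sha1.Sum(payload)
	m := Manifest{"https://update.example/" + kb + ".msu", kb, hex.EncodeToString(sum[:])}
	xmlBytes, _ := xml.Marshal(m)
	return Update{xmlBytes, payload, ed25519.Sign(priv, payload)}
}

// Verify is the client side: check the SHA-1 from the manifest, then the signature
// against the pinned key. The TLS certificate is deliberately not an input, so a
// fraudulent server certificate gets an intermediary past neither check.
func Verify(u Update, pinned ed25519.PublicKey) error {
	var m Manifest
	if err := xml.Unmarshal(u.ManifestXML, &m); err != nil {
		return ErrManifest
	}
	if sum := sha1.Sum(u.Payload); hex.EncodeToString(sum[:]) != m.SHA1 {
		return ErrHash
	}
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return ErrSig
	}
	return nil
}

func main() {
	pinnedPub, vendorPriv := NewSigningKey()
	_, otherPriv := NewSigningKey() // a key the client does not pin
	fmt.Println(Verify(Publish(vendorPriv, "KB0000000", []byte("constructed update")), pinnedPub))     // <nil>
	fmt.Println(Verify(Publish(otherPriv, "KB0000000", []byte("constructed substitute")), pinnedPub)) // payload not signed by the pinned vendor key
}
```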
Tuesday Microsoft responded by blocking the now-revoked DigiNotar certificates through a Windows update; a hacker would need an entirely new certificate in order to imitate Windows Update. Meanwhile, Comodohacker says that more is to come.
"Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!" he said.
I am curious to see who's right here... Microsoft or the hacker.
Only time will tell I guess.
Unless this fellow managed to acquire Microsoft's private update signing keys, I'd say he's just looking for attention. (Does Microsoft even distribute updates via SSL? It seems like it would be a massive waste of server CPU time when updates don't really contain sensitive information.)
boy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts
Trying so hard to work for the FBI. Why are they all such attention whores? You have skills, you took the time and effort to acquire them, why end up acting like a child? What's the purpose of it? Someone's got to stop this insanity, it's the wild west here. Gov should interfere, freedom isn't worth this annoyance.
Cool story. That's why I have Windows Updates off - not needed. It's one more reason to like Win7 - it works out of the box. No updates needed. And if I'll ever, for some bizarre reason, need an update, I'll just download it manually.
It seems to me like this hacker is saying these things to convince people that windows updates are a bad thing, and you are falling for it. He is employing an old tactic, in which the threat itself is empty, but the reaction he hopes to get from people is what counts. In this case those who believe the threat are made vulnerable to other more real attacks because they are not getting regular security updates.
Just be aware, Comodohacker... don't tick off the wrong people as Lulzsec and Anonymous did.
http://www.tomsguide.com/us/The-Je [...] 11998.html
Yup, I absolutely agree, hackers aren't so kiddish.
Grow up man, become a hacker, don't publicize it, just do it like Nike says...
I guess his 15 seconds of fame are up, eh...
Or then, maybe, the actual walk on the wild side is scaring you... eh, Comodohacker...
Need to rename or get a better ID; Commode Hacker suits you fine...
I don't care about security updates or whatever scary things hackers or antivirus companies tell us. I have logic and I know how computers work; you can't just "infiltrate" or "hack into" a machine like they scare you. Unless I download and run a harmful executable, there will be no harm done to my computer. Proven by 3 years of malware/antivirus-free experience. Best antivirus is common sense; if you don't have it, nothing will help (unless you wanna slow down your PC to a moronic extent, lol, like having UAC asking you about literally EVERY action or something).
"freedom isn't worth this annoyance."
AUTHOR: Thomas Jefferson (1743–1826)
QUOTATION: The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. It is its natural manure.
Why don't fag hackers like this use their "skills" for something useful? So gay that they're always trying to stir shi*. The technology world could be an awesome place if we all worked towards the greater good, which is obv conveyor belt paths EVERYWHERE!
I agree with you but to answer your question: money. You can get a TON of money by selling exploits on the black/criminal market.
The black/criminal market already has in its employment a horde of geeks who do it for them...
Just another blowhard trying to get the press to look at him.
Why not use your skills to get a killer job and make money or is it you have like 5 0days and a bank full of cash and don't care. I will guess this guy didn't get enough attention from his parents as a kid.
So then I guess you don't use the internet, right? Because every time another program (not limited to just web browsers) accesses the internet, it has some authority to run and download other files. Not all viruses are .exe files, and many types of malware can infiltrate your computer simply by visiting a webpage. Every time you "view" a web page, your web browser is downloading files to your hard drive. Whenever Windows, Adobe, your web browser, Java, or games download updates, there is a potential to be hacked. Programs are not written perfectly; people can use exploits to distribute viruses and obtain personal information without you knowing about it. Every time you install security updates you have to give administrative permission to do so, but not installing the updates makes it even easier to be hacked, so you can't ignore them. Whenever a file not originating from the PC is written to the hard drive (even from CDs and flash drives, or memory cards), there is a potential for malware, spyware, or viruses. In fact, through exploits using flash drives and other physical media, it is possible to become infected without ever being connected to the internet at all. Because people are constantly finding loopholes through programs like web browsers, Flash, and product updates (even "safe" products), common sense alone will not prevent viruses. In fact, common sense says install an anti-virus, something you aren't doing, correct? If you really need to squeeze every bit of performance out of your computer, either upgrade it or find a minimal antivirus program. There are plenty out there that do not hog resources; not every antivirus acts like Norton.
My programs don't connect to the Internet. (Clarification for slowpokes: they're prevented from connecting/updating by their settings and the firewall.) I don't need to squeeze every bit of performance out of my computer... at least the main one. Thing is, if I ever install an antivirus, it NEVER finds anything. That's enough for me to consider my method a success. And as I said, I never update anything unless I NEED it, in which case I download an update manually.
USB drives: switch off Autorun; done. You have to know what kind of files you're copying; I don't know what kind of USB devices YOU are dealing with, but the worst thing I've ever seen on a USB was an autorun virus (a few different ones), and if Autorun is off, you can delete them manually. Again, if there's something evil on the USB device, it'll be an executable. Don't run executables that you don't trust.
Viruses are a bogeyman to make people who don't know enough about their computers give the antivirus companies their money. I agree that there're loopholes, however, it's very easy to close them. I've heard too much BS about scary viruses that allegedly infect every Windows machine once it's connected to the net; I'm tired of hearing it all over.
Every piece of software that doesn't improve the way I work with my computers is useless for me. Antiviruses are exactly that.
YES! Thank you, Soiled! Mr. Jefferson, I salute you!
I know it can be done; examples of this are the games' cracked servers. Even without user intervention, I have disabled automatic updates and guess what, the Tuesday update does install by itself.
So for 3 years you have run without antivirus. What a big clever boy you are, and you are virus-free and un-hackable, you say! So if you have no anti-virus software, how do you know you are not infected? Run through the millions of lines of code yourself?
It's idiotic statements like this that create misconceptions as to what common sense is! For goodness' sake, man, install a free antivirus suite now and scan your machine, then update it! THAT is common sense!
@amk-aka-phantom: Windows Updates not needed? You're running the single most vulnerable operating system on the market, and you don't think that updating it is needed? Sorry friend, but unless your computer never touches an internet connection, you're asking to be Metasploited by some script kiddie.
Just had a critical patch from MS on certificate updates.
amphantom: While it may be fun to rag on Ubuntu's occasional update-of-death, Windows and OSX both have worse track records of screwing up PCs with updates. Even the very mature XP has had several updates completely take down PCs en masse, even in the brief time since SP3 was released.
To the not-understanding-networking-at-all-but-considering-self-hacker-savvy crowd: Assuming you have your PC behind a somewhat respectable router and not plugged into a modem directly, it's almost impossible to get directly hacked without initiating the communication. Unfortunately, Windows is still the most vulnerable OS on the planet. It is STILL possible to get a virus installed on your PC just by clicking on a link, without even being prompted by UAC (that legendary faux Windows Explorer to faux antivirus virus is a good example).
Linux hacks are still mostly limited to screwing up your ill-programmed web application being served on your ill-configured Apache server; anything else requires you to somehow actually steal somebody's actual credentials and log in as them (locally, and possibly remotely if SSH is installed), via phishing, etc...
Some malware is coded such that when you scan, it will not be detected; once you're infected no AV will do anything to save you. The only way would be scanning with an external machine with a different OS, so you might indeed have a bunch of malware in your system right now.
Well, in this case antivirus wouldn't help anyway, right?
@all of you who accuse me of needing attention: Lol, cool story... except that you forgot that we're in the News Comments section and it's for opinions. My opinion gives you butthurt? Goal achieved, then, but don't be such pathetic whiners.
Suppose he does (more likely, though, that I'll win a US-only lottery draw, lol) - I'll have a fresh fully functional install within two or three hours... if he manages to cause any harm.
Um, some viruses infect the motherboard BIOS, graphics card BIOS and even peripherals like mice and keyboards. Can you imagine having to reformat several times not knowing where they come from each time you boot your computer? You physically yank the Ethernet cable and you're STILL infected.
I've been using Arch Linux as my main OS for almost two years now. Not ONCE did it die after a system-wide update. And this is a rolling release distribution, mind you. Meaning everything is fresh from the bakery! In case something does go wrong I can always chroot from a Live USB stick. I know how, I've done it before. Had to reinstall Windows XP once and that biatch replaced the GRUB2 master boot record. Honestly, it wasn't that difficult to fix it. Someone else might have pooped their pants (probably myself included when I was younger and still used Winamp and Y!M).
Anyway. Antiviruses. Last year or so, the hosts of the "Security Now" podcast talked about McAfee issuing an update which saw "svchost.exe" as a virus, quarantined it, and left some 40,000 businesses with unbootable PCs. Cool, huh? This was the top-tier "business" class antivirus suite too. The expensive one. http://www.zdnet.com/blog/bott/def [...] p-pcs/2003
PS: I would've done it first (and probably change the wallpaper to Rick Astley + the appropriate boot/shutdown sounds to a few million users or so) instead of bragging about it and giving M$ a chance to fix it.
That is SUCH BS. You can't infect mice or keyboards!
EDIT: You're surprised that WinXP wiped GRUB? I've fixed that particular problem many, many times... it's more annoying when NT loader breaks and trolls you with "HAL.DLL is missing" error - at least GRUB is easy to reinstall...
Lay off the topic of updates, I was joking
See? You yourself confirmed that antiviruses can be damn stupid. Actually, I had one that kept deleting my Notepad.exe. So I brought Notepad.exe from another machine - wiped again! Okay, so I got curious, quickly installed XP in a VM and pulled Notepad.exe out of there... deleted once it got onto the machine. It wasn't infected, of course, just the antivirus was screwing around again.
That is SUCH BS. You can't infect mice or keyboards! And BIOS/VBIOS/boot sector viruses are non-existent nowadays. THAT is what I mean by scary virus tales...
You'd be surprised how much information those chips can hold. All it needs is a few lines of code that can (virtually) tap the backspace key once in a while to annoy the shit out of you, or maybe something even more evil, like looking for recurring phrases (which are usually usernames and passwords). Since most passwords are shown as " ****** ", all it has to do is replace one of them (in the final 6 characters so it doesn't show up in the username, because you'll obviously notice it then).
Oh, and BIOS manufacturers intentionally leave more free space in case they need to issue an update. So it can hold even more complex code.
You'll never log into anything again, I PROMISE YOU. It will take a good amount of time to figure it out, and you'll have to replace the keyboard.
Dude, that's bat$h!t insane. Stop.
Be afraid... Be very afraid!
I hope he tries something. I'd like to see his "smart, sharp, dangerous, powerful, etc. huh?" ass wiggle out of Deathlord Ballmer's deathgrip.