Sign in with
Sign up | Sign in

Hacker Claiming He Can Exploit Windows Update

By - Source: Pastebin | B 83 comments

A hacker who stole SSL certificates from a Dutch-based certificate authority claims that he can distribute malware through Microsoft's Windows Update.

There's a hacker out there somewhere claiming that he can issue fake updates to Windows-based desktops and laptops thanks to a set of stolen digital certificates. This means he has the potential to pump malware into Microsoft's Windows Update service and infect the entire Windows user base.

Calling himself "Comodohacker," the supposed 21-year-old Iran resident recently took credit for several attacks against certificate authorities (CA) – organizations and companies authorized to issue secure socket layer (SSL) certificates – including one against Comodo in March, and one just recently involving Dutch-based DigiNotar and 531 stolen certificates. It was this latest DigiNotar hack in which Comodohacker retrieved several certificates that could be used to impersonate Microsoft’s Update services.

"I'm able to issue Windows update[s]," Comodohacker claims in one of several posts over on Pastebin. "Microsoft's statement about Windows Update and that I can't issue such update is totally false!”

Sunday Microsoft said that there was absolutely no way the stolen digital certificates could be used to distribute malware via Windows Update.

"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC). "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."

Ness also added that in order for an attack to be successful, the hacker must have been issued a digital certificate for the server or domain to which the client is initiating a connection. The attacker must also be able to tamper with the conversation in progress while on the local network, must own or operate the network infrastructure between the victim client and the listening server, must control the DNS server used by the victim's ISP, or influence the victim's choice of DNS server via DHCP responses if a client gets DNS settings via DHCP.

But according to Comodohacker, he has already reversed the entire Windows update protocol.

"How it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?"

Tuesday Microsoft retaliated by blocking the now-revoked DigiNotar certificates in a Windows update – a hacker will need an entirely new certificate in order to imitate Windows Update. Meanwhile, Comodohacker says that more is to come.

"Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!" he said.

Display 83 Comments.
This thread is closed for comments
Top Comments
  • 28 Hide
    cookoy , September 10, 2011 10:47 AM
    boy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts
  • 24 Hide
    husker , September 10, 2011 11:48 AM
    amk-aka-phantomCool story. That's why I have Windows Updates off - not needed. It's one more reason to like Win7 - it works out of the box. No updates needed. And if I'll ever, for some bizarre reason, need an update, I'll just download it manually.

    It seems to me like this hacker is saying these things to convince people that windows updates are a bad thing, and you are falling for it. He is employing an old tactic, in which the threat itself is empty, but the reaction he hopes to get from people is what counts. In this case those who believe the threat are made vulnerable to other more real attacks because they are not getting regular security updates.
  • 16 Hide
    joytech22 , September 10, 2011 10:08 AM
    I am curious to see who's right here.. Microsoft of the Hacker.
    Only time will tell I guess.
Other Comments
  • 16 Hide
    joytech22 , September 10, 2011 10:08 AM
    I am curious to see who's right here.. Microsoft of the Hacker.
    Only time will tell I guess.
  • 15 Hide
    nonoitall , September 10, 2011 10:40 AM
    Unless this fellow managed to acquire Microsoft's private update signing keys, I'd say he's just looking for attention. (Does Microsoft even distribute updates via SSL? It seems like it would be a massive waste of server CPU time when updates don't really contain sensitive information.)
  • 28 Hide
    cookoy , September 10, 2011 10:47 AM
    boy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts
  • 24 Hide
    husker , September 10, 2011 11:48 AM
    amk-aka-phantomCool story. That's why I have Windows Updates off - not needed. It's one more reason to like Win7 - it works out of the box. No updates needed. And if I'll ever, for some bizarre reason, need an update, I'll just download it manually.

    It seems to me like this hacker is saying these things to convince people that windows updates are a bad thing, and you are falling for it. He is employing an old tactic, in which the threat itself is empty, but the reaction he hopes to get from people is what counts. In this case those who believe the threat are made vulnerable to other more real attacks because they are not getting regular security updates.
  • 6 Hide
    warmon6 , September 10, 2011 12:13 PM
    just be aware Comodohacker.... dont tick off the wrong people as Lulzsec and anonymous did.

    http://www.tomsguide.com/us/The-Jester-LulzSec-antiSec-Anonymous-Hactivist,news-11998.html
  • 10 Hide
    alyoshka , September 10, 2011 12:23 PM
    cookoyboy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts


    Yup I absolutely agree, Hackers aren't so kiddish.
    Grow up man, become a hacker, don't publicize it, just do it like nike says.....

    I guess his 15 Seconds of fame are up eh...........
  • 7 Hide
    alyoshka , September 10, 2011 12:27 PM
    Or then, maybe, the actually walk on the wild side is scaring you.......eh Comodohacker........
    Need to rename or get a better ID, Commode Hacker suits you fine....
  • 6 Hide
    SoiledBottom , September 10, 2011 12:42 PM
    "freedom isnt worth this annoyance."

    AUTHOR: Thomas Jefferson (1743–1826)
    QUOTATION: The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. It is it’s natural manure.
  • 4 Hide
    schmich , September 10, 2011 12:53 PM
    een54Why dont fag hackers like this use their "skills" for something useful?So gay that theyre always trying to stir shi*The technology world could be an awesome place if we all worked towards the greater good, which is obv conveyer belt paths EVERYWHERE!

    I agree with you but to answer your question: money. You can get a TON of money by selling exploits on the black/criminal market.
  • 0 Hide
    alyoshka , September 10, 2011 2:04 PM
    The black/criminal market already has in it's employment a horde of geeks who do it for them.....
  • -2 Hide
    someguynamedmatt , September 10, 2011 2:05 PM
    Just another blowhard trying to get the press to look at him.
  • -2 Hide
    christop , September 10, 2011 2:14 PM
    Why not use your skills to get a killer job and make money or is it you have like 5 0days and a bank full of cash and don't care. I will guess this guy didn't get enough attention from his parents as a kid.
  • 10 Hide
    drapacioli , September 10, 2011 2:30 PM
    amk-aka-phantomI don't care about security updates or whatever scary things hackers or antivirus companies tell us. I have logic and I know how computers work; you can't just "infiltrate" or "hack into" a machine like they scare you. Unless I download and run a harmful executable, there will be no harm done to my computer. Proven by 3 years of malware/antivirus-free experience. Best antivirus is common sense; if you don't have it, nothing will help (unless you wanna slow down your PC to a moronic extent, lol, like having UAC asking you about literally EVERY action or something).


    So then I guess you don't use the internet right? Because every time another program (Not limited to just web browsers) accesses the internet, it has some authority to run and download other files. Not all viruses are .exe files, and many types of malware can infiltrate your computer simply by visiting a webpage. Every time you "view" a web page, your web browser is downloading files to your hard drive. Whenever Windows, Adobe, your web browser, Java, or games download updates, there is a potential to be hacked. Programs are not written perfectly, people can use exploits to distribute viruses and obtain personal information without you knowing about it. Every time you install security updates you have to give administrative permission to do so, but not installing the updates makes it even easier to be hacked, so you can't ignore them Whenever a file not originating from the PC is written to the hard drive (even from CDs and flash drives, or memory cards), there is a potential for malware, spyware, or viruses. In fact, through exploits using flash drives and other physical media, it is possible to become infected without ever being connected to the internet at all. Because people are constantly finding loopholes through programs like web browsers, Flash, and product updates (Even "safe" products), common sense alone will not prevent viruses. In fact, common sense says install an anti-virus, something you aren't doing, correct? If you really need to squeeze every bit of performance out of your computer, either upgrade it or find a minimal antivirus program. There are plenty out there that do not hog resources, not ever antivirus acts like Norton.
  • -7 Hide
    amk-aka-Phantom , September 10, 2011 2:57 PM
    Quote:
    So then I guess you don't use the internet right? Because every time another program (Not limited to just web browsers) accesses the internet, it has some authority to run and download other files. Not all viruses are .exe files, and many types of malware can infiltrate your computer simply by visiting a webpage. Every time you "view" a web page, your web browser is downloading files to your hard drive. Whenever Windows, Adobe, your web browser, Java, or games download updates, there is a potential to be hacked. Programs are not written perfectly, people can use exploits to distribute viruses and obtain personal information without you knowing about it. Every time you install security updates you have to give administrative permission to do so, but not installing the updates makes it even easier to be hacked, so you can't ignore them Whenever a file not originating from the PC is written to the hard drive (even from CDs and flash drives, or memory cards), there is a potential for malware, spyware, or viruses. In fact, through exploits using flash drives and other physical media, it is possible to become infected without ever being connected to the internet at all. Because people are constantly finding loopholes through programs like web browsers, Flash, and product updates (Even "safe" products), common sense alone will not prevent viruses. In fact, common sense says install an anti-virus, something you aren't doing, correct? If you really need to squeeze every bit of performance out of your computer, either upgrade it or find a minimal antivirus program. There are plenty out there that do not hog resources, not ever antivirus acts like Norton.


    My programs don't connect to the Internet. (Clarification for slowpokes: they're prevented from connecting/updating by their settings and the firewall.) I don't need to squeeze every bit of performance out of my computer... at least the main one. Thing is, if I ever install an antivirus, it NEVER finds anything. That's enough for me to consider my method a success. And as I said, I never update anything unless I NEED it, in which case I download an update manually.

    USB drives: switch off Autorun; done. You have to know what kind of files you're copying; I don't know what kind of USB devices YOU are dealing with, but the worst thing I've ever seen on a USB was an autorun virus (a few different ones), and if Autorun is off, you can delete them manually. Again, if there's something evil on the USB device, it'll be an executable. Don't run executables that you don't trust.

    Viruses are a bogeyman to make people who don't know enough about their computers give the antivirus companies their money. I agree that there're loopholes, however, it's very easy to close them. I've heard too much BS about scary viruses that allegedly infect every Windows machine once it's connected to the net; I'm tired of hearing it all over.

    Every piece of software that doesn't improve the way I work with my computers is useless for me. Antiviruses are exactly that.
  • 4 Hide
    dread_cthulhu , September 10, 2011 2:58 PM
    SoiledBottom"freedom isnt worth this annoyance."AUTHOR: Thomas Jefferson (1743–1826)QUOTATION: The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. It is it’s natural manure.


    YES! Thank you, Soiled! Mr. Jefferson, I salute you!
  • -2 Hide
    Anonymous , September 10, 2011 3:02 PM
    I know it can be done, examples of this are the games cracked servers,even without user intervention,i have disabled automatic updates and guess what,Tuesday update do install by himself.
  • 5 Hide
    Anonymous , September 10, 2011 3:17 PM
    amk-aka-phantomI don't care about security updates or whatever scary things hackers or antivirus companies tell us. I have logic and I know how computers work; you can't just "infiltrate" or "hack into" a machine like they scare you. Unless I download and run a harmful executable, there will be no harm done to my computer. Proven by 3 years of malware/antivirus-free experience. Best antivirus is common sense; if you don't have it, nothing will help (unless you wanna slow down your PC to a moronic extent, lol, like having UAC asking you about literally EVERY action or something).


    So for 3 years you have run without antivirus, What a big clever boy you are, and you are virus free and un-hackable you say! So if you have now anti-virus software, how do you know you are not infected, run through the millions of lines of code yourself?

    Its idiotic statements like this that create mis-conceptions as to what common sense is! For goodness sake man install a free antivirus suite now and scan your machine, then update it! THAT is common sense!
Display more comments