Skip to main content

Hacker Claiming He Can Exploit Windows Update

There's a hacker out there somewhere claiming that he can issue fake updates to Windows-based desktops and laptops thanks to a set of stolen digital certificates. This means he has the potential to pump malware into Microsoft's Windows Update service and infect the entire Windows user base.

Calling himself "Comodohacker," the supposed 21-year-old Iran resident recently took credit for several attacks against certificate authorities (CA) – organizations and companies authorized to issue secure socket layer (SSL) certificates – including one against Comodo in March, and one just recently involving Dutch-based DigiNotar and 531 stolen certificates. It was this latest DigiNotar hack in which Comodohacker retrieved several certificates that could be used to impersonate Microsoft’s Update services.

"I'm able to issue Windows update[s]," Comodohacker claims in one of several posts over on Pastebin. "Microsoft's statement about Windows Update and that I can't issue such update is totally false!”

Sunday Microsoft said that there was absolutely no way the stolen digital certificates could be used to distribute malware via Windows Update.

"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC). "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."

Ness also added that in order for an attack to be successful, the hacker must have been issued a digital certificate for the server or domain to which the client is initiating a connection. The attacker must also be able to tamper with the conversation in progress while on the local network, must own or operate the network infrastructure between the victim client and the listening server, must control the DNS server used by the victim's ISP, or influence the victim's choice of DNS server via DHCP responses if a client gets DNS settings via DHCP.

But according to Comodohacker, he has already reversed the entire Windows update protocol.

"How it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?"

Tuesday Microsoft retaliated by blocking the now-revoked DigiNotar certificates in a Windows update – a hacker will need an entirely new certificate in order to imitate Windows Update. Meanwhile, Comodohacker says that more is to come.

"Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!" he said.

  • joytech22
    I am curious to see who's right here.. Microsoft of the Hacker.
    Only time will tell I guess.
    Reply
  • nonoitall
    Unless this fellow managed to acquire Microsoft's private update signing keys, I'd say he's just looking for attention. (Does Microsoft even distribute updates via SSL? It seems like it would be a massive waste of server CPU time when updates don't really contain sensitive information.)
    Reply
  • cookoy
    boy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts
    Reply
  • dioxholster
    trying so hard to work for FBI. why are they all such attention whores, you have skills, you took the time and effort to acquire them, why end up acting like a child? Whats the purpose of it? someones got stop this insanity, its the wild west here. gov should interfere, freedom isnt worth this annoyance.
    Reply
  • amk-aka-Phantom
    Cool story. That's why I have Windows Updates off - not needed. It's one more reason to like Win7 - it works out of the box. No updates needed. And if I'll ever, for some bizarre reason, need an update, I'll just download it manually.
    Reply
  • husker
    amk-aka-phantomCool story. That's why I have Windows Updates off - not needed. It's one more reason to like Win7 - it works out of the box. No updates needed. And if I'll ever, for some bizarre reason, need an update, I'll just download it manually.It seems to me like this hacker is saying these things to convince people that windows updates are a bad thing, and you are falling for it. He is employing an old tactic, in which the threat itself is empty, but the reaction he hopes to get from people is what counts. In this case those who believe the threat are made vulnerable to other more real attacks because they are not getting regular security updates.
    Reply
  • warmon6
    just be aware Comodohacker.... dont tick off the wrong people as Lulzsec and anonymous did.

    http://www.tomsguide.com/us/The-Jester-LulzSec-antiSec-Anonymous-Hactivist,news-11998.html
    Reply
  • alyoshka
    cookoyboy what a pompous self-conceited prick even his parents would steer clear of him coz he'll hack their bank accounts
    Yup I absolutely agree, Hackers aren't so kiddish.
    Grow up man, become a hacker, don't publicize it, just do it like nike says.....

    I guess his 15 Seconds of fame are up eh...........
    Reply
  • alyoshka
    Or then, maybe, the actually walk on the wild side is scaring you.......eh Comodohacker........
    Need to rename or get a better ID, Commode Hacker suits you fine....
    Reply
  • amk-aka-Phantom
    9308861 said:
    It seems to me like this hacker is saying these things to convince people that windows updates are a bad thing, and you are falling for it. He is employing an old tactic, in which the threat itself is empty, but the reaction he hopes to get from people is what counts. In this case those who believe the threat are made vulnerable to other more real attacks because they are not getting regular security updates.

    I don't care about security updates or whatever scary things hackers or antivirus companies tell us. I have logic and I know how computers work; you can't just "infiltrate" or "hack into" a machine like they scare you. Unless I download and run a harmful executable, there will be no harm done to my computer. Proven by 3 years of malware/antivirus-free experience. Best antivirus is common sense; if you don't have it, nothing will help (unless you wanna slow down your PC to a moronic extent, lol, like having UAC asking you about literally EVERY action or something).
    Reply