Microsoft 'hardens' Windows Update from Flame penetration

Microsoft has "hardened" its Windows Update system after researchers discovered the Flame virus can infect PCs by offering itself as an update masquerading as official Microsoft software. The sophisticated worm has been hurtling through computers in the Middle East and beyond for up to two years before being unearthed by …

COMMENTS

This topic is closed for new posts.
  1. Peter 39

    but wait a minute ...

    I seem to recall that if there's an infected machine on your network, then you'll get your Windows updates from that, rather than directly from Microsoft.

    So, how does this plan from Redmond get the correct update to you? It seems that you'll be requiring some magic fingers-on-the-keyboard somehow.

    1. Gordon Fecyk

      WSUS clients wouldn't be affected automatically

      I seem to recall that if there's an infected machine on your network, then you'll get your Windows updates from that, rather than directly from Microsoft.

      The machines in my care don't contact WU directly, instead going through WSUS via a Group Policy setting. That GPO also says no one outside of IT can access WU directly.

      From there any WSUS updates get approved by hand. It would take a careless admin to let a piece of malware disguised as an update through their WSUS server. All of that is moot courtesy of the CRL update.

      A standalone user could apply WU updates directly on Vista and 7, distributed as MSU files, or on XP as self-installers. So an average user could fetch the new CRL by hand if they had to.
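      An added example (not Gordon's own script) that audits a client for the posture he describes: updates only via WSUS set by Group Policy, and ordinary users blocked from reaching Windows Update directly. The registry locations are the standard Windows Update policy keys; the expected WSUS URL is a placeholder you would replace with your own server.

```powershell
# Audit a Windows client for a WSUS-only update posture (added example).
# Assumption: $ExpectedWsus is a placeholder for your internal WSUS server URL.
$ExpectedWsus = 'https://wsus.example.internal:8531'

$machinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy      = Join-Path $machinePolicy 'AU'
$userPolicy    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-RegValue($Path, $Name) {
    # Return the value or $null when the key/value is absent (policy not applied).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. The machine must be pointed at the intranet WSUS server, not at Microsoft directly.
$wuServer    = Get-RegValue $machinePolicy 'WUServer'
$useWuServer = Get-RegValue $auPolicy 'UseWUServer'
if ($useWuServer -ne 1 -or -not $wuServer) {
    $findings += 'Client is not configured for an intranet update server (UseWUServer/WUServer).'
} elseif ($wuServer -ne $ExpectedWsus) {
    $findings += "WUServer points at '$wuServer', expected '$ExpectedWsus'."
}
# A plain-HTTP WSUS URL leaves update metadata open to substitution on the wire.
if ($wuServer -and $wuServer -notmatch '^https://') {
    $findings += "WSUS URL '$wuServer' is not HTTPS."
}

# 2. "Remove access to use all Windows Update features" should be set for non-IT users.
$disableAccess = Get-RegValue $userPolicy 'DisableWindowsUpdateAccess'
if ($disableAccess -ne 1) {
    $findings += 'Current user can still reach Windows Update directly (DisableWindowsUpdateAccess not set).'
}

# 3. Report.
if ($findings.Count -eq 0) {
    'OK: WSUS-only posture is in place for this machine and user.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

      Run it in the context of a non-IT user account to check the per-user restriction; the machine-level checks are the same regardless of who runs it.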

      1. Anonymous Coward
        IT Angle

        Sounds confusing ...

        WU, Group Policy, GPO, CRL update, MSU files, self-installers ..

  2. Colin Miller

    ...and the ability to perform a sophisticated MD5 hash collision.

    Doing a hash collision against a cryptographically secure one-way hash is sophisticated (or at least brute-force); it's just a pity that Microsoft still use MD5 sums when they have been known to be insecure since 2004.

    1. Crazy Operations Guy
      Windows

      Not for long

      The MD5 stuff was just a holdover from the Verisign certs used to sign code in Win 2000 / 2003 / XP, which had MD5 hashes. Since then Microsoft has become a fully accredited CA and now issues SHA-256 hashed certs for code signing.

  3. Justicesays
    Black Helicopters

    Trust Us!

    "Windows Update can only be spoofed with an unauthorised certificate combined with a man-in-the-middle attack."

    Or a top secret order of the president to MS execs/a blackmailed MS employee/a spy in Microsoft modifying the Windows Update servers to send the worm to targeted PCs, of course.

    Seems like the easiest way to get that worm on really.

  4. Anonymous Coward
    Trollface

    Another day...

    ...another gaping security chasm in Windoze.

    In other news... bears... shit... woods... pope... catholic... etc.

    1. Anonymous Coward

      Re: Another day...

      Another appalling Linux troll who doesn't know what he's talking about.

      1. Anonymous Coward

        Re: Another day...

        How does one go about obtaining an authorised certificate for Windows Update?

    2. Anonymous Coward

      Re: Another day...

      You forgot to mention the aye-holes that make these asinine comments like yourself.

  5. Anonymous Coward

    Well, it is quite simple: if I get "flamed" then I can sue Obama and co/take them to court for unauthorised access and modification to my computer, contrary to the Computer Misuse Act 1990. It is a two-way street: they can take Gary, we can take Obama.

    Surely MS can take the American Gov to court for infringing the T&C of MS Windows and masquerading as updates?

    1. Steve Mann

      But...

      You'll have to give your real name if you want to do that...

  6. Anonymous Coward

    And it looks like the US did a damn fine job at writing it if it took "security experts" so long to find this huge beast.

    Oh, and for all you Linux and Mac users... don't think someone hasn't looked at your stuff too. For all you know, your own systems could be infected right now due to the arrogant "my system is safe because it doesn't use Windows". It's already been VERY well proven how vulnerable those systems are to simple things that wouldn't touch Windoze.

    1. Anonymous Coward

      @Taylor 1 - Actually we do want people to look at Linux stuff

      Preventing people from looking at your code just to keep dreaming it is secure is what the real arrogance is.

    2. eulampios

      the true arrogance

      Not sure about Mac users, but most distros use the gpg (PGP) signature verification mechanism, the algorithm which dropped MD5 and SHA1 some time ago now. There is also a centralized installer and updater, aptitude (/yum/emerge/pkg/rpmi), and a few fixed repositories. No need to install from potentially insecure sources (contrary to the unfortunate Windoze users' lot).

      As far as the arrogant "my system is safe because it doesn't use Windows" is concerned, Windows users I have helped migrate to Linux so far turn out to have been poorly educated and need some time to get rid of the bad habits of the Windows mindset. I don't blame them, for I know the actual educator.

      The motto "my system is safe because I don't use Windows" reads as follows: "my system will not betray me because it is not Windows".

      1. phuzz Silver badge
        Linux

        Re: the true arrogance

        Out of interest, who controls the gpg signing mechanisms for apt/yum etc?

        1. eulampios

          Re: the true arrogance

          A lot of different developers. A web of trust. I'd say they are usually more competent than the CAs we get to learn about nowadays.

          1. Anonymous Coward

            Re: the true arrogance

            A lot of developers, a web of trust?

            Have you ever actually met any developers, especially FOSS developers? They don't seem to trust anyone; they argue and bitch. It's not uncommon for software to be released when it's known full well it will break other software: Pound proxy was uninstallable last time I tried, because one group of devs had removed critical functions from a library; Arduino was taken out for months when GCC devs made a change which broke it, then just argued with the Arduino guys.

            I wouldn't trust two rival teams of devs as far as I could throw them.

            1. eulampios

              Re: the true arrogance

              >>They don't seem to trust anyone, they argue and bitch

              "web of trust" is a technical term. See the Pretty Good Privacy or GNU Privacy Guard documentation for the trustdb concept.

              I wouldn't trust the competence of non-foss developers.

              Uninstallable? What do you mean? Perhaps that uninstalling the software will remove some libs used by some other apps. Aptitude is pretty flexible and sophisticated enough; I am sure it would let you partially uninstall it. Think about the Windows world, where most apps tend to bring many copies of identical or similar libraries. The apps' bookkeeping is not kept properly; there is no similar tool to checkinstall (or Debian's dpkg-buildpackage).

              With your Arduino complaints, can't you get the source and build it yourself with an older version of gcc and use (fakeroot) checkinstall to install it? Would any of these be possible if any of this needed proprietary software?

      2. Anonymous Coward

        Re: the true arrogance

        What about non-FOSS/repo hosted software?

        You do realise that there is lots of non-free, non-FOSS and non-repo hosted software run on Linux?

        If you want to believe that you're secure because you don't run Windows, go ahead; it's a dangerous mindset, but in your post history one sees the mindset of an OS zelot who has that mindset.

        PS: Calling Windows names is childish.

        1. eulampios
          Linux

          Re: the true arrogance

          >>What about non-FOSS/repo hosted software?

          So what about it? I try not to use it and usually don't have to. Say, I use flashplayer only to sniff the URL of a video, and since flashplayer is known for its holes, I enforced my Firefox AppArmor profile, plus use the NoScript and Flashblock plug-ins. Does IE have a no-script, flash-killer plug-in? Does Windows have a security module similar to AppArmor... oops, forgot, MS Windows still uses file extensions to learn a file's attributes. Recently, using someone's W7, I had a hard time making IE save a file without an extension.

          >>mindset of an OS zelot who has that mindset.

          My browser spell-checker says that you probably mean "zealot". My "zealotry" is based on the practical side of it, almost like in that famous episode when R. Stallman tried and failed to fix the printer. This very experience dictates that I stay away from non-free software as much as possible.

          >>If you want to believe that you're secure because you don't run Windows

          I said "I am MORE secure because I don't run Windows", like "I feel much safer when not playing Russian roulette."

  7. Anonymous Coward

    If Flame was really written by US agencies

    no matter if Microsoft actively helped the effort or just turned a blind eye to it, there will be at least a dozen governments who will be turned off from buying and deploying Microsoft software.

    1. Goat Jam

      Re: If Flame was really written by US agencies

      There is no security threat here and after I have given you this brown paper bag I'm sure you will agree that everything is AOK.

  8. Reg T.
    Facepalm

    MS certificates

    are rock solid. Red Hat and Fedora will be using the Microsoft secure boot keys for UEFI on Win 8 machines in the near future.

    Not to worry.

  9. Anonymous Coward

    MD5, WTF!

    Why are these cretins still using MD5?

    Low security stuff should have been migrated to SHA1 by now, and higher security stuff using at least SHA2!
