back to article Slippery Windows Updates' SOAP bubbles up SYSTEM priveleges

Microsoft has bungled Windows Server Update Services (WSUS), according to hackers Paul Stone and Alex Chapman, with insecure defaults that let them hijack OS updates. Attackers that have previously gained admin privilege on a target system can elevate themselves to system-level access by skipping the normal signed update …

  1. Anonymous Coward
    Anonymous Coward

    "WSUS installations are safe if system administrators follow Microsoft hardening guidelines including using SSL"

    So follow good practice, and you're OK. And if you haven't applied SSL and they can't break in to your network then you're still OK?

    Might have a quick look at config later just to be sure

  2. Anonymous Coward

    Am I misreading this?

    "Attackers that have previously gained admin privilege on a target system"

    So attackers that already have admin access can compromise the device?

    I've got to be missing something here surely?

    1. Bronek Kozicki Silver badge

      Re: Am I misreading this?

      Well, the assumption is that on Windows, Administrator has lower rights than LocalSystem (latter would be root equivalent, while the former is not). Of course, since Administrator has enough rights to install any software including services running under LocalSystem, that is nothing else but an interesting way to make the hack a little less obvious (because who would suspect Windows Update ?)

      1. Twilight Turtle

        Re: Am I misreading this?

        Theoretically, it would also allow you to move laterally in some environments where the deployment of Windows updates is managed by a centralised server. Get local admin on that server via, say, a compromised service account (people seem to love giving their service accounts local admin) and you could effectively weaponise updates deployed to other hosts.

    2. Anonymous Coward
      Anonymous Coward

      Re: Am I misreading this?

      "So attackers that already have admin access can compromise the device?"

      Windows has fine grained ACLs and constrained delegation, so that accounts like "administrator" can have only the rights they actually need.

      You can also lock down the administrator account and restrict it's system access rights if you want to. So even with admin rights on Windows sometimes elevating privileges is required to be able to hack something.

  3. Anonymous Coward
    Anonymous Coward

    SOAP bubbles up SYSTEM priveleges

    priveleges? privileges

    Anon - I'm not emailing your corrections from a work system

  4. Anonymous Coward
    Anonymous Coward

    Oh dear

    And by default Microsoft want you to get W10 updates via "torrenting" from other untrusted computers, this will not end well.

    1. Hellcat

      Re: Oh dear

      Downloading content from another machine is quite different to a hack which relies on already having admin rights over the target.

      You can't roll that comment out on EVERY article that has the words Windows and Updates in it you know!

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh dear

        It's perfectly relevant as Microsoft have a habit of recycling crufty old code and they have just opened up multiple P2P connections to untrusted computer which are on by default.

        As for admin rights, all you need to do is couple it with a privilege escalation bug exploit and oops.

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh dear

      QED, more woes with that sack of shit called windows update:

  5. Peter 26

    More interesting than the WSUS and ARP spoofing is the awareness of the fact you could easily make a usb device with an arduino to spoof being a certain piece of hardware. That gives you the ability to install 533 different kernel drivers from 3rd parties. There has to be an exploit in one of them. No doubt one of our government agencies will probably have such a device already.

    Just one more attack hole to add to the theory that if you have physical access, it's game over.

    1. Ken Hagan Gold badge

      In the past, El Reg has carried stories of hardware vendors who were caught creating USB devices that initially identified themselves as keyboards and then injected commands to install their payload whether the user agreed or not. Since the USB standards for such basic devices are implemented by a Microsoft driver, I'm not sure you even need to find an exploit.

      See and links therein.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019