Fake Windows updates possible – Comodohacker
In a message posted on PasteBin last week, the hacker who rose to fame after claiming responsibility for the attacks on Certificate Authority DigiNotar claims he can exploit the Windows Update service.
“I’m able to issue Windows update–Microsoft’s statement about Windows Update and that I can’t issue such update is totally false,” Comodohacker wrote in the PasteBin file. This was in reply to an earlier statement by Microsoft engineer John Hess, who wrote, “Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers. Also, Windows Update itself is not at risk, even to an attacker with a fraudulent certificate.”
Comodohacker continued his PasteBin tirade, saying, “I already reversed ENTIRE Windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and … Simply I can issue updates via Windows update! You see? I’m so smart, sharp, dangerous, powerful, etc. huh?”
If the hacker’s claims are true, he would be able to deliver malware to any system running the Windows Update service.
Read the full story at CNET.