M$ Automatic Updates


lewmur

Remember the old saying, "There's never been a horse that can't be rode, and there's never been a man that can't be "throw'd?" Well, there has also never been a program that can't be hacked. And M$'s "automatic update" program has got to be the most attractive target ever. There must be thousands of hackers working like mad to find a way to penetrate it. And what happens when one of them finally succeeds? Total, unmitigated disaster!!! Even those of us smart enough not to have anything to do with it, will be "out of business." The whole Internet will crumble like a house of cards. Every computer using it could be infected with every known bit of malware ever made, almost instantaneously. The damage done by terrorists pales in comparison!!! I hope and pray I never have to say "I told you so!"


With all due respect, what are you trying to say or propose here ? Have you seen or heard anything that leads you to believe that hackers are actively working on WU to propagate 'malware' ? What would you suggest as the best solution or preventative measures to take to avoid problems in this area ?


That's doubtful. Microsoft's Windows Update Servers are run by a third-party, most likely as a part of a server farm. The IP address for the Windows Update servers would be round-robinned DNSed to multiple servers. If one were to be compromised, they'd just take it down.


With all due respect, what are you trying to say or propose here ? Have you seen or heard anything that leads you to believe that hackers are actively working on WU to propagate 'malware' ?
Common sense says that if you are a malicious hacker, the best way to spread malware would be to "hack" M$'s automatic software installation system. Currently, you have to make a stupid mistake to get infected. That would no longer be the case if this happens.
What would you suggest as the best solution or preventative measures to take to avoid problems in this area ?

You can avoid it on your own computer by not using it. But that would amount to hiding your head in the sand. With so many others using it, the "fallout" would bury you anyway. The only real solution is for M$ to *SHUT IT DOWN.*

nlinecomputers

Windows Updates are also signed with a key. To hack the server and replace code you'd also have to hack the signing key. All possible of course but very unlikely. And greatly unneeded anyway. Most end users are easy to fool and you can just hijack their own system, put up a phishing style message that asks them to update and presto you've got their computer. Many a virus and spyware payload is delivered this way. Crooks are lazy. Hacking MS would be very hard. Fooling Joe sixpack about computers is often very easy.


That's doubtful. Microsoft's Windows Update Servers are run by a third-party, most likely as a part of a server farm. The IP address for the Windows Update servers would be round-robinned DNSed to multiple servers. If one were to be compromised, they'd just take it down.

IMHO, "doubtful" doesn't cut it. As the saying goes, "Where there is a will, there's a way." And they don't need to hack the servers. Just the program that delivers the content. They could put the program on their own servers and spread their own "content" to millions of other servers that would then spread it further. Ad infinitum. Note that I'm *NOT* saying that this would be easy or even that the threat is imminent. What I *AM* saying is that it is almost inevitable.

That's called "phishing" as Nathan already pointed out. That would be the easiest to do. But, the hacker would have to duplicate the MS server application.


nlinecomputers

All irrelevant. All items on the Windows update site are SIGNED with Microsoft's key. You can't forge this stuff. And WU checks the keys before downloading them. If you delete Microsoft's keys in Internet Explorer you break WU. Hack the WU servers all you want you will not be able to push any virus/trojan code to users. ZERO. This is a non issue.

Edited by nlinecomputers

All irrelevant. All items on the Windows update site are SIGNED with Microsoft's key. You can't forge this stuff. And WU checks the keys before downloading them. If you delete Microsoft's keys in Internet Explorer you break WU. Hack the WU servers all you want you will not be able to push any virus/trojan code to users. ZERO. This is a non issue.

Sure!!! And as we all know, M$'s keys have *NEVER* been hacked!!! BS!!

If the govt asked for this kind of "big brother" control of everyone's computers, people would be screaming blue murder. Why is it OK for M$ to have this control?


nlinecomputers
Sure!!!  And as we all know, M$'s keys have *NEVER* been hacked!!!  BS!!

BS! There has never been a case of ANYONE'S keys being hacked and producing a new signed object. NEVER. It is mathematically impossible. Note that is far different than cracking a single message that is encrypted. We are talking recreating someone's key and passphrase out of thin air so that you can now create new objects and sign them with the key. Only way someone could do what you suggest is by taking physical control of the secret key that's locked in Bill Gates'(sic) vault.
If the govt asked for this kind of "big brother" control of everyone's computers, people would be screaming blue murder. Why is it OK for M$ to have this control?
It isn't. You do know that you can turn this off don't you? I don't run it on many of my computers or on any of my client's servers. I prefer to personally patch. Not because I'm afraid that I get some hacked code but because some MS patches break things. They are legitimately from MS but they might as well be a virus for all the good they do. :devil: Most end users are too stupid, lazy, ignorant, and or indifferent to bother. So IMO it is a good thing that most users have this set to on. (I didn't use to feel this way but 6 months of purging MSBlast off of Grandma's computers changed my POV on this.) Has MS ever been hacked, yes. Have they had their servers DDoS attacked. Yes. Can someone do a man in the middle attack and produce fake code that looks just like it came from MS. NO. It is mathematically impossible. Not improbable - IMPOSSIBLE. Learn Calculus and do the math.

BS! There has never been a case of ANYONE'S keys being hacked and producing a new signed object. NEVER. It is mathematically impossible. Note that is far different than cracking a single message that is encrypted. We are talking recreating someone's key and passphrase out of thin air so that you can now create new objects and sign them with the key. Only way someone could do what you suggest is by taking physical control of the secret key that's locked in Bill Gates'(sic) vault.
I would advise anyone who believes this to "google" "unbreakable encryption" and see what the cryptographers say about it.

nlinecomputers
I would advise anyone who believes this to "google" "unbreakable encryption" and see what the cryptographers say about it.
Do the same yourself. You are not getting my point. There is a HUGE difference in breaking the code so that you can read the message and faking a signature. Plenty of older crypto algorithms have been broken, DES for one. Despite that no one has been able to recreate the KEY from such attempts. Only extracting the plain text from them. In other words you can read the mail but you can't fake who sent it. In order to do what you propose you'd have to be able to recreate AND use the key. And that has NOT happened yet.

Do the same yourself. You are not getting my point. There is a HUGE difference in breaking the code so that you can read the message and faking a signature. Plenty of older crypto algorithms have been broken, DES for one. Despite that no one has been able to recreate the KEY from such attempts. Only extracting the plain text from them. In other words you can read the mail but you can't fake who sent it. In order to do what you propose you'd have to be able to recreate AND use the key. And that has NOT happened yet.

The fact that it has *yet* to be done doesn't mean that it can't be done.

I don't think it matters whether or not it can be done. Microsoft is a private company and has the right to offer any legal products and services. If their product becomes too risky, their competitors will be happy to sell you something better. Unless they are breaking a law, it's none of the government's business. I suspect that a law forbidding automatic updates would be overturned the first time it encountered a challenge in court.


nlinecomputers
The fact that it has *yet* to be done doesn't mean that it can't be done.

True. But considering you have to have a major breakthrough in mathematics to do this I'm not very worried about it. Somehow I'd think we'd hear about such a feat being demonstrated as a research paper as a proof of concept (Nobel Prize...) well before it was used in the field. It would ruin every digital signature in existence. It would make news. There are plenty of places you can sign up and donate your computer time to one of many grid projects devoted to cracking an algorithm. I don't know of any working on reverse building a key. Why? Cause nobody knows of any math you can apply to the subject to do that yet. Many argue that it cannot ever be done. As I said I am not worried about this.

MS does not use round robin DNS. They do use their native NLB (network load balancing) and clustering. WU consists of two parts. The server side and the client side. The clever hacker would have to compromise both components. Not likely. Both components are constantly changing so the hacker is very limited in his time frame to do damage. The only way for the hacker to hack the client side is to actually have physical control of the client. That is easy enough to do. The hacker would have to overwrite certain *.DLLs but that is not possible in XP as system files can't be overwritten by malicious unsigned code. So the hacker is not only going to be forced to gain access as well as forge the signed managed code. But that is still only 2/3 of the battle. Most companies (windows shops) are using WUS and that is going to be on a server locked up in a secure location. Again difficult for the hacker to access. Let's say the hacker gets lucky (and I mean really lucky as the company may have hundreds of servers scattered all over) and can con his way into the server closet and compromise the WUS server. He is still short the MS server side of the WU equation. He could jack the company but I'm sure intrusion detection software would recognise that action. Do you think for a moment that MS WU servers are unprotected sitting naked on the net? They sit behind multi firewalls locked down tighter than a gnat's ass stretched over a drum. I'm sure MS is going to be lax and leave servers unpatched and insecure... NOT!

If the govt asked for this kind of "big brother" control of everyone's computers, people would be screaming blue murder. Why is it OK for M$ to have this control?
They don't have control! It is an opt-in system. If the user wants to turn WU off he/she can and there is nothing MS can do about it. For total control there can be no options... You might want to adjust your tin foil head gear for better reception...

Edited by Marsden11

True. But considering you have to have a major breakthrough in mathematics to do this I'm not very worried about it. Somehow I'd think we'd hear about such a feat being demonstrated as a research paper as a proof of concept (Nobel Prize...) well before it was used in the field. It would ruin every digital signature in existence. It would make news. There are plenty of places you can sign up and donate your computer time to one of many grid projects devoted to cracking an algorithm. I don't know of any working on reverse building a key. Why? Cause nobody knows of any math you can apply to the subject to do that yet. Many argue that it cannot ever be done. As I said I am not worried about this.

You're entitled to your opinion. But, by your own analysis, the result would be disaster. It just seems to me that the risk far outweighs the benefit.

nlinecomputers
You're entitled to your opinion.  But, by your own analysis, the result would be disaster.  It just seems to me that the risk far outweighs the benefit.

Please don't put words in my mouth. I never said such a thing. Risk outweighs benefits? You worry much about asteroid impacts? I think you got better odds for that. You work a lot on Linux do you not? How do you trust the patches issued by them hmm? Oh anybody can send you a PGP signed email telling to update after they replaced Linus with a cylon duplicate, hacked the Red Hat servers and compromised the RPMs. Think what you want to think but I suggest you go find calculus for dummies and a good book or two on encryption. You've got a flat earth mentality about how it works and that is just based on a lot of ignorance. Stop reading Google and take a college refresher course or two. My last post on this subject.

It just seems to me that the risk far outweighs the benefit.
You are absolutely right. Any connection to the 'net, even thru UNIX systems is a risk, protect your business while you can and stay off the 'net completely. If you need any communication with a distant location only use Fed Ex. And disassemble all pcs, Windows based, Linux based and even DOS based, and shred their hard drives, they have been proven to be security risks to companies that use them. Erasing the hard drives is insufficient, the government has proven they can recover data erased repeatedly. Protect your company, its employees, and yourself, get off the 'net now, while you still can. If you reply to this it proves your concerns/fears are hypocritical. :hmm: B)

I've been following this thread, if only because I replied to it with another question. Lewmur has made a point (his concern), and Nathan, Marsden and Pete have answered it (their opinions)... IMHO, the point (or concern), however unfounded or fearful it may be, has been correctly debated by the other members that answered. Other opinions may yet follow. But hasn't this thread run its course ? What are we arguing about ? B) Am I being too abrupt in saying let's move on gentlemen ??? :hmm:


You are absolutely right. Any connection to the 'net, even thru UNIX systems is a risk, protect your business while you can and stay off the 'net completely. If you need any communication with a distant location only use Fed Ex. And disassemble all pcs, Windows based, Linux based and even DOS based, and shred their hard drives, they have been proven to be security risks to companies that use them. Erasing the hard drives is insufficient, the government has proven they can recover data erased repeatedly. Protect your company, its employees, and yourself, get off the 'net now, while you still can. If you reply to this it proves your concerns/fears are hypocritical. :P :)

Read my other post about "sacrificial" computers. And there is a big difference between my choosing to *TEST* any software installed on my computer and having a *company* *force* me to install changes and a hacker using that *forced* install scheme to spread malware.

I just saw this. I agree with Guitar Man. Point and concern taken. I am surprised no one said this so far. It can be hacked but I think the user will definitely know about it. I mean, how long does it take to break a 128-byte encryption. So add on to what MS has the key length for. (I don't know but I know it is longer than 128 bytes.) The hacker must intercept and break the key in seconds to take over so the end user doesn't notice the difference. (In my opinion, this is impossible.) The hacker can intercept the key and take hours or months to break it but they won't take over the end-user computer because the connection will be either lost or broken a long time ago. And the key the hackers just figured out is no good. I think it is possible but not in a reasonable amount of time to take over any end user's computer. If M$ realized that the hackers are catching up, they are going to take action on that. So that is back to what nlinecomputer said, IMPOSSIBLE. My opinion, worthless debate. I am not going to lose sleep over this. Even for my sister's computer who downloads a bunch of crap and gets malware and all that.


nlinecomputers

Deafbug, You misunderstand slightly. There is a difference between encrypting a message and digitally signing a message. And there is a world of difference in between merely reading a message and being able to create new messages that can fool the decode process. Example.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a fake message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1

iD8DBQFCM7v2VOHXcf2rREgRAtJyAJ9a/CdSxCqRmXG3oY7MRqxNLWopXgCgp1c0
2mSqNsm8RsSNNrBY5wIYYEs=
=d9t5
-----END PGP SIGNATURE-----

This message I created with PGP and then I altered one digit. The number 5 in the last line was a zero. If you run a check on this key it will fail. Because the data was altered. Without my key you'll never be able to create a new message that will pass the test. If you have my key the problem ISN'T the method of encryption but the physical security of my key. It is physically IMPOSSIBLE to recreate this key. It has NEVER been done and very likely never will. You might break an encrypted message and read the plain text. ONCE. But you'd never be able to use that knowledge to fake a new message. To take over the WU server and send out updates would require someone to do just that. They might hack the server and deface it but they'd never be able to send out a fake patch. Now they might be able to trick end users into removing the WU software and key and replacing it with a fake WU update and key from which they could send you patches via their servers but that would not be a compromise of the key. It would be a problem with the physical security on the end user's end. Encryption is often only as good as the physical security of the keys.
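
The check described in the post above, as an added example that is not part of the thread and is not Microsoft's or GnuPG's code: a client that pins one public key accepts an update only if its signature verifies, so an altered payload, an altered signature, or a package signed with any other key is rejected, while a client whose trusted key has been replaced accepts the other signer. Ed25519 from Go's standard library is substituted here for the PGP signature in the post; the names `Update`, `Client` and `Scenarios` and all payloads are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is a constructed stand-in for a signed update package.
type Update struct {
	Payload, Signature []byte
}

// Client models an update client that trusts exactly one pinned public key.
type Client struct{ Pinned ed25519.PublicKey }

// Accept reports whether the signature verifies under the pinned key.
func (c Client) Accept(u Update) bool {
	if len(c.Pinned) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key
	}
	return ed25519.Verify(c.Pinned, u.Payload, u.Signature)
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// flipBit returns a copy of b with the lowest bit of byte i inverted.
func flipBit(b []byte, i int) []byte {
	c := append([]byte(nil), b...)
	c[i] ^= 1
	return c
}

// Scenarios returns accept/reject for each case discussed in the thread.
func Scenarios() map[string]bool {
	vendorPub, vendorPriv := newKey() // hypothetical vendor signing key
	otherPub, otherPriv := newKey()   // any key that is not the vendor's
	client := Client{Pinned: vendorPub}

	payload := []byte("constructed sample update payload")
	genuine := Update{payload, ed25519.Sign(vendorPriv, payload)}
	swap := []byte("constructed replacement payload")
	resigned := Update{swap, ed25519.Sign(otherPriv, swap)}

	return map[string]bool{
		"genuine":             client.Accept(genuine),
		"payload altered":     client.Accept(Update{flipBit(payload, 0), genuine.Signature}),
		"signature altered":   client.Accept(Update{payload, flipBit(genuine.Signature, 63)}),
		"other key":           client.Accept(resigned),
		"trust store swapped": Client{Pinned: otherPub}.Accept(resigned),
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-20s accepted=%v\n", name, ok)
	}
}
```

The last case is the one the post singles out: nothing about the signature scheme failed, the client's trusted key did, which is why the integrity of the key store on the endpoint is worth monitoring.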
