Microsoft readies post-Flame Windows Update changes
- 13 June, 2012 18:30
Microsoft will start feeding users an update to the critical Windows Update service in the next few days, several security experts said today.
Windows Update (WU) provides security patches and other fixes to Windows PCs. The service is accessed directly by consumers, and through the Windows Server Update Services (WSUS) component by enterprises.
The update was triggered by the discovery that Flame, a sophisticated, nation state-grade cyber espionage tool, had subverted WU to infect additional PCs within an already-penetrated network. The team behind Flame, which shared code with the makers of the even-better-known Stuxnet worm that sabotaged Iran's nuclear program, pulled off that first-of-its-kind hack by stealing digital certificates from Microsoft.
A week ago, Microsoft announced it would issue an update to WU to prevent copy-cats from duplicating Flame's feat. At the time, it said it would begin serving that update before the end of the week.
Microsoft did, in fact, push the update to some users last week, although it limited the scope of that audience, said researchers.
"It's done and tested, and as we understand it, has been offered to some users," said Wolfgang Kandek, chief technology officer at Qualys, in an interview.
Jason Miller, manager of research and development at VMware, said that he had heard from users who had received the new Windows Update client, and like Kandek, said Microsoft would unthrottle the update -- in other words, begin pushing it to all, or at least more, users -- "in a few days."
Microsoft also heeded calls to wait until after yesterday's Patch Tuesday to refresh WU by pausing the update, limited though it was, until users' PCs began downloading fixes for the 26 flaws the company delivered this month.
Several researchers, including Kandek and Andrew Storms, director of security operations at nCircle Security, said they had emailed contacts at Microsoft urging the company to wait.
"They released the WSUS update Friday, and started the WU update, but not everyone got it," said Kandek. "Then they put a pause on WU."
Last week, Storms had hoped Microsoft would do the smart thing and delay the WU update until after Patch Tuesday, noting that doing otherwise might delay some businesses' deployment of the fixes.
"They'll want to test the Windows Update update," said Storms last Thursday. "Because if that breaks, everything breaks with it."
The WU update will force the service to acknowledge only certificates issued from a new certificate authority (CA) the company will create, and no longer accept other Microsoft-signed digital signatures, as it has since its inception.
Flame's makers exploited a flaw in Microsoft's Terminal Services licensing CA to generate the fake Microsoft digital signatures. They launched a super-advanced cryptographic "collision attack," where two different values produce the same cryptographic "hash," to gain the bogus certificates.
Some researchers have argued that the collision attack shows that the Flame team included world-class cryptographers, and would have required considerable computing horsepower to pull off.
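The two ideas above, hash collisions letting a signature transfer to different content and the new rule that only one dedicated CA is accepted, can be shown in a small model. This is an added illustration, not Microsoft's code: the 24-bit truncated SHA-256 stands in for a collision-prone hash, an HMAC stands in for a CA signature, and the issuer names, key and certificate bodies are constructed sample values.

```python
import hashlib
import hmac

def weak_digest(data: bytes) -> bytes:
    # Constructed stand-in for a collision-prone hash: SHA-256 cut to 24 bits.
    return hashlib.sha256(data).digest()[:3]

def strong_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def sign(key: bytes, body: bytes, digest) -> bytes:
    # Toy signature: a keyed MAC over the digest, standing in for a CA signing the hash.
    return hmac.new(key, digest(body), hashlib.sha256).digest()

def verify(key: bytes, body: bytes, sig: bytes, digest) -> bool:
    return hmac.compare_digest(sign(key, body, digest), sig)

def find_collision(prefix_a: bytes, prefix_b: bytes, digest):
    # Birthday search: extend both prefixes with a counter until a body from
    # family A and a body from family B share a digest.
    seen = {}
    n = 0
    while True:
        a = prefix_a + str(n).encode()
        seen[digest(a)] = a
        b = prefix_b + str(n).encode()
        if digest(b) in seen:
            return seen[digest(b)], b
        n += 1

def accepts(issuer: str, sig_ok: bool, pinned_issuer=None) -> bool:
    # Old policy (pinned_issuer=None): any valid signature under the vendor root.
    # New policy: the signature must also come from the one dedicated update CA.
    return sig_ok and (pinned_issuer is None or issuer == pinned_issuer)

def demo() -> dict:
    ca_key = b"constructed-licensing-ca-key"   # hypothetical key, sample value
    benign, rogue = find_collision(b"usage=licensing;serial=",
                                   b"usage=code-signing;serial=", weak_digest)
    weak_sig = sign(ca_key, benign, weak_digest)      # CA only ever signs `benign`
    strong_sig = sign(ca_key, benign, strong_digest)
    transfers = verify(ca_key, rogue, weak_sig, weak_digest)
    return {
        "bodies_differ": benign != rogue,
        "weak_sig_transfers": transfers,
        "strong_sig_transfers": verify(ca_key, rogue, strong_sig, strong_digest),
        "old_policy_accepts": accepts("licensing-ca", transfers),
        "new_policy_accepts": accepts("licensing-ca", transfers, "update-signing-ca"),
    }
```

Calling `demo()` shows the signature issued for the benign body validating on the colliding body under the weak hash only, and the pinned-issuer policy rejecting it even though the signature check passes.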
"The new WU will be more critical about the certificates that it uses to sign downloads, and be more picky about how it communicates with Microsoft," said Kandek. "It will make the download process more robust."
By the time next month's Patch Tuesday rolls around on July 10, all users will have had multiple opportunities to grab the WU update, Kandek added. Microsoft will probably make the switch to the new certificates at that time.
Because updates to WU don't rely on users having set the service to automatically receive and install all fixes, everyone who runs WU will receive the update. Windows Update updates are installed whenever the service is engaged, whether automatically, manually or in the in-between mode that only notifies users of impending updates.
Only PC owners who have disabled the service and never use it -- experts suspect that users running counterfeit copies of Windows avoid it because they fear being found out by Microsoft's sniffing for legitimate licenses when it deploys a new WU client -- will not be migrated to the new, more restrictive certificate model.
Computerworld has been monitoring numerous Windows PCs for evidence of the WU update but, like Storms and Kandek, who reported that their companies' machines have not seen changes, has not yet observed any modifications to the client.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.