Hacker Claiming He Can Exploit Windows Update
A hacker who stole SSL certificates from a Dutch-based certificate authority claims that he can distribute malware through Microsoft's Windows Update.
There's a hacker out there somewhere claiming that he can issue fake updates to Windows-based desktops and laptops thanks to a set of stolen digital certificates. This means he has the potential to pump malware into Microsoft's Windows Update service and infect the entire Windows user base.
Calling himself "Comodohacker," the supposed 21-year-old Iran resident recently took credit for several attacks against certificate authorities (CAs) – the organizations and companies authorized to issue Secure Sockets Layer (SSL) certificates – including one against Comodo in March and one just recently involving Dutch-based DigiNotar and 531 stolen certificates. It was this latest DigiNotar hack in which Comodohacker retrieved several certificates that could be used to impersonate Microsoft's Update services.
"I'm able to issue Windows update[s]," Comodohacker claims in one of several posts over on Pastebin. "Microsoft's statement about Windows Update and that I can't issue such update is totally false!"
On Sunday, Microsoft said that there was absolutely no way the stolen digital certificates could be used to distribute malware via Windows Update.
"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC). "The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued and secured by Microsoft."
Ness also added that for an attack to succeed, the hacker must have been issued a digital certificate for the server or domain to which the client is initiating a connection. The attacker must also be able to tamper with the conversation in progress while on the local network, must own or operate the network infrastructure between the victim client and the listening server, must control the DNS server used by the victim's ISP, or must influence the victim's choice of DNS server via DHCP responses if the client gets its DNS settings via DHCP.
But according to Comodohacker, he has already reverse-engineered the entire Windows Update protocol.
"How it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and... Simply I can issue updates via windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?"
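The separation Ness describes, shown as an added illustration rather than code from Microsoft or the article: a stolen SSL certificate lets an attacker control the manifest channel (URL, KB number, SHA-1), but the client installs a payload only if its signature checks out against the pinned Microsoft root, which the TLS certificate does not provide. The key names, the HMAC stand-in for Authenticode/WinVerifyTrust, and the sample manifests are all constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the Microsoft code-signing root: the client pins the
# verification key; an attacker holding a stolen TLS certificate never has it.
MICROSOFT_SIGNING_KEY = b"constructed-microsoft-root-key"
ATTACKER_KEY = b"constructed-attacker-key"


def sign(payload: bytes, key: bytes) -> str:
    """Toy Authenticode stand-in (HMAC-SHA256). Real binaries carry an RSA
    signature chained to the Microsoft root and checked via WinVerifyTrust."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(payload: bytes, kb: str, url: str) -> str:
    """Manifest the server hands the client over SSL: URL, KB number, SHA-1 of file."""
    return json.dumps({"kb": kb, "url": url, "sha1": hashlib.sha1(payload).hexdigest()})


def client_install(manifest_json: str, downloaded: bytes, signature: str) -> str:
    """Windows Update client logic as the article describes it."""
    manifest = json.loads(manifest_json)
    if hashlib.sha1(downloaded).hexdigest() != manifest["sha1"]:
        return "rejected: hash mismatch"
    # WinVerifyTrust stand-in: only a signature by the pinned Microsoft key is trusted.
    if not hmac.compare_digest(sign(downloaded, MICROSOFT_SIGNING_KEY), signature):
        return "rejected: not signed by Microsoft root"
    return "installed"


def scenario_genuine() -> str:
    update = b"constructed genuine KB000000 binary"
    manifest = build_manifest(update, "KB000000", "https://download.example/kb000000")
    return client_install(manifest, update, sign(update, MICROSOFT_SIGNING_KEY))


def scenario_stolen_tls_cert() -> str:
    # An attacker with a fraudulent Windows Update TLS certificate controls the
    # whole SSL conversation, so the manifest and its SHA-1 both match his file...
    malware = b"constructed attacker binary"
    manifest = build_manifest(malware, "KB000000", "https://attacker.example/kb000000")
    # ...but the payload signature can only be produced with a key he does not hold.
    return client_install(manifest, malware, sign(malware, ATTACKER_KEY))
```

The second scenario is the one Ness's statement addresses: the hash in the manifest matches, yet the install is refused at the signature check.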
On Tuesday, Microsoft retaliated by blocking the now-revoked DigiNotar certificates in a Windows update; a hacker would need an entirely new certificate in order to imitate Windows Update. Meanwhile, Comodohacker says that more is to come.
"Wait for me, you have so much more SHOCKINGS to see from me! From a person who came to this world just 21 years ago! JUST WAIT!" he said.
Sounds like a complete nob!
das_stig beat me to it - this guy sounds like an idiot lol
Sounds like a total jerk!
There are always going to be hackers out there, and it is Microsoft's job to make a fix for the hacked update.
Won't be caught either, being from Iran. Will probably have to do an Osama raid on him.