Windows Update Begins Installing Malware - electic
http://www.zdnet.com/article/windows-update-intercept-inject-malware/

======
Someone1234
I think the sub-title of the article sums up nicely why this is a non-issue:

> Researchers say Windows machines that fetch updates from an enterprise
> update server not configured to use encryption are vulnerable to an
> injection attack.

And:

> The researchers said if network administrators followed Microsoft's
> guidelines to use SSL by default on the update server, that alone will be
> enough to prevent the described attack.

Essentially if you use WSUS the way it is configured out of the box then
you're golden. You have to misconfigure your WSUS server on purpose, which
exposes you to a MITM attack.

Windows has this constant stream of these, where someone will reconfigure the
system into an insecure state, report how it is exploitable in that state, and
then tech "journalists" will write fear-mongering articles about how we're all
going to get hacked.

Three other examples just off the top of my head:

- "Steal plain text DOMAIN ADMIN passwords from memory!1!!": Requires local
machine admin and reconfiguring the system to enable wdigest for LSA (within
HKLM), and a restart, and then finally having the domain admin login. Only
then can you steal your plain text passwords.

- "Decrypt Windows passwords in 3 seconds!!!": Requires enabling legacy
hashes and you need complete physical access to the machine.

- "You can bypass Windows login by replacing this signed executable with this
other signed executable!!!": Requires unrestricted physical access to the
machine (inc. no full drive encryption).

Ultimately a lot of people think these are issues because they haven't given
it enough thought. If it violates the "The 10 Immutable Laws of Security" then
it isn't a security problem[0]. Since if you have unrestricted physical access
then you could theoretically re-write the entire OS to extract plain text
credentials (since inherently you'll have that information somewhere).

[0] https://technet.microsoft.com/en-us/magazine/2008.10.securitywatch.aspx
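
The check a practitioner would want after reading this, added here as an example and not taken from the ZDNet article or from the commenter: a PowerShell audit of whether a host has actually been put into the "reconfigured insecure state" the comment describes. It covers the article's own subject (a WSUS client pointed at an http:// rather than https:// update server) and the wdigest and legacy LM hash settings mentioned in the bullets. The registry paths and value names are Microsoft's documented ones; the function names and the output fields are this example's own choices, and the WDigest "absent means OS default" interpretation assumes Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example: not code from the ZDNet article or from the commenters.
# Audits a Windows host for the "reconfigured into an insecure state" settings
# discussed in the comment above: a WSUS server reached over plain http (the
# article's actual subject), WDigest plaintext credential caching, and LM hash
# storage. The registry paths and value names are the documented Microsoft
# ones; the function names and output fields are this example's own choices.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WDigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, [bool]$Secure, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Secure = $Secure; Detail = $Detail }
}

function Test-WsusTransport {
    # The attack in the article needs an on-path position between the client
    # and an http:// WSUS server, so the check is simply: is every configured
    # update server URL https? (WSUS listens on 8530 for http, 8531 for https.)
    if ((Get-RegValue -Path "$WuPolicy\AU" -Name 'UseWUServer') -ne 1) {
        return New-Finding 'WSUS' $true 'client is not pointed at a WSUS server'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = Get-RegValue -Path $WuPolicy -Name $name
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $uri = $null
        $parsed = [Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)
        if (-not $parsed -or $uri.Scheme -ne 'https') {
            return New-Finding 'WSUS' $false "$name = '$value' is not https; update responses can be tampered with on-path"
        }
    }
    return New-Finding 'WSUS' $true 'all update server URLs use https'
}

function Test-WDigestCaching {
    $v = Get-RegValue -Path $WDigest -Name 'UseLogonCredential'
    if ($v -eq 1) {
        return New-Finding 'WDigest' $false 'UseLogonCredential=1: LSASS keeps logon passwords in memory for WDigest'
    }
    if ($v -eq 0) {
        return New-Finding 'WDigest' $true 'UseLogonCredential=0'
    }
    # Absent: off by default on Windows 8.1 / Server 2012 R2 and later; older
    # hosts with KB2871997 need the explicit 0, so flag it for review.
    return New-Finding 'WDigest' $true 'UseLogonCredential not set (OS default; set 0 explicitly on pre-8.1 hosts)'
}

function Test-LmHashStorage {
    # NoLMHash=1 (the default since Vista) stops the weak LM hash being stored;
    # an absent value is treated as insecure here, conservatively.
    $v = Get-RegValue -Path $Lsa -Name 'NoLMHash'
    if ($v -eq 1) { return New-Finding 'LMHash' $true 'NoLMHash=1' }
    return New-Finding 'LMHash' $false 'NoLMHash missing or 0: LM hashes stored for passwords of 14 characters or fewer'
}

$results = @(Test-WsusTransport; Test-WDigestCaching; Test-LmHashStorage)
$results | Format-Table -AutoSize -Wrap
$insecure = @($results | Where-Object { -not $_.Secure })
if ($insecure.Count -gt 0) {
    Write-Warning "$($insecure.Count) insecure setting(s) found on $env:COMPUTERNAME"
}
```

Run it from an elevated PowerShell prompt; the WSUS and LSA policy keys are readable by standard users, but the point is to run it across a fleet (for example through a scheduled task or a configuration management run) and treat any `Secure = False` row as a finding, since each one means someone deliberately moved the host away from the default configuration that the comment argues is already sufficient.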

------
BetaCygni
Insecurely configured system is insecure, news at eleven.