
Windows 7 Update appears to be compromised? - cyann
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e
======
jimrandomh
This links to a Microsoft support thread in which several users are reporting
a suspicious update distributed through Windows Update. In lieu of a title and
description, the update has 108-character and 24-character base52-encoded
random numbers. In lieu of "more information" and "help and support" links, it
has similarly random base52-encoded domains, which currently do not resolve,
in .gov, .edu and .mil. Searching for the patch title turns up a bunch of
people asking about the same suspicious patch on other sites, all within the
past day. The update is attracting attention because it fails to install.

[http://security.stackexchange.com/questions/101520/weird-win...](http://security.stackexchange.com/questions/101520/weird-windows-update)
[https://www.reddit.com/r/techsupport/comments/3mykv1/weird_w...](https://www.reddit.com/r/techsupport/comments/3mykv1/weird_windows_update/)

This does strongly suggest a compromise of the Windows Update servers or of
some bit of infrastructure that connects people to them, but also suggests
that whoever the attackers are, they made a mistake - a successful compromise
executed correctly would not leave so much evidence around. It's quite
possible that they've been compromised for a while, and this is a buggy update
to the existing malware.

~~~
dpark
"Base52-encoded random numbers" is a rather obtuse way to describe random
letters.

~~~
dragontamer
Base52 means capital letters and lower case letters. Base62 includes numbers
(0 through 9).

We programmers like being specific. Sometimes these sorts of details matter.

~~~
dpark
This detail doesn't matter and is needlessly confusing. "Random upper and
lowercase letters" is exactly as specific and accurate as "base52-encoded
random numbers", but the former is more understandable while the latter is
trying way too hard to sound smart.

~~~
kbar13
look, this is hacker news. the author knows his audience. most people who read
this will know what base52 is or will at least recognize what it might be and
be able to look it up. i dont think it's meant to sound "smart", it's an
accurate and concise description of the randomness

~~~
bitJericho
It wasn't smart since I literally thought he was saying there was encoded
data.

------
eloy
Confirmed that it was a test update: [http://www.zdnet.com/article/microsoft-accidentally-issued-a...](http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/)

~~~
gauravphoenix
I find it interesting that MS would use following URLs even though it was a
test update
[https://hckSLpGtvi.PguhWDz.fuVOl.gov](https://hckSLpGtvi.PguhWDz.fuVOl.gov)
[https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu](https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu)

~~~
alexforster
Both are well-known TLDs that can't be acquired without verification by the US
government. Presumably the assumption is that these URLs can be guaranteed to
never exist.

~~~
throwaway7767
Then they should be using example.com (or .org, .net , .edu), which are
actually reserved by the standard and guaranteed to never exist.

EDIT: Or, perhaps even better, the .invalid TLD which is also guaranteed to
never exist.

~~~
pbhjpbhj
Wow, MS didn't follow an established standard ... /s.

------
jordigh
Don't panic, it was just a boo-boo:

[http://www.zdnet.com/article/microsoft-accidentally-issued-a...](http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/)

------
cwyers
If someone has managed to compromise Windows Update (which I doubt seriously
based on what's presented here), why on Earth would they not bother to come up
with text more convincing than the garbage on display here?

~~~
markbnj
Yeah I'd say it's more likely someone or something in the update toolchain
screwed up.

~~~
chengiz
The other option is a deliberate "ethical" hack.

~~~
cwyers
Wouldn't that also call for putting in text that at least makes it clear it's
an ethical hack? The only explanation for that garbage is either lorem ipsum
filler text (something never meant to get out) or the theory buffoon had about
it being a hash collision.

------
JohnTHaller
There is a chance that the machines affected were already compromised by
malware which altered the way Windows Update was working.

~~~
angelbob
Several of the forum comments mention fresh installs. So possible, but fairly
unlikely.

~~~
JohnTHaller
Fresh installs from what media though? "Pre-activated" Windows ISOs are freely
available on any torrent search site with who-knows-what added.

~~~
doubt_me
That is a main issue with people who don't know how to look for the right
ones. But I get my images by matching the MSDN MD5 hashes (I am not on 10 yet;
even though Digital River is gone, the MSDN images are still out there).

/this forum is a god send

[http://forums.mydigitallife.info/index.php](http://forums.mydigitallife.info/index.php)

------
jimrandomh
Does anyone have a copy of the 4.3MB file that this refers to? If so, please:
(1) submit it to VirusTotal, and (2) post it here.

------
imperialdrive
I've been deploying Microsoft based computer networks for 18 years... this
would nearly top my nightmare list! I can't imagine what the alert level is at
MS offices right now, but I bet they are expending every effort to get to the
bottom of this ASAP :/

~~~
buffoon
Appeared on WSUS as well...

NEVER turn on auto updates on windows. Read all the KBs, then choose to
install, ALWAYS. If you have a corp network, use WSUS and stop all updates and
check them. If the KB is content-free like the new ones, no install. I avoided
the whole CEIP bag of shit and Windows 10 upgrade notification hell thanks to
that.

~~~
moron4hire
Always turn on auto-updates. The likelihood of you missing or delaying an
update and getting hit by a known exploit is a lot higher than that of an
exploit getting through the update system or enabling a new exploit.

~~~
buffoon
No no no no no. I've watched entire networks of machines downed with auto-
updates. Always read, always test.

~~~
moron4hire
It might make sense to pay a guy to make this his job for hundreds of
computers on a corporate network, but there is no way in hell I'm keeping that
close of track of updates on my home computer.

And when was this, over a decade ago? Also, what evidence did you have it was
the auto-update system that caused the outage? Past performance is not a
predictor of future performance.

Seriously folks, turn on auto-updates.

~~~
throwawayaway
auto-updates have goosed more windows systems on me than malware. I'm not even
a sysadmin.

there's been a few comments in the wild saying windows 10 can install without
your permission. it may even be true, a bug.

so yeah I 'seriously' disagree with you.

[https://www.google.de/search?q=crash+tuesday+broken+windows+...](https://www.google.de/search?q=crash+tuesday+broken+windows+update)

scroll back through the years.

~~~
moron4hire
Eye-witness accounts are the least reliable source of evidence.

~~~
throwawayaway
[https://www.google.de/webhp?hl=de#hl=de&q=%22microsoft+updat...](https://www.google.de/webhp?hl=de#hl=de&q=%22microsoft+update+withdrawn%22)

how about confessions?

------
ArtDev
[http://arstechnica.com/security/2015/09/nerves-rattled-by-hi...](http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/)

------
comex
Just to state the obvious, .gov, .edu, and .mil are all restricted TLDs run by
the US. What kind of attacker uses domain names in their attack that they
can't register?

Unless, of course...

But that would be a wee bit obvious.

~~~
xamolxix
> Unless, of course...

Unless the servers are compromised and used as C&C?

------
hodwik
This is probably just a test update that went out by mistake.

If MSFT is anything like where I work, that "payload" is a picture of a cat.

~~~
Zirro
Microsoft _should_ not be anything like where you work. I'm not a Windows
user, but if I were I would hope and expect that the update mechanism for one
of the world's most used pieces of software was closely guarded by several
layers of computer-based signing and human approval.

~~~
odonnellryan
There are certainly test environments that these updates are pushed to much
more freely than the production environment. Mistakes happen.

~~~
Zirro
I certainly understand what you are saying, but I must repeat the essence of
my previous post. For something so critical, there should simply be too many
safeguards for any test to make it through all the way to end users.

If a test update really did make it through, it would warrant significant
questioning of the procedures at Microsoft. If a test could get through
without being discovered, then so might malicious code.

~~~
dpark
It was a test update and there will undoubtedly be a review of this.
[http://www.zdnet.com/article/microsoft-accidentally-issued-a...](http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/)

The fact that a test patch got to this stage doesn't mean the safeguards
aren't in place or that malicious code could have slipped through, though.
Assuming even basic competence, this test update could not have been signed,
and if someone had managed to push malicious code, the same would be true, so
it wouldn't have been installed onto target machines.

------
arca_vorago
Looks more like an internal flub:
"//rr1winwusfs04/c/msdownload/update/software/defu/2015/09/testexe_896e3a62-8954-447b-5a562bd65cc6_d5e430cb05ee8a627ee6d811da8d7c4ccea57f4b.exe"

That being said, that something like this could happen should raise lots of
questions about the amount of oversight on updates hitting windows, and the
general security of such systems. I'll wait for an official response or a
reverse engineer before I decide what's going on here.

------
MichaelGG
I'd be surprised if an attacker would waste a compromise with something
obvious. Perhaps it's some testing thing that wasn't supposed to go out.

~~~
poizan42
Or maybe it has been exploited for a long time without anyone noticing it, and
now the attackers screwed up?

~~~
politician
Or a recent update to the infrastructure introduced a breaking change in a
previously working malware package.

------
Animats
Where's Microsoft on this? This is on two news outlets as well as HN.
Microsoft PR needs to issue a statement in the next hour or two, even one that
just says they're investigating the issue, or it will be on the evening TV
news.

~~~
rtkwe
[http://arstechnica.com/security/2015/09/nerves-rattled-by-hi...](http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/)

It's already done. About 5 hours after the post was first opened on the forum.
There's also an article on ZDNet.

[http://www.zdnet.com/article/microsoft-accidentally-issued-a...](http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/)

------
solidangle
Could it be a man in the middle that tries to install updates that aren't
signed by Microsoft? It reminds me of this:
[http://www.leviathansecurity.com/blog/the-case-of-the-modifi...](http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/)

------
blinkingled
Not seeing anything on my Win7Pro SP1 VM - last update was 4.3MB VC++ 2008
Security fix - MFC applications being vulnerable to DLL planting due to MFC
not specifying the full path to system/localization DLLs.

~~~
pyre
> 4.3MB

Interesting that the update in question is also 4.3MB?

~~~
blinkingled
Right, that's why I brought it up - it also relates to localization which may
or may not be related. But interesting none the less.

------
flyinghamster
I haven't seen any randomly-named updates on my system - but I had earlier
ripped out all the telemetry and Windows 10-related crap (KB2952664,
KB3021917, KB3035583, KB3068708, KB3075249, and KB3080149) and marked them
hidden. I've also set my update policy to notify-only.

Now the spy updates are not hidden, and marked as "Important." They're bound
and determined to force this crap down our throats. Bastards.

"Because f*ck you, that's why." The rallying cry of the corporate world.

~~~
listic
Could you please elaborate on how you did that?

~~~
flyinghamster
Note this is Windows 7.

I uninstalled each of those KBs manually from the "Installed Updates" screen,
then changed the update policy. I used to use "download and install manually"
but now I'd prefer only being notified, and THEN deciding whether or not I
want to download whatever is offered. I then re-ran the check for updates, and
hid the offending KBs.

That was earlier this month. After reading this article, I decided to have a
look and see if there was anything fishy in my update history (beyond the
listed KBs that I don't want). Nothing there, at least, but my hidden updates
were un-hidden (along with Silverlight and Skype, two more "do not want"
things that I always hide).

------
gizmodo59
Can anyone shed some light on this?

------
ComodoHacker
Too many "tests" this month, I'd say. Test cert, test update... Let's hope
something worse like "test nuclear strike" won't follow.

------
acqq
And the same company doesn't allow the users of the Windows 10 Home to review
the updates, instead, the Windows 10 Home updates always download and install.

------
LinuxBender
Could it be that older versions of windows (2k3 for example) might allow this
update to be installed? Has anyone tested this in a sandbox?

------
mtgx
Microsoft sending spyware again?

------
mjevans
I'm worried about friends, family, and small businesses that run Windows with
install updates set to automated mode...

Shouldn't Microsoft be signing updates so that redirection attacks don't work?

Edit:

Elaborating on my question; I mean much more like Linux distributions, which
sign both packages (updates) and the index of those files. Some distributions
use multiple hashes/digests to make collision attacks far less likely to
succeed.

Such an attack could be either the traffic at layer 3 redirected via router
compromise, via some name resolution weakness (possibly even to localhost as a
way of malware upgrading from being able to edit the hosts file to having
system level services).

The signing of both the update files and the list of updates could offer
protection from an attack that would thus need to be valid for all of the
signature checks, not just a single check.

~~~
steven777400
I'm pretty sure Microsoft does sign updates. Which means either this is a
glitch of some kind, or it is being refused/failing installation because it's not
signed ... Or, worst case, it means the update signing key has been
compromised.

~~~
zappo2938
What does 'sign' mean in this context? I hear it a lot and don't understand
the mechanism.

~~~
mavrc
It refers to the idea that most asymmetric cryptosystems (which, generally
speaking means that each user has a public key and a private key) allow for a
user to create a 'signature' using their private key, which can be verified
using their public key. See here:

[http://stackoverflow.com/questions/454048/what-is-the-differ...](http://stackoverflow.com/questions/454048/what-is-the-difference-between-encrypting-and-signing-in-asymmetric-encryption)
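The scheme mjevans sketches above (sign every update file *and* the index that lists them, with more than one digest per file) and the point dpark makes earlier in the thread (an unsigned test file is rejected by a client that checks signatures), shown as one working example. This is added here for the discussion and is not Microsoft's, Windows Update's or any distribution's code: the repository layout, the `Repo`/`Publish`/`Verify` names, the use of Ed25519, and the file names and contents are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Repo is a hypothetical update repository as a client would fetch it: a
// signed index (manifest) plus every update file with its own signature.
type Repo struct {
	Index    []byte            // manifest: one line per file with two digests
	IndexSig []byte            // signature over Index
	Files    map[string][]byte // file name -> contents
	FileSigs map[string][]byte // file name -> signature over contents
}

// digestLine records both a SHA-256 and a SHA-512 of a file, so a forged
// file would have to collide under both hashes at once.
func digestLine(name string, data []byte) string {
	a := sha256.Sum256(data)
	b := sha512.Sum512(data)
	return fmt.Sprintf("%s sha256=%s sha512=%s", name,
		hex.EncodeToString(a[:]), hex.EncodeToString(b[:]))
}

// Publish builds a repository signed with the vendor's private key.
func Publish(priv ed25519.PrivateKey, files map[string][]byte) *Repo {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic manifest
	r := &Repo{Files: map[string][]byte{}, FileSigs: map[string][]byte{}}
	var lines []string
	for _, n := range names {
		lines = append(lines, digestLine(n, files[n]))
		r.Files[n] = files[n]
		r.FileSigs[n] = ed25519.Sign(priv, files[n])
	}
	r.Index = []byte(strings.Join(lines, "\n") + "\n")
	r.IndexSig = ed25519.Sign(priv, r.Index)
	return r
}

// Verify is the client-side check against a pinned vendor public key: the
// index signature must verify, every listed file must match both digests
// and carry a valid signature, and nothing unlisted may be present. A
// redirected or hijacked mirror therefore cannot add, swap or alter files.
func Verify(pub ed25519.PublicKey, r *Repo) error {
	if !ed25519.Verify(pub, r.Index, r.IndexSig) {
		return fmt.Errorf("index signature invalid")
	}
	listed := map[string]bool{}
	for _, line := range strings.Split(string(r.Index), "\n") {
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return fmt.Errorf("malformed index line %q", line)
		}
		name := fields[0]
		listed[name] = true
		data, ok := r.Files[name]
		if !ok {
			return fmt.Errorf("%s: listed in index but missing", name)
		}
		if digestLine(name, data) != line {
			return fmt.Errorf("%s: digest mismatch", name)
		}
		// A missing or wrong-length signature simply fails to verify.
		if !ed25519.Verify(pub, data, r.FileSigs[name]) {
			return fmt.Errorf("%s: file signature invalid", name)
		}
	}
	for name := range r.Files {
		if !listed[name] {
			return fmt.Errorf("%s: present but not in signed index", name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample updates; names and contents are made up.
	repo := Publish(priv, map[string][]byte{
		"KB0000001.msu": []byte("constructed update payload 1"),
		"KB0000002.msu": []byte("constructed update payload 2"),
	})
	fmt.Println("clean repo:", Verify(pub, repo))

	// A hostile mirror slips in an extra executable that was never signed.
	repo.Files["testexe.exe"] = []byte("stand-in for an unsigned stray file")
	fmt.Println("unlisted file:", Verify(pub, repo))
	delete(repo.Files, "testexe.exe")

	// A listed file is modified in transit: digests and signature both fail.
	repo.Files["KB0000001.msu"] = bytes.Replace(repo.Files["KB0000001.msu"],
		[]byte("1"), []byte("X"), 1)
	fmt.Println("tampered file:", Verify(pub, repo))
}
```

The order of the checks matters: the index signature is verified first, so an attacker who can rewrite the index (the "list of updates" case in the question above) is stopped before any per-file work, and the final loop rejects files that are present but unlisted, which is exactly the shape of an unexpected extra update. The client only ever trusts the pinned public key, never anything fetched from the mirror.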

