
I'm worried about friends, family, and small businesses that run Windows with install updates set to automated mode...

Shouldn't Microsoft be signing updates so that redirection attacks don't work?

Edit:

Elaborating on my question: I mean much more like Linux distributions, which sign both packages (updates) and the index of those files. Some distributions use multiple hashes/digests to make collision attacks far less likely to succeed.

Such an attack could be either traffic at layer 3 redirected via router compromise, or via some name resolution weakness (possibly even to localhost, as a way for malware to upgrade from being able to edit the hosts file to having system-level services).

The signing of both the update files and the list of updates could offer protection from an attack that would thus need to be valid for all of the signature checks, not just a single check.

What does this have to do with redirection attacks? And who says the updates aren't signed? I would be a bit surprised if they weren't.

Based on the info in the post, I'd guess that this is a test update of some sort and that it was pushed by mistake.

Disclosure: MSFT employee, but no knowledge of what this is about.


> Shouldn't Microsoft be signing updates so that redirection attacks don't work?

Microsoft sign updates and utilise HTTPS.

Given how few users are impacted by this suspect update, it may be the result of malware on their local machine. If malware has root then all bets are off, the signing requirement can be removed.


Why would malware bother to hijack the update system like this? It seems like a lot of work to trick the user into installing something that the malware could just install directly.


I concede this point. Seems like a whole lot of work for little to no pay off.


To convince people to disable automatic updates?


Yeah, I'm sure someone compromised Windows Update as a public service...


I'm pretty sure Microsoft does sign updates. Which means either this is a glitch of some kind, or it is being refused/failing installation because it's not signed ... Or, worst case, it means the update signing key has been compromised.


What does 'sign' mean in this context? I hear it a lot and don't understand the mechanism.


It refers to the idea that most asymmetric cryptosystems (which, generally speaking, means that each user has a public key and a private key) allow a user to create a 'signature' using their private key, which can be verified using their public key. See here:

http://stackoverflow.com/questions/454048/what-is-the-differ...


It means generating a signature of the binaries being installed, and having this signature be authenticated by Microsoft (using their signing key).

The signature is distributed alongside the binaries.

I'm not certain if the Windows Update system uses the same Authenticode system used for application binaries, but you can start reading here:

https://msdn.microsoft.com/en-us/library/ms537361%28v=vs.85%...


Think of it as a SHA-1 or an MD5 that is generated using a private key, and can be verified using the public key (and the content of the data that was signed).

It verifies that the signer had access to the private key, and that the data signed by the private key is the same data that you are verifying with the public key.

It's like the other checksums (SHA-1/MD5/etc) with the addition of identity verification (so long as you can trust that the private-public keypair used to sign it is only accessible to parties you trust).



It's a cryptographic mechanism. MS has a private key they apply to each Windows update to mathematically prove A) they're the ones who issued it and B) the content was not modified in transit.

(I am not experienced in cryptography. This explanation might be a little simplistic.)
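The scheme the original poster sketches (sign both the update files and the index that lists them) and the replies above explaining what a signature proves (who issued it, and that the content was not modified), as an added example that is not code from any comment here: a Go sketch of a signed manifest using Ed25519 and SHA-256. The names Manifest, BuildManifest and VerifyUpdate are assumed for illustration and are not Windows Update's actual mechanism; it uses a single digest where the poster mentions distributions using several.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each update file name to its hex SHA-256 digest; its encoding
// is what gets signed, so a mirror cannot alter a package or swap the index.
type Manifest map[string]string

// Encode serialises the manifest deterministically (sorted lines) so the
// publisher signs exactly the bytes the client later verifies.
func (m Manifest) Encode() []byte {
	var lines []string
	for name, d := range m {
		lines = append(lines, name+" "+d)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

func digest(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }

// BuildManifest is the publisher side: hash every package, then sign the index.
func BuildManifest(priv ed25519.PrivateKey, files map[string][]byte) (Manifest, []byte) {
	m := Manifest{}
	for name, data := range files {
		m[name] = digest(data)
	}
	return m, ed25519.Sign(priv, m.Encode())
}

// VerifyUpdate is the client side: the index signature must verify under the
// pinned public key (proves the issuer) and every downloaded file must be
// listed with a matching digest (proves it was not modified in transit).
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	for name, data := range files {
		if want, ok := m[name]; !ok || digest(data) != want {
			return fmt.Errorf("%s: not in signed manifest or digest mismatch", name)
		}
	}
	return nil
}
```

A redirected download that swaps a package fails the digest check, an edited index fails the signature check, and a signature made with any other key fails under the pinned public key.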


> it means the update signing key has been compromised.

It actually seems pretty likely that parties outside of Microsoft have access to their update signing key, given the Snowden revelations. Consider the Stuxnet distribution strategy -- what a boon it'd be to be able to deploy that sort of machine-specific payload via the built-in update kit.

