Comodohacker Claims Windows Update Compromise

Tuesday, September 13, 2011



Following the breach of certificate authority (CA) Comodo last March, a rambling statement in broken English was posted on Pastebin, purportedly from a lone Iranian hacker who claimed responsibility for the attack.

The supposed lone-operator, who dubbed him or herself "Comodohacker", said in the statement that the attack was in retaliation for the release of the Stuxnet virus that damaged equipment at Iran's uranium enrichment facilities.

The validity of the Comodohacker statements was called into question, and it is quite possible that they were crafted in an attempt to cover up the involvement of the Iranian government. Comodo officials are convinced the attack was initiated and supported by the Iranian government.

Then, two weeks ago, a falsely issued Google SSL certificate from DigiNotar was discovered, and early reports indicated that the bogus certificates may have been part of a ploy by the Iranian government to perform Man-in-the-Middle (MitM) attacks and gather intelligence on Iranian opposition groups.

Digital certificates are used by internet browsers to recognize legitimate websites and protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.

According to a report in SoftPedia, Dutch CA DigiNotar may have issued hundreds of rogue digital certificates aside from the Google certificate discovered.

Now the Comodohacker is back, posting a statement on Pastebin claiming the ability to compromise the Windows update system, according to a report by Steve Ragan of The Tech Herald.

“I’m able to issue Windows updates—Microsoft’s statement about Windows Update and that I can’t issue such [an] update is totally false. Simply I can issue updates via Windows Update," Comodohacker posted on Pastebin.

“I already reversed ENTIRE Windows update protocol, how it reads XMLs via SSL, which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API,” the post stated.

Microsoft remains confident that the system is secure, even with the flood of bogus certificates in the wild.

“Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers. The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft,” Microsoft stated in a corporate blog.
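The two statements above describe a client that checks the SHA-1 listed in the TLS-delivered metadata and then checks the payload's signature against a trust root that is separate from the TLS certificate. The following Go program is an added illustration of that two-layer design, not code from Microsoft or from the Pastebin post; it uses ed25519 in place of Authenticode/WinVerifyTrust, and the keys, URL, KB number and payloads are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateEntry: one record of the XML metadata fetched over TLS (URL, KB number, SHA-1 of the payload).
type UpdateEntry struct{ URL, KB, SHA1 string }

// SignedPayload: a downloaded update plus its detached signature (Authenticode on Windows; ed25519 stands in here).
type SignedPayload struct{ Body, Sig []byte }
func hexSHA1(b []byte) string { s := sha1.Sum(b); return hex.EncodeToString(s[:]) }

// verifyUpdate performs the two checks the article describes: the metadata hash must
// match the download, and the download must verify under the pinned publisher key.
func verifyUpdate(e UpdateEntry, p SignedPayload, pinned ed25519.PublicKey) error {
	if hexSHA1(p.Body) != e.SHA1 {
		return errors.New("metadata hash does not match downloaded payload")
	}
	if !ed25519.Verify(pinned, p.Body, p.Sig) {
		return errors.New("payload signature does not verify under pinned publisher key")
	}
	return nil
}

// scenario runs a genuine and a tampered update through verifyUpdate. Keys are generated fresh; none are real.
func scenario() (genuineErr, tamperedErr error) {
	pinned, publisher, _ := ed25519.GenerateKey(rand.Reader) // stands in for Microsoft's signing root
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)          // held by a party with only a fraudulent TLS certificate
	body := []byte("constructed sample update binary")
	entry := UpdateEntry{URL: "https://example.invalid/update.msu", KB: "KB0000000", SHA1: hexSHA1(body)}
	genuineErr = verifyUpdate(entry, SignedPayload{body, ed25519.Sign(publisher, body)}, pinned)
	// A party holding a fraudulent TLS certificate can rewrite the XML to match a payload of its
	// choosing, so the hash check passes; the signature check fails because the pinned key is unchanged.
	evil := []byte("constructed substitute payload")
	forged := UpdateEntry{URL: entry.URL, KB: entry.KB, SHA1: hexSHA1(evil)}
	tamperedErr = verifyUpdate(forged, SignedPayload{evil, ed25519.Sign(rogue, evil)}, pinned)
	return
}

func main() {
	g, t := scenario()
	fmt.Println("genuine update:", g)  // <nil>
	fmt.Println("tampered update:", t) // payload signature does not verify under pinned publisher key
}
```

The point the program makes is that control of the transport channel alone lets an attacker alter the metadata, not produce a signature the pinned root accepts; the exposure would come from a compromised signing key or a client that skipped the second check.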

If the system were compromised, the potential impact to security for systems running Windows could be significant.

"Although Microsoft remains staunch in its belief that Windows Update cannot be circumvented 'even to an attacker with a fraudulent certificate', hundreds of millions of unwitting users could face a flood of malware if Comodohacker is able to make good on the claim," Ragan wrote.
