WSUS Vulnerable to Man-in-the-Middle Attack

Many small businesses and organizations use Microsoft's WSUS (Windows Server Update Services) to deliver updates to PCs throughout the organization. This service was introduced in 2005 as an improvement upon the older SUS (Software Update Service) product, which debuted 2002. Corporate IT can run its own server to distribute Microsoft updates inside the network, and can use Group Policy to point all the organizational PCs to download updates from there instead of directly from Microsoft. This allows IT to determine which updates are installed and when, allowing for testing and validation prior to patch deployment. While WSUS does not make for a complete organizational patch management solution, it meets many organizations' biggest needs at an attractive price (free).

Like anything else in a corporate network, however, WSUS can become a liability if not configured securely. In fact, given that it is trusted to distribute software for installation throughout the network, an insecure WSUS service can lead to a massive security failure. In a presentation at Black Hat in Las Vegas, Paul Stone and Alex Chapman of Context Information Security in the UK showed how an attacker could cause a WSUS server to distribute a malicious file.

This attack is made for more difficult if the WSUS server is set up to use SSL in fetching update information. This is not the default, but is not a very difficult feature to set up. Organizations using WSUS are urged to configure SSL in their WSUS deployments if they are not already using it. Microsoft provides detailed instructions for doing so here: https://technet.microsoft.com/library/hh852346.aspxf=255&MSPPError=-2147217396#bkmk_3_5_ConfigSSL

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief: 22-28 February

Image
Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser
Read more