Comments on: ISR-evilgrade – Inject Updates to Exploit Software

By: Morgan Storey

Morgan Storey — Mon, 01 Sep 2008 10:33:09 +0000

@Navin: Well yes windows updates is insecure, but have a look at Redhat, its key was compromised, and a few packages signed with it. A lot of Linux package managers (except apt I am pretty sure) have been shown to install an older (vulnerable) version of a package over an existing newer package, so the same dns redirect would work there, as long as the repo’s gpg key was trusted, but how many users would just click continue…

By: Navin

Navin — Mon, 01 Sep 2008 09:55:38 +0000

+1
c’mon its like a holy grail for a dark-hatter…the ability to infect millions of people at a go!! Windows Update seriously, as Morgan pointed out, shows how insecure Windows is compared to other OSes

By: d347hm4n

d347hm4n — Mon, 01 Sep 2008 07:42:43 +0000

Was wondering when a tool was going to come out to use this P.O.C.

By: Morgan Storey

Morgan Storey — Sun, 31 Aug 2008 00:01:11 +0000

well I decdied to check a bit how windows updates works, cause I was sure it is http.
I google, no mention of any internal signing process.
Next step a quick netstat. It is plain http traffic, as I originally thought. Makes me feel all safe and warm… sarcasm doesn’t present well on the internet, but yikes I am glad I have moved away from windows.

By: lyz

lyz — Sat, 30 Aug 2008 12:09:42 +0000

Windows update crack prolly just in the making.. lol

By: Morgan Storey

Morgan Storey — Fri, 29 Aug 2008 11:24:11 +0000

Thanks for the mention… Nah I am kidding. It is an awesome little proof of concept, I am wondering why they aren’t including windows updates. I am pretty sure from what I have seen it is only http (not https), so it could be broken as well in the same manner, anyone have a link to prove me wrong?