Re: [Full-disclosure] Recent claims that windows update is broken




For the record, no. Windows Update doesn't just depend on
WinVerifyTrust,
it also calls CertVerifyCertificateChainPolicy with
the CERT_CHAIN_POLICY_MICROSOFT_ROOT flag, documented here:

http://msdn.microsoft.com/en-us/library/aa377163(v=vs.85).aspx




By your logic there would be no exploits just because the documentation
writes so.


Nothing's stopping you from hooking CertVerifyCertificateChainPolicy and
seeing for yourself :) See also:

http://twitter.com/#!/thierryzoller/status/112240979079204864

@thierryzoller: @dakami that finally explains why i didnt succeed in mitm it
few years ago



I bothered to ask mainly for these reasons:

1. It is unclear to me what collection of private keys/certs Comodohacker
has


He's been hitting certificates that have public interfaces, because as we
know, most public interfaces are terrible.

I do not expect the Microsoft Root to have a public interface.


2. From thereg article:
Microsoft declined to comment.


Microsoft commented rather clearly here:

http://bit.ly/q0JpIT

Attackers are not able to leverage a fraudulent Windows Update certificate
to install malware via the Windows Update servers. The Windows Update client
will only install binary payloads signed by the actual Microsoft root CA
certificate, which is issued and secured by Microsoft. Also, Windows Update
itself is not at risk, even to an attacker with a fraudulent certificate.

Obviously the guy's got all sorts of illicit access. Just probably not
this.


--
georgi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: MS Windows Component Publisher wants to install something on my PC
    ... It sounds like the latest release of the Windows Update Agent was installed along with what is known as a Root Certificate. ... " A public key certificate, usually just called a certificate, is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. ... Yesterday at the Windows Update site, I was asked to install an update to the Windows Update software. ...
    (microsoft.public.windowsupdate)
  • Re: Cant Individualize WMP 10
    ... Windows Update site, WMP/DRM has to fail too because it's trying to use some ... See http://zachd.com/pss/pss.html for some helpful WMP info. ... This causes the scan process to fail. ... You mentioned my local certificate store might be out of date or out of ...
    (microsoft.public.windowsmedia.player)
  • Re: The update site is messed up again - (0x800C0008)
    ... verify that This certificate is OK appears under Certificate Status." ... > "George Hester" wrote in message ... I don't believe I have accessed the Windows Update site since ... > check the BIOS next. ...
    (microsoft.public.windowsupdate)
  • Re: The update site is messed up again - (0x800C0008)
    ... A day later I tried getting into windows update and noticed the 800C0008 issue. ... > "George Hester" wrote in message ... > I was given a certificate notice and asked if I wanted to install. ... >> The difference being they update OK with the expired certificate. ...
    (microsoft.public.windowsupdate)
  • Re: crypt32 - EventID 11
    ... Hi there - did you ever find the reason behind this error in the event log ... No - how do I find this logging for Windows Update? ... it seems to be a problem with the certificate. ...
    (microsoft.public.security)