Comodohacker is the handle that somebody claiming to have recently forged SSL certificates goes by. He claims to be, and most believe him to be, a 21-year-old Iranian student. Most also believe him to be a braggart and a bit of a dolt. He brags about carrying out activities that would be typical for a new Computer Science student. And now… he claims to have the barrel of a new Windows gun trained at everybody’s head. Comodohacker claims to be able to push fake Windows updates. The imagery this evokes is of some guy in his Iranian mother’s basement, ready to unleash digital Armageddon at the push of a big red Staples button.
So why aren’t we in the security industry quaking in our boots?
Because it’s an empty threat. CH can “reverse ENTIRE windows update protocol” until the cows come home; it’s just not happening. Here are a few points to keep in mind.
First, Microsoft says that Windows updates are signed by a Microsoft root certificate. It’s not clear whether CH actually fully understands the validation mechanism that he exploited with his recent forgery of tickets, but until he compromises Microsoft’s own root certificate by stealing the secret key, Windows machines will simply not accept his updates as valid.
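The difference between "signed by some CA this machine trusts" and "signed under a Microsoft root" can be checked on any signed file. The PowerShell below is an added example, not part of the original post and not Microsoft's own update validation code; the function name is hypothetical and the root-name pattern is an assumption.

```powershell
# Added example (not from the original post). Function name is hypothetical.
function Test-MicrosoftRootedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional root thumbprints you verified out of band; none are supplied here.
        [string[]] $PinnedRootThumbprint = @()
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned, modified after signing, or chained to a root this machine does not trust.
        return [pscustomobject]@{ Path = $Path; Accept = $false; Reason = "Status: $($sig.Status)" }
    }

    # Rebuild the chain only to inspect its root; trust was already decided above,
    # so revocation lookups are skipped and Build()'s result is not used.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void] $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Assumption: Microsoft code-signing roots are self-signed and named
    # "Microsoft Root Certificate Authority", optionally followed by a year.
    $selfSigned = $root.Subject -eq $root.Issuer
    $nameOk     = $root.Subject -match '^CN=Microsoft Root Certificate Authority( \d{4})?,'
    $pinOk      = ($PinnedRootThumbprint.Count -eq 0) -or ($PinnedRootThumbprint -contains $root.Thumbprint)

    $accept = $selfSigned -and $nameOk -and $pinOk
    [pscustomobject]@{
        Path   = $Path
        Accept = $accept
        Reason = if ($accept) { "Chains to $($root.Subject)" } else { "Valid signature, but root is $($root.Subject)" }
    }
}

# Usage: pass the path of a downloaded update package or signed binary.
# Test-MicrosoftRootedSignature -Path 'C:\path\to\update-package.exe'   # placeholder path
```

A file with a valid signature from a publisher that chains to a public CA comes back with Accept set to false, which is the case a forged certificate from a third-party CA would fall into.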
Second, updates don’t get “pushed” to clients. Microsoft doesn’t have a big list of the IP addresses of all of the systems in Cyberspace running their OS. No, Windows PCs “phone home,” requesting their updates from a Microsoft server. So, is it possible for CH to insert himself as a man-in-the-middle attacker when you update? In theory, yes. But this is a targeted attack, not a global one. Usually DNS MITM attacks are fairly limited in scope, both in time and in the number of systems affected. Plus, I seriously doubt CH’s ability to pull it off.
Finally, imagine what Comodohacker’s purported update description might look like. Here’s a possibility:
This update of microSoft is good for your computer! It contains many useful goodnesses that took me very quickly to write. There are no malwares in this update. Please update quickly – very important!
“Some people have a way with words… some people not have way”
-Steve Martin




