Can you be sure your security patches are genuine?
Published Fri, May 11 2007 8:58 AM
Technorati Tags: Computers and Internet, Annoyances
Microsoft provides security patches to users free of charge and has recommended that we all use "automatic updates". This wouldn't be so necessary if there weren't so many security holes in Microsoft's software.
Of course Microsoft isn't the only software company with buggy software. There are plenty of security flaws in Apple's software, despite the slick "I'm a PC -- And I'm a Mac" ads. Linux isn't exactly free of security flaws either.
Microsoft, though, has the largest installed base in the OS market, and so naturally it's the biggest target. So what can we do if the Microsoft conduit for security patches is compromised?
While there's no word on whether that's happened yet, it's bound to happen eventually. And now at least a first step looks to have been made. From InfoWorld:
Hackers are using Windows Updates' file transfer component to sneak malicious code downloads past firewalls, Symantec researchers said Thursday.
The Background Intelligent Transfer Service (BITS) is used by Microsoft's operating systems to deliver patches via Windows Update. BITS, which debuted in Windows XP and is baked into Windows Server 2003 and Windows Vista, is an asynchronous file transfer service with automatic throttling -- so downloads don't impact other network chores. It automatically resumes if the connection is broken.
"It's a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want," said Elia Florio, a researcher with Symantec's security response team, on the group's blog. "Unfortunately, this can also include malicious files."
Florio outlined why some Trojan makers have started to call on BITS to download add-on code to an already compromised computer. "For one simple reason: BITS is part of the operating system, so it's trusted and bypasses the local firewall while downloading files." ...
Although BITS powers the downloads delivered by Microsoft's Windows Update service, Friedrichs reassured users that there was no risk to the service itself. "There's no evidence to suspect that Windows Update can be compromised. If it has a weakness, someone would have found it by now."
I'm not reassured. I don't believe that software exists that can't be compromised. Remember that absence of evidence is not evidence of absence. One component of the Windows Update system has been compromised. New security flaws are found in Microsoft products all the time.
Is it just a matter of time before Windows Update becomes a new delivery tool for viruses?
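A defender-side check for the BITS abuse the Symantec researchers describe, added here as an example (it is not code from this post, Symantec or Microsoft): it enumerates every user's BITS jobs and flags any download whose source host is outside an allowlist. The allowlist patterns and the need for an elevated session are assumptions; adjust the patterns to your own update infrastructure.

```powershell
# Added example: list BITS jobs for all users and flag downloads from
# hosts that are not known Microsoft update sources.
# Assumes an elevated PowerShell session (-AllUsers requires admin rights).
Import-Module BitsTransfer

# Assumed allowlist of hosts Windows Update legitimately pulls from;
# tune this to match your WSUS or update infrastructure.
$TrustedHosts = @(
    '*.windowsupdate.com',
    '*.update.microsoft.com',
    '*.download.windowsupdate.com',
    'download.microsoft.com'
)

function Test-TrustedHost {
    param([string]$Url)
    # Unparseable URLs are treated as untrusted rather than silently skipped.
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($pattern in $TrustedHosts) {
        if ($hostName -like $pattern) { return $true }
    }
    return $false
}

# Walk every queued or active job, for every user, and every file in it.
$suspicious = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        if (-not (Test-TrustedHost $file.RemoteName)) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                RemoteUrl   = $file.RemoteName
                LocalPath   = $file.LocalName
                Created     = $job.CreationTime
            }
        }
    }
}

if ($suspicious) {
    Write-Warning "BITS jobs downloading from hosts outside the allowlist:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No BITS jobs pulling from untrusted hosts."
}
```

Jobs that have already completed no longer appear in Get-BitsTransfer; for those, the Microsoft-Windows-Bits-Client/Operational event log (event ID 59 records the URL a job started transferring from) is the place to look.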
Permalink URI for this post: http://perrinelson.com/2007/5/11/691.aspx
David responded with:
I've (mostly) avoided the Microsoft Update "service" for the overwhelming majority of Windows computers I service/maintain. I either do direct downloads of the patches and then roll out network deployments or use BigFix or Shavlik NetChk Protect to download and install patches. The good thing about the latter two is that, to differing degrees, they do a pretty sophisticated job of discerning what different machines need--better than the Me$$y$oft Update process--and even install patches for third-party software. The Shavlik product (now in version 5.9.X I believe) is by far the more comprehensive, effective and powerful (the scheduling aspects alone are worthwhile, IMO) of the two, but BigFix is still a freebie and is quite capable of being used to maintain a safe, secure Windows computer.
Contemporary Linux boxes benefit from both the "many eyes" bugfix feature of open source software and from some really slick notification and update procedures. I like.
This computer is pretty darned safe. It's running Puppy Linux, which really won't allow infection of the Windows XP Pro installation on the hard drive, as the whole darned OS is running in RAMDisk--although I can save all the changes I make to a PUP file that is inaccessible and inoperable when the computer's rebooted in WinXP (rare). The firewall's pretty slick; Opera throws away everything (except for bookmarks and saved passwords) when I close it; I've installed AVG antivirus for Linux. Haven't FOUND any real spyware threats. And besides, Linux is still apparently an even lower danger than Apple OSX to run...
Of course, the BSD base of Apple OSX does have a reputation of being as secure as plain old Unix can be... but that's the base. The stuff Apple has tacked on top of it (like QuickTime, with all its hooks deep into the OS... and the more than a security hole/month discovered so far this year) seems to be its biggest security problem.
Angel responded with:
Well, I was told years ago not to get "service pack 2" and I still haven't! Yikes!
Perri Nelson responded with:
You should at least upgrade to service pack 2, Angel. And "so far" it's still safe to use Windows Update to get the latest patches.
Leaving your system unpatched opens up altogether too many bad possibilities. I'd hate to see your computer turn into a zombie spamming the rest of us. :-|