If you use Windows, you depend on Windows Update. You trust it to download and install the latest fixes and patches, which make your system less buggy and less vulnerable to malicious attack.
But what if the attack came from Windows Update? What if cybercriminals found a way to disguise their malware as a legitimate Microsoft update?
A Tom's Hardware article brings us some possibly very bad news. An individual who goes by the nom de hacker Comodohacker, claims that he can issue fake updates that Windows sees as the real thing.
Comodohacker may or may not have been involved with recent thefts of certificate authorities used to corroborate Secure Socket Layer (SSL) transactions. He certainly takes credit for them. More than 500 certificates were stolen recently from DigiNotar; several of these could theoretically be used to fake Microsoft Update.
Microsoft assures us that this cannot be done, and that it's impossible to use stolen certificates for this purpose. In a long and very technical statement, Microsoft employee Jonathan Ness reassures us that "For an attack to be successful, an attacker must have been issued a digital certificate for the server or domain to which the client is initiating a connection. Also, the attacker must be able to tamper with the conversation in progress." This would require the hacker to be on your local network, control your ISP, or find some other form of "man-in-the-middle" access.
Comodohacker thinks otherwise. In a statement on pastebin, he bragged that, "Microsoft's statement about Windows Update and that I can't issue such update is totally false! I already reversed ENTIRE windows update protocol, how it reads XMLs via SSL…You see? I'm so smart, sharp, dangerous, powerful, etc. huh?"
We can hope that his hacking skills are as bad as his writing skills, but we shouldn't depend on it. Whether or not he could do what he claims, you need very good malware protection, such as Trend Micro's Titanium.
This story, "Can This Hacker Really Fake Windows Update?" was originally published by BrandPost.