Coffeehouse Thread

11 posts

Updates for Windows for "exploitable w/o interaction" vulnerabilities?

  • androidi

    (Just a list of such updates would help if I knew it was kept up to date by people who knew enough about the holes to understand whether they can be targeted during the minutes after connecting a public IP machine to internet with a clean official DVD install of Windows that still needs to get and install updates from Windows Update)

    Is there an official cumulative update that can be installed straight after Windows 7 RTM/SP1 that at least attempts to ensure the installation is patched for known remote-exploitable holes that can come through the network just by trying to connect on the computer if the computer has a public IP?

    Ideally such would be in a fixed location/URL and always offered for every Windows version and SP, even if no known such holes/vulns existed. One could then simply have a process where one downloads the update on another system and installs it locally before hooking up onto the internet.

    e.g. Preferably, instructions for the process should be this simple:

    1. Download the official cumulative update for bugs falling into this category from a known, bookmarkable URL that's guaranteed to stay the same for the next decade or two? e.g. microsoft.com/critical/w7sp1/

    2. Install it before connecting a clean Windows onto network.

    My current process is to read through every patch description that came since the last time I read through every prior patch description (in case I missed it when the patch was new) and try to guess whether a patch is needed before connecting the machine to the internet in order to get the latest updates after a service pack. I have also tried the alternative of downloading every patch and installing them, but I'm also targeting less time to install now, since I found out that this process makes the install take even 3 times longer than normal on SSD and results in multiple installs of old superseded patches. WSUS could probably address this, but then I'm spending time figuring that out vs just letting the computer spend more time thrashing the HDD or pegging the CPU during install. So neither is what I want.

  • Sven Groot

    This would've been a valid concern if it was pre-XPSP2. Windows has had an on-by-default firewall since then, so there's no reason not to just let it go online to get updates. Put it behind a NAT router (with UPnP disabled) if you're really worried. No one is going to hack you just by going online if all you're doing is downloading updates.

  • androidi

    If we assume the firewall is bug free, the computer being installed could still be located in a hostile network. Perhaps your government was under pressure from another government with secret courts that could change basic rights by whims of the powers that were being blackmailed by the intermediary bad guys acting on behalf of the agents of the really bad guys who acted on behalf of a powerful president with lots of dough in a tax haven who... (of course all the stuff in the news could be just propaganda by the Ultimate Evil* whose aim is that everyone is too afraid to say what they really think on the Internet) So your government could then pressure your ISP to install tools to modify packets coming from Windows Update and other network services, or issue fictional updates.

    There could be bugs related to the firewall, DHCP, DNS, ARP queries and such that are done on the network when getting the first update. Signature verification issues and bugs in WU, just to name those that have already been patched at least once, if I recall.

    A possible scenario could be to have such critical updates with you when you go to install Windows somewhere where the network connectivity was just through, say, a wifi adapter that served public IPs through DHCP and the network could be presumed to be hostile. The target computer could be a laptop with only a wifi connection and no trusted ports (USB devices masquerading as something else could carry new descriptor-based attacks - I prefer to install a clean system, then use that to install the actual final system).

    It would be best if MS provided a patch to, or a monthly completely patched up Windows 7 SP1 ISO, and the BIOS/EFI would contain a verification to check some key files on the ISO when booting it up, and then of course those verified bits would verify the rest of the ISO while installing. In addition to what I suggested in the OP.

    * http://wiki.uqm.stack.nl/Ultimate_Evil

  • Sven Groot

    @androidi: But how do you know the critical updates don't still have undisclosed vulnerabilities that the hackers already know about? Or that there isn't simply a backdoor for that government? Or maybe your computer is secretly killing kittens behind your back?

    Best to just encase your computer in concrete and never, ever go outside again.

  • blowdart

    androidi wrote:

    So your government could then pressure your ISP to install tools to modify packets coming from Windows Update and other network services, or issue fictional updates.

    Except of course, even if they hijacked HTTPS by issuing a cert from a CA on your trusted CA root list, Windows Update files are signed. With a different CA. That Windows enforces.

  • ScanIAm

    blowdart wrote:

    *snip*

    Except of course, even if they hijacked HTTPS by issuing a cert from a CA on your trusted CA root list, Windows Update files are signed. With a different CA. That Windows enforces.

    Well there you go. As long as there's no way possible that the CA process could be spoofed in any way, then we're golden.

    And if there were a way, we'd know about it by now.

  • blowdart

    ScanIAm wrote:

    *snip*

    Well there you go. As long as there's no way possible that the CA process could be spoofed in any way, then we're golden.

    And if there were a way, we'd know about it by now.

    I spy sarcasm. But the Windows Updates are signed with the Microsoft update CA. Now Flame did hijack this (*sigh*) but that route [pun intended] has been fixed - it managed to get a signing cert which chained correctly. So, serving files signed with a certificate issued by something other than the MS update CA would fail.

  • evildictaitor

    blowdart wrote:

    *snip*

    I spy sarcasm. But the Windows Updates are signed with the Microsoft update CA. Now Flame did hijack this (*sigh*) but that route [pun intended] has been fixed - it managed to get a signing cert which chained correctly. So, serving files signed with a certificate issued by something other than the MS update CA would fail.

    I think the word CA is adding confusion here. Windows Update sends signed cab files that have a cert that chains back to the Windows Update root cert, the public key of which is burned into Windows. So a DigiNotar style breach would not affect the integrity of Windows Update.

  • evildictaitor

    androidi wrote:

    It would be best if MS provided a patch to, or a monthly completely patched up Windows 7 SP1 ISO, and the BIOS/EFI would contain a verification to check some key files on the ISO when booting it up, and then of course those verified bits would verify the rest of the ISO while installing. In addition to what I suggested in the OP.

    Ridiculous as it sounds, Windows Update already basically does this, because updates are signed by the WU private key and the public key lives in Windows Update itself, which is an executable signed by the MS signing key and is part of core Windows that can't be swapped out or replaced. This is all enforced by the kernel, which is signed, and the signature is checked by the loader, which is also signed, and ITS signature is checked by UEFI as part of secure boot.

    So in a way, your update mechanism does ultimately chain back to the hardware itself.
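
    The pinned-root point made in the two posts above, as an added example (not code from the thread or from Microsoft): a constructed "update root" and a constructed public CA each issue a signer certificate, and the check anchored on the embedded root rejects the signer from the other CA even though a store trusting both roots would accept it. Names and keys are made up, and the real Authenticode-signed CAB format is simplified to plain X.509 chain validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a code-signing cert for name (parent == nil: self-signed root); constructed demo material only.
func mkCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // a root signs itself and may issue further certs
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey) // fixed, valid template
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo validates signer as a code-signing cert against only the given roots; the
// system store is never consulted, which is the pinned check the posts above describe.
func chainsTo(signer *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := signer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err == nil
}

// Demo returns (pinned root accepts genuine, pinned root accepts rogue, store holding both roots accepts rogue).
func Demo() (bool, bool, bool) {
	wuRoot, wuKey := mkCert("Demo Update Root", nil, nil)
	pubRoot, pubKey := mkCert("Demo Public CA", nil, nil) // in the general store, as DigiNotar was
	genuine, _ := mkCert("Update Signer", wuRoot, wuKey)
	rogue, _ := mkCert("Update Signer", pubRoot, pubKey) // same name, but issued by the wrong root
	return chainsTo(genuine, wuRoot), chainsTo(rogue, wuRoot), chainsTo(rogue, wuRoot, pubRoot)
}

func main() { fmt.Println(Demo()) } // prints: true false true
```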

  • androidi

    @Sven Groot: > Or that there isn't simply a backdoor for that government?

    Clearly I need to get enough storage to download all content on the internet; then I can read it offline without anyone having any idea what content I'm really interested in. For this purpose a computer could be set up inside a network cabinet hidden in (a building made of) concrete. Nothing could possibly go wrong with this plan. (was this the hidden agenda or just a perk - the 0.00001% wanted to browse any site without anyone knowing, so instead of browsing through the net, they browse the NSA data-warehouse)

  • Sven Groot

    Removed