
Offline updater should become more aggressive in verifying

PostPosted: 10.02.2016, 09:29
by Hamy
When it comes to HTTP, a man-in-the-middle attack is a real concern, especially for security-related products. Users trust WSUS Offline to make their PC secure right after installing a new OS and even before connecting to any network. Software such as this should do as much as it can to guarantee the authenticity of the downloaded files, and I believe WSUS Offline Update could do more in this area.

For starters, the required bin files (mkisofs.exe, sigcheck.exe, streams.exe, Autologon.exe, etc.) should be included in the software. There is no need for them to be checked at each run or to be possibly automatically updated. If there is a license issue with including them in the software, the software should verify their hashes after downloading against a pre-defined hash file.

The second issue is with verifying the downloaded updates. Be it a cab file, exe or msu, these files are signed, and even though the program checks for a valid signature, this is not enough. These files are signed with a very specific chain of authorities: Microsoft Root Certificate Authority --> Microsoft Code Signing PCA --> Microsoft Corporation
Right now what happens is that as long as there is a valid digital signature of any kind, the program accepts it as valid, and we all know how easy it is to successfully sign malicious code by requesting your own signing cert from a CA. There are a lot of examples of viruses/malware with valid signatures.

By checking the update files against the root CA "Microsoft Root Certificate Authority", which has a very specific and well-known SHA1/SHA256 hash (and is also valid till 2021), you can guarantee that the file is indeed from Microsoft and no other entity.

A less serious issue is downloading StaticDownloadFiles through the wsusoffline server via http. It would sure make more sense to do the download over https and make wget verify the certificate.

Best Regards,
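One way to implement the two checks proposed in the post above (verifying the helper binaries against a pre-defined hash manifest, and pinning the Authenticode chain of an update file to one specific root CA instead of accepting any valid signature), as an added PowerShell example. This is not WSUS Offline Update's own code. The manifest contents, the file names and the root thumbprint are placeholders (assumptions); the real root thumbprint must be taken from a certificate you have verified out of band, not from the network path you are trying to protect.

```powershell
# Added example, not part of WSUS Offline Update.
# Part 1: verify helper binaries against a pre-defined SHA-256 manifest.
# Part 2: check that an update file's Authenticode chain ends at a pinned root CA.

# Manifest format, one entry per line: <sha256-hex>  <file name>
# Constructed placeholder manifest: these are NOT the real hashes of the tools.
$ManifestText = @"
0000000000000000000000000000000000000000000000000000000000000000  mkisofs.exe
1111111111111111111111111111111111111111111111111111111111111111  sigcheck.exe
"@

function Test-FileManifest {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [Parameter(Mandatory)] [string] $Manifest
    )
    $ok = $true
    foreach ($line in ($Manifest -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $expected, $name = $line -split '\s+', 2
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "missing: $name"; $ok = $false; continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # String comparison with -ne is case-insensitive, so hex case does not matter.
        if ($actual -ne $expected) {
            Write-Warning "hash mismatch: $name"; $ok = $false
        }
    }
    return $ok
}

function Test-PinnedAuthenticode {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprint of the one root CA you trust for these files.
        # Placeholder: supply the value of a root certificate verified out of band.
        [Parameter(Mandatory)] [string] $RootThumbprint,
        # Expected leaf signer; wildcard pattern used with -like.
        [string] $ExpectedSubject = 'CN=Microsoft Corporation*'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status $($sig.Status)"
        return $false
    }
    # 'Valid' only says that SOME trusted CA signed the file. Rebuild the chain
    # from the signer certificate to find out WHICH root it ends at.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline scenario; adjust if online
    # Time validity was already established by Get-AuthenticodeSignature (via the
    # countersignature timestamp); older updates have signer certs that have since expired.
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    if (-not $chain.Build($sig.SignerCertificate)) {
        Write-Warning "$Path : chain could not be built"
        return $false
    }
    $leaf = $chain.ChainElements[0].Certificate
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $chain.Reset()
    if ($root.Thumbprint -ne $RootThumbprint) {
        Write-Warning "$Path : chains to unexpected root '$($root.Subject)' ($($root.Thumbprint))"
        return $false
    }
    if ($leaf.Subject -notlike $ExpectedSubject) {
        Write-Warning "$Path : unexpected signer '$($leaf.Subject)'"
        return $false
    }
    return $true
}

# Usage with placeholder paths and thumbprint:
# Test-FileManifest -Directory '.\bin' -Manifest $ManifestText
# Test-PinnedAuthenticode -Path '.\client\update.msu' -RootThumbprint '<verified root thumbprint>'
```

The second function deliberately does two separate things: `Get-AuthenticodeSignature` answers "is this a cryptographically valid, trusted signature", and the rebuilt `X509Chain` answers "which root does it end at". Comparing the root thumbprint closes the gap described in the post, where a signature from any CA in the machine's trust store would otherwise be accepted.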