Comodohacker: I can issue fake Windows updates

The hacker who breached security at DigiNotar and caused it to release fake digital certificates is now claiming he can exploit Microsoft's Windows Update to issue fake updates.

Lance Whitney Contributing Writer

Following his recent attack against Dutch security company DigiNotar, the hacker known as Comodohacker is now threatening to exploit Microsoft's Windows Update service.

In another message posted on Pastebin last week touting his cyberattacks, the infamous hacker claims that he's able to issue phony Windows updates despite Microsoft's assertion to the contrary.

"I'm able to issue Windows update--Microsoft's statement about Windows Update and that I can't issue such update is totally false," proclaimed Comodohacker. "I already reversed ENTIRE Windows update protocol, how it reads XMLs via SSL which includes URL, KB no, SHA-1 hash of file for each update, how it verifies that downloaded file is signed using WinVerifyTrust API, and...Simply I can issue updates via Windows update! You see? I'm so smart, sharp, dangerous, powerful, etc. huh?"

If Comodohacker were able to compromise Windows Update, then he would essentially be capable of delivering malware to any Windows PC running the service.

In an earlier post on its Security Research & Defense blog, Microsoft said it was aware that some of the fake certificates released by DigiNotar were issued for such domains as Microsoft.com, Windowsupdate.com, and Update.microsoft.com. As a result, the company designated all DigiNotar certificates as untrustworthy and issued a Windows security update that can be installed manually and would be automatically installed for all users with automatic updates turned on.

But despite its actions, Microsoft contends that its Windows Update is protected from any threats from false security certificates.

"Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers," Microsoft engineer Jonathan Ness wrote in the blog. "The Windows Update client will only install binary payloads signed by the actual Microsoft root CA certificate, which is issued and secured by Microsoft. Also, Windows Update itself is not at risk, even to an attacker with a fraudulent certificate."

Comodohacker's recent attack against DigiNotar caused the Dutch certificate authority to issue fake Secure Sockets Layer (SSL) certificates for Google, Microsoft, Skype, Twitter, and a host of other organizations. The hacker has also been threatening to release phony certificates for other companies.

SSL certificates authenticate secure Web sites to verify that users are connecting to the intended site. Phony certificates are especially alarming, as they can redirect Internet users to the wrong Web sites, often as a way of delivering malware, and can easily destroy confidence in the CAs (certificate authorities).

Trying to justify his actions against DigiNotar, Comodohacker blamed the Dutch government's failure to prevent the 2002 Srebrenica genocide, a massacre in which up to 8,000 men and boys were killed by Bosnian Serb forces. The hacker earned his nickname after breaching network security for a reseller of security firm Comodo.