Patch Tuesday Remains an Insecure Undertaking
Today I decided to check how Windows updates actually make it from the Windows Update server to my computer when downloading them manually, and discovered that Transport Layer Security (TLS) HTTPS encryption is not used during the manual download process. This leaves the update process insecure, opening the way for our own government or a rogue hacker to inject bad certificates or other malware into the update process.
The website that lets you browse and pick the packages uses effective HTTPS TLS encryption, but unfortunately, when you actually start the download, it reverts to an unprotected connection, leaving the process vulnerable to packet injection. If Microsoft included the SHA1 hash value of the download package (3BC0210AA8B3E6FF99C876C8DF45D3D6900C6F32 per my calculations) on the page pictured below, users could at least hash the package as received, compare it against the securely published value from Microsoft, and validate that they received an unaltered package.
If you right click on the download file link, you can copy the target URL and paste it into your browser and you will see that the download actually initiates via the following hyperlink.
Why Microsoft doesn’t use a secure HTTPS Content Distribution Network leaves much room for speculation; it is entirely possible to use effective HTTPS with a CDN. I think we need to consider going back to monthly updates on disk media to prevent Man In The Middle (MITM) code injection attacks, or at least properly secure software update connections with TLS 1.3 encryption.
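The manual hash check proposed above, together with a check for the HTTPS-catalog-page-to-plain-HTTP-download handoff, as an added Python example (written for this page, not Microsoft tooling); the package bytes and URLs are constructed, and the sample's own digest stands in for the hash a vendor would publish.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for a downloaded update package; not a real Microsoft file.
SAMPLE_PACKAGE = b"constructed sample bytes standing in for an update package\n" * 2000

def sha1_of_bytes(data, chunk_size=1 << 20):
    """Hash the package incrementally so multi-hundred-MB files need not sit in memory."""
    h = hashlib.sha1()
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        h.update(view[offset:offset + chunk_size])
    return h.hexdigest().upper()

def sha1_of_file(path, chunk_size=1 << 20):
    """Same check for a file on disk, e.g. the package just saved from the catalog page."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest().upper()

def hash_matches(actual_hex, published_hex):
    """Compare the computed hash with the vendor-published one, ignoring case and
    surrounding whitespace; compare_digest keeps the comparison constant-time."""
    a, p = actual_hex.strip().lower(), published_hex.strip().lower()
    return len(a) == len(p) and hmac.compare_digest(a, p)

def is_plaintext_handoff(page_url, download_url):
    """True when an HTTPS catalog page hands the actual download to a plain-HTTP URL,
    which is the downgrade this post describes."""
    return urlparse(page_url).scheme == "https" and urlparse(download_url).scheme == "http"

def verify_download(page_url, download_url, package, published_sha1):
    """Summarise both findings for one download: channel downgrade and hash result."""
    digest = sha1_of_bytes(package)
    return {
        "plaintext_download": is_plaintext_handoff(page_url, download_url),
        "sha1": digest,
        "hash_ok": hash_matches(digest, published_sha1),
    }

if __name__ == "__main__":
    published = sha1_of_bytes(SAMPLE_PACKAGE)  # what the vendor should print on the page
    tampered = SAMPLE_PACKAGE[:-1] + b"!"      # one altered byte, as packet injection would
    for pkg in (SAMPLE_PACKAGE, tampered):     # hypothetical catalog and download URLs
        print(verify_download("https://catalog.example/", "http://dl.example/kb.msu", pkg, published))
```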
Microsoft isn’t alone in their insecure update process.
Adobe Acrobat, perhaps the most widely distributed add-on software package for businesses, fails to properly secure their download website. Installing McAfee Security as part of the following download process could actually be creating a security risk on endpoints, given the insecure delivery channel.
The SSLLABS.com report I ran today against the https://get.adobe.com domain received a well-below-perfect score because Adobe continues to support insecure cipher algorithms that are vulnerable to MITM attacks: https://www.ssllabs.com/ssltest/analyze.html?d=get.adobe.com
This server supports weak Diffie-Hellman (DH) key exchange parameters, which leaves the download process for Adobe Acrobat vulnerable to MITM attack and exploitation. More on this at https://weakdh.org/
The RC4 vulnerability has long been known, yet many major websites continue to support the cipher, leaving their visitors subject to cyber attack by many different entities.
It is time that we all demand these vendors step up to the plate and lock down these vulnerabilities. I can only speculate that certain three letter agencies have asked some of these offenders to continue to use weak and vulnerable encryption so that targets can be surveilled easily.
Recent reports by the Canadian organization The Citizen Lab indicate that insecurities relating to popular file downloads are being exploited by government agencies to compromise their targets.
“Targeted users in Turkey and Syria who downloaded Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects. This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default. Additionally, targeted users in Turkey and Syria who downloaded a wide range of applications from CBS Interactive’s Download.com (a platform featured by CNET to download software) were instead redirected to versions containing spyware. Download.com does not appear to support HTTPS despite purporting to offer ‘secure download’ links.”
Adobe Acrobat would be a prize compromise target for a nation state that wanted to compromise most U.S. businesses, since the software has widespread distribution. I have still been trying to understand how rogue certificates are making their way onto Windows 10 computers, and suspect that the Adobe update agent may play a role, given the observed insecurities with Adobe’s download connectivity for obtaining software.
Compromise Adobe, own the World’s Computers!