Hacker Claims Ability To Fake Microsoft Updates

A hacker who goes by the name Comodohacker claims he can now fake Microsoft updates using stolen certificates. Comodohacker is believed to be an Iranian student who made news recently for compromising Dutch certificate authority DigiNotar and acquiring four of its certificate authorities, as well as obtaining CAs from GlobalSign. In a post to his Pastebin site, Comodohacker claims he has gone further and reverse engineered the Microsoft update mechanism.

Comodohacker writes that the update client fetches XML over SSL which includes, for each update, the download URL, the Microsoft Knowledge Base article reference and the SHA-1 hash of the update file, and he then notes how the client verifies that the downloaded file is signed by calling the WinVerifyTrust API. For its part, Microsoft has said that it has taken steps to blacklist all DigiNotar certificates, and it is also rolling out a patch next week to recognize and possibly block specifically signed DigiNotar certificates, countering the spoofed CA as a step to assist end users.
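The two checks described above, the manifest SHA-1 and the Authenticode signature, can be reproduced on the client side for a downloaded update file. The script below is an added example, not code from the article, from Comodohacker's post or from Microsoft: it parses a constructed manifest (the element and attribute names are a stand-in, not the real Windows Update XML schema), compares the file's SHA-1 with the manifest value, validates the Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and then walks the signer's chain against a local list of blocked CA thumbprints, which is the explicit form of the DigiNotar blacklisting Microsoft describes. The function name Test-UpdateFile and the -BlockedIssuerThumbprints parameter are this example's own; the thumbprints themselves are placeholders you supply.

```powershell
# Added example (not from the article or from Microsoft). Verifies a downloaded update file
# the way the article describes the client doing it, plus an explicit CA blocklist check.
#
# Constructed manifest shape (NOT the real Windows Update schema):
# <updates>
#   <update kb="KB000000" url="https://example.invalid/update.msu" sha1="DA39A3EE..."/>
# </updates>
function Test-UpdateFile {
    param(
        [Parameter(Mandatory)][string]$ManifestPath,      # XML manifest saved from the SSL session
        [Parameter(Mandatory)][string]$UpdateFile,        # the downloaded update file
        [string[]]$BlockedIssuerThumbprints = @()         # placeholder thumbprints of CAs you no longer trust
    )

    [xml]$manifest = Get-Content -Path $ManifestPath -Raw
    $leaf  = Split-Path -Path $UpdateFile -Leaf
    $entry = $manifest.updates.update |
             Where-Object { $_.url.EndsWith($leaf) } |
             Select-Object -First 1
    if (-not $entry) { throw "No manifest entry for $leaf" }

    # 1. Hash check: the file must match the SHA-1 the manifest carried. This only ties the
    #    file to the manifest; if the SSL session that delivered the manifest was impersonated
    #    with a fraudulent certificate, both the manifest and the file can be attacker-controlled,
    #    so this step alone proves nothing about origin.
    $actual = (Get-FileHash -Path $UpdateFile -Algorithm SHA1).Hash
    if ($actual -ne $entry.sha1.ToUpperInvariant()) {
        throw "SHA-1 mismatch: manifest $($entry.sha1), file $actual"
    }

    # 2. Authenticode check: validates the signature and its chain through the Windows trust
    #    machinery (the same WinVerifyTrust path the article mentions). A signature from a
    #    fraudulently issued certificate still passes here as long as its CA is trusted.
    $sig = Get-AuthenticodeSignature -FilePath $UpdateFile
    if ($sig.Status -ne 'Valid') {
        throw "Authenticode status: $($sig.Status) ($($sig.StatusMessage))"
    }

    # 3. Issuer blocklist: reject any certificate in the signer's chain whose thumbprint is on
    #    the blocklist. This is the explicit form of the CA blacklisting Microsoft describes and
    #    reports which chain element tripped it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($sig.SignerCertificate)
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        if ($BlockedIssuerThumbprints -contains $cert.Thumbprint) {
            throw "Signer chains to blocked CA: $($cert.Subject) [$($cert.Thumbprint)]"
        }
    }

    [pscustomobject]@{
        File   = $leaf
        KB     = $entry.kb
        SHA1   = $actual
        Signer = $sig.SignerCertificate.Subject
        Result = 'OK'
    }
}

# Usage (paths and thumbprint are placeholders):
# Test-UpdateFile -ManifestPath .\manifest.xml -UpdateFile .\update.msu `
#     -BlockedIssuerThumbprints @('<THUMBPRINT-OF-UNTRUSTED-CA>')
```

The ordering matters for what a failure tells you: a hash mismatch means the file does not correspond to the manifest, an invalid Authenticode status means the signature or chain is broken, and a blocklist hit means the signature is technically valid but was produced under a CA you have decided not to trust, which is exactly the case the article is about.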

Windows users will need to be more vigilant until Microsoft has secured its update mechanism, or risk having malware pushed onto their systems. Meanwhile, other companies affected by the compromised CAs, such as Adobe, Mozilla, and Apple, are removing DigiNotar from their lists of trusted certificates.
