Windows 10 May 2019 Update now rolling out to everyone… slowly

To avoid a replay of the problems faced by the Windows 10 October 2018 Update, version 1809, Microsoft has taken a very measured approach to the release of the May 2019 Update, version 1903, with both a long spell as release candidate and a much less aggressive rollout to Windows Update.

That rollout starts today: while previously one needed to be in the Insider Program (or have a source such as an MSDN subscription) to download and install version 1903, it's now open to everyone through Windows Update.

However, Windows users are unlikely to see the update automatically installed for many months. Initially, only those who explicitly visit Windows Update and click "Check for Updates" will be offered version 1903, and even then, they'll have to explicitly choose to download and install the update. This is part of Microsoft's attempt to make Windows Update less surprising: feature updates are offered separately from regular updates, because feature updates take a long time to install and regular updates don't (or at least, shouldn't). This installation experience requires the use of version 1803 or 1809, and it also requires the most recent monthly patch, which is also released today.

Nerves rattled by highly suspicious Windows Update delivered worldwide

People around the world are receiving a highly suspicious software bulletin through the official Windows Update, raising concerns that Microsoft's automatic patching mechanism may be broken or, worse, has been compromised to attack end users.

This Web search, which queries the random-appearing string included in the payload, suggests that it's being delivered to people in multiple regions. The same unexplained and almost certainly unauthorized patch is being reported in a variety of online posts, including this one hosted by Microsoft. The updates appear to be coming directly from servers that are cryptographically certified to be part of Microsoft's Windows Update system.

"Clearly there's something that's delivered into the [Windows Update] queue that's trusted," Kenneth White, a Washington DC-based security researcher, told Ars after contacting some of the Windows users who received the suspicious update. "For someone to compromise the Windows Update server, that's a pretty serious vector. I don't raise the alarm very often but this has just enough characteristics of something pretty serious that I think it's worth looking at."

W32.Flamer: Microsoft Windows Update Man-in-the-Middle

Flamer has a variety of ways of spreading on the local network. One of the methods is to hijack clients performing Windows Update. Three Flamer apps are involved in delivering the rogue update: SNACK, MUNCH, and GADGET.

When Internet Explorer starts, by default it will automatically search for proxy configuration settings. This happens through the Web Proxy Auto-Discovery Protocol (WPAD). Internet Explorer will attempt to retrieve proxy settings (wpad.dat) based on the computer's domain name. For example, if the computer is, Internet Explorer will request wpad.dat from:


Typically, resolution of these domain names will go to the DNS server. However, if the DNS server does not have records registered, Internet Explorer will also use WINS or NetBIOS for name resolution.

NetBIOS name resolution allows computers to find each other on a local network in a peer-to-peer fashion without a central server. Each computer simply broadcasts its own name to identify itself. Nothing authenticates these broadcasts, so the scheme is not secure, and this is how computers can spoof each other.

SNACK performs a variety of functions, including sniffing NetBIOS requests on the local network. When clients attempt to resolve a computer name on the network, and in particular make WPAD requests, Flamer will claim it is the WPAD server and provide a rogue WPAD configuration file (wpad.dat). NetBIOS WPAD hijacking is a well-known technique that many publicly available hacking tools implement.

Once a computer that has not yet been compromised receives the rogue wpad.dat file, it will set its proxy server to the Flamer-compromised computer. All its web traffic will now be redirected to the Flamer-compromised computer first.

MUNCH is a Web server within Flamer and receives the redirected traffic. MUNCH checks for a variety of queries, including matching URLs for Windows Update.

Hijacking Windows Update is not trivial because updates must be signed by Microsoft. However, Flamer bypasses this restriction by using a certificate that chains to the Microsoft Root Authority and improperly allows code signing. So when a Windows Update request is received, the GADGET module through MUNCH provides a binary signed by a certificate that appears to belong to Microsoft.

The binary is downloaded by the uninfected computer as if it were a legitimate Windows Update file and is executed. The binary is not Flamer itself, but a loader for Flamer. One sample of this binary refers to itself as TumblerEXE.exe.

Tumbler first performs some checks on the network interfaces and system information, including installed security products.

Next, Tumbler contacts the Flamer-compromised computer through HTTP with a URL in this form:


The MUNCH app of a Flamer-compromised computer then replies with itself (mssecmgr.ocx) and Tumbler saves this as %Windir%\temp\~ZFF042.tmp and executes it. This filename may be different in different samples.

Once executed, the computer becomes compromised with Flamer.

  1. Clients make WPAD requests through NetBIOS
  2. Flamer spoofs a WPAD configuration file response setting the proxy on the requesting computer
  3. Clients make Windows Update requests that are redirected to Flamer
  4. Flamer responds with a signed binary, Tumbler
  5. Tumbler downloads and installs Flamer
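
A defender's view of steps 1 and 2, as an added example that is not part of the original write-up: the Python below parses NetBIOS Name Service responses (RFC 1002 layout) and flags any positive answer for the name WPAD that comes from, or points to, a host outside an allow-list. The addresses, the allow-list and the sample packets are constructed assumptions.

```python
import struct

# Assumption for this example: the one host allowed to answer for WPAD.
AUTHORIZED_WPAD_HOSTS = {"10.0.0.5"}

def decode_nb_name(enc):
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' per byte."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_nbns_response(payload):
    """Return (name, suffix, answer_ip) for a positive name query response, else None."""
    if len(payload) < 62:  # 12 header + 34 name + 10 RR fields + 6 RDATA
        return None
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    # Need R bit set, opcode 0 (query), rcode 0, an answer and no question section.
    if not flags & 0x8000 or flags & 0x780F or qd != 0 or an < 1:
        return None
    enc = payload[13:45]
    if payload[12] != 0x20 or payload[45] != 0 or any(not 0x41 <= c <= 0x50 for c in enc):
        return None
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[46:56])
    if rtype != 0x0020 or rclass != 0x0001 or rdlen < 6:
        return None
    name, suffix = decode_nb_name(enc)
    return name, suffix, ".".join(str(b) for b in payload[58:62])

def find_rogue_wpad(packets):
    """packets: (source_ip, udp_payload) pairs captured on UDP port 137."""
    alerts = []
    for src, payload in packets:
        parsed = parse_nbns_response(payload)
        if parsed and parsed[0] == "WPAD" and {src, parsed[2]} - AUTHORIZED_WPAD_HOSTS:
            alerts.append((src, parsed[2]))
    return alerts

# Constructed sample traffic (not captured from a real network).
WPAD_ENC = b"FHFAEBEE" + b"CA" * 11 + b"AA"           # "WPAD" padded to 15 bytes, suffix 0x00
NAME = b"\x20" + WPAD_ENC + b"\x00"
RESP_HDR = bytes.fromhex("1a2b85000000000100000000")  # response, AA+RD set, one answer
RR_TAIL = bytes.fromhex("002000010000012c00060000")   # NB, IN, TTL 300, RDLEN 6, NB flags
QUERY = bytes.fromhex("1a2b01100001000000000000") + NAME + bytes.fromhex("00200001")
SAMPLES = [
    ("10.0.0.20", QUERY),                                              # client broadcast
    ("10.0.0.5", RESP_HDR + NAME + RR_TAIL + bytes([10, 0, 0, 5])),    # authorized host
    ("10.0.0.66", RESP_HDR + NAME + RR_TAIL + bytes([10, 0, 0, 66])),  # unexpected host
]

if __name__ == "__main__":
    for src, ip in find_rogue_wpad(SAMPLES):
        print(f"ALERT: {src} answered NBNS query for WPAD with {ip}")
```

On networks where no host should ever answer for WPAD, an empty allow-list turns every positive WPAD response into an alert.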