Black Hat 2015: Microsoft has bungled Windows Server Update Services (WSUS), according to hackers Paul Stone and Alex Chapman, with insecure defaults that let them hijack OS updates.
Attackers that have previously gained admin privilege on a target system can elevate themselves to system-level access by skipping the normal signed update process.
The "exciting look at one of the dullest corners of the Windows OS" was presented at Black Hat Las Vegas this week in the paper WSUSpect: Compromising the Windows Enterprise via Windows Update [PDF].
"This (WSUS) weakness allows a malicious local network-based attacker or low privileged user to fully compromise target systems that use WSUS to perform updates," Context Information Security's Stone and Chapman say in the paper.
"During the update process, signed and verified update packages are downloaded and installed to the system. By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can...