Default WSUS Configuration Puts Organizations at Risk: Researchers

Use of SSL Prevents Hackers from Abusing Windows Server Update Services (WSUS)

LAS VEGAS – BLACK HAT USA 2015 – Organizations that fail to configure Windows Server Update Services (WSUS) to use SSL are exposed to cyberattacks, researchers have warned.

In a presentation last week at the Black Hat security conference in Las Vegas, researchers from Context Information Security demonstrated how Windows Update, and particularly WSUS, can be abused in attacks aimed at corporate networks.

WSUS is designed to allow IT administrators to fully manage the distribution of updates to the machines in their organization’s network. WSUS relies on SOAP XML calls to perform updates.

The WSUS configuration wizard in Windows Server 2012 advises users to utilize SSL with the service once the system has been set up. However, since SSL is not enabled by default, experts believe a “significant number” of WSUS deployments don’t use SSL.

The Windows Update feature is designed to accept only packages signed by Microsoft, which prevents attackers from modifying the files without invalidating their signature. However, experts discovered that a malicious actor can modify the update metadata and create fake updates.

Since there is no specific signing certificate for Windows updates, any file signed by a Microsoft certificate authority (CA) is accepted. According to researchers, a man-in-the-middle (MitM) attacker can cause a client to run any Microsoft-signed executable by intercepting and modifying SOAP requests between the client and the WSUS server.

One way to launch attacks is by abusing CommandLineInstallation, an update handler that allows an executable file to be downloaded and run with arbitrary arguments. One signed executable tested by experts is PsExec, a Sysinternals utility designed for executing processes on remote systems.

“By injecting an update that uses PsExec, the update XML can specify any arguments for PsExec, therefore allowing the attacker to run arbitrary commands,” Context wrote in its research paper.

Since PsExec is often abused by malicious actors, some security solutions flag it as a hacking tool, which is why the researchers looked for other Microsoft-signed executables that could be used in attacks. One alternative to PsExec is BgInfo, a Sysinternals utility designed to display information about a device (e.g. name, IP address, service pack version, etc.) on the desktop background.

BgInfo can be configured to display custom fields with the aid of VBScript files. Attackers can use a VBScript file hosted on an unauthenticated Windows share to execute arbitrary commands on a system, Context said.

“It’s a simple case of a common configuration problem,” said Paul Stone, a senior researcher at Context. “While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.”

Microsoft is aware of the issue and advises customers to follow best practices in order to protect themselves against potential attacks.

“Security IT professionals can protect against this man-in-the-middle attack by configuring Windows Server Update Services to use Secure Socket Layer (SSL), which is a well-documented best practice. More information about best practices for WSUS security can be found here,” a Microsoft spokesperson told SecurityWeek.
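A defender-side check to go with Microsoft's advice, added here as example code (not from the article or from Context's research): a PowerShell audit that reads the Windows Update policy values from the registry and flags a client pointed at a WSUS server over plain http://, the configuration the article describes as exposed to SOAP tampering. It assumes the standard Group Policy registry locations for Windows Update settings.

```powershell
# Added example: audit whether this client is configured to talk to WSUS
# without SSL. Assumes the standard Group Policy registry paths for
# Windows Update (WUServer, WUStatusServer, UseWUServer).

function Get-WsusClientConfig {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = "$policyKey\AU"

    $wuServer  = (Get-ItemProperty -Path $policyKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $statusSrv = (Get-ItemProperty -Path $policyKey -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
    $useWsus   = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    [pscustomobject]@{
        UsesWsus       = ($useWsus -eq 1 -and -not [string]::IsNullOrEmpty($wuServer))
        WUServer       = $wuServer
        WUStatusServer = $statusSrv
    }
}

# Returns $true only when the configured URL uses the https scheme.
function Test-WsusUrlIsHttps {
    param([string]$Url)
    if ([string]::IsNullOrEmpty($Url)) { return $false }
    try {
        return ([uri]$Url).Scheme -eq 'https'
    } catch {
        # Relative or malformed URL: treat as not secured.
        return $false
    }
}

$cfg = Get-WsusClientConfig
if (-not $cfg.UsesWsus) {
    Write-Output 'This client is not configured to use a WSUS server (it talks to Microsoft Update directly).'
    return
}

$entries = @(
    @{ Name = 'WUServer';       Url = $cfg.WUServer }
    @{ Name = 'WUStatusServer'; Url = $cfg.WUStatusServer }
)
foreach ($entry in $entries) {
    if (Test-WsusUrlIsHttps -Url $entry.Url) {
        Write-Output ("OK:   {0} uses HTTPS ({1})" -f $entry.Name, $entry.Url)
    } else {
        Write-Warning ("RISK: {0} is not HTTPS ({1}); update metadata can be modified in transit" -f $entry.Name, $entry.Url)
    }
}
```

Run it on a domain-joined client (or push it via a management tool) to find machines still using the default HTTP configuration; on the server side, WSUS is switched to SSL with wsusutil.exe configuressl after a certificate has been bound to the WSUS site in IIS.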

Researchers noted that Microsoft could implement further mitigations to protect users.

“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” said Alex Chapman, a senior researcher at Context. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”

In addition to the WSUS security issues, researchers raised concerns about the thousands of third-party USB drivers that can be installed via Windows Update. According to experts, low-privileged users could install these drivers through the Windows Update service simply by plugging in a USB device, and the drivers themselves might be plagued by vulnerabilities that can be exploited for malicious purposes.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
