77 Comments
- remccain, on 10/11/2007, -4/+91
Buried as inaccurate.
1. IF a 'hacker' gains access to your system
2. THEN the 'hacker' could decide to use BITS to download packages other than what MS intended.
It is the same as saying that:
1. IF a burglar gains access to your house
2. THEN the burglar could use your phone to call his buddies over to loot.
I use Ubuntu Linux, not Windows, but I couldn't stand by and see inaccurate BS spread. BITS is perfectly safe as long as your system is not compromised. Get a good firewall (ZoneAlarm), antivirus (avast!) and antispyware (SuperAntiSpyware) and you should be just fine.
- cptchaos, on 10/11/2007, -1/+51
"Say you click that file attachment in an email from an unknown source, expecting to see compromising photos of a young starlet. Turns out there's no photo, so you shrug and move on."
So in other words: you are an incredibly dumb superidiot and deserve to be hacked.
- HUKI365, on 10/11/2007, -6/+48
They saw it coming because OBVIOUSLY if your computer is hacked, the hacker can and will use any number of devices to "download" extras from the mother ship. It just happens that Windows Update is one means of downloading data without very much user input.
Theoretically OSX and Linux could be compromised the same way. Bogus commands are fed into the update software which then downloads the malicious data.
The user still has to have an infected computer before this procedure can be used.
- fkr3, on 10/11/2007, -3/+28
Apparently once they have your house keys they can use your toilet too.
- BlackOp, on 10/11/2007, -23/+48
I don't work in IT and I saw this coming.
- j4200, on 10/11/2007, -6/+30
Problem is, it still requires that a user clicks on an email attachment or the like. So again it's not Microsoft's fault, as Symantec loves to pin it on them, but their clientele's fault. This is not a Windows exploit at all. It's just a way that hackers are using to transfer files once they're already in the machine in the first place. Without user stupidity going on, a Windows box with updates has a very, very low chance of being compromised.
Digg me down... it's all been said.
- inactive, on 10/11/2007, -22/+45
Did ANYONE who works in IT not see this coming?
- ImperatorTerrae, on 10/11/2007, -3/+20
I think if you're being hacked, you have bigger problems to worry about than your Windows Update DLer (i.e. personal security, bank notes, portfolio info, etc.).
- bIuebonics, on 10/11/2007, -0/+17
@r00tus3r
Actually, it's harder to get a Windows system infected than you think it is, or at least than I thought it was. My cousin and I tried an experiment with a fresh SP1 install of XP with no firewall. We went on a rampant web romp through porn sites galore, even goggle.com, and only got minimal spyware. We tried crack sites and, still, no BSOD or bot zombie PC yet. It wasn't until we installed BearShare and started downloading stuff like porn.exe and nudeteen.mpg.exe that we actually got real trojans. All in all it took around 2 hours before the computer was entirely obliterated. We could have cut down a lot of time by just going straight to BearShare, but with all the stories about "x number of seconds before Windows gets taken over" and from what I've seen doing computer repair (which today is 99% spyware and virus removal) I assumed we'd have the computer down within at least 30 minutes (and that's TRYING to get the computer messed up). Of course, this makes me wonder even more wtf those people are doing who, after you fix their computer today, are calling you a couple of days after you cleaned out their system complaining about ***** and are infested with viruses and spyware.... freeteenpornyoungxxx.exe is the very first sought-out file for some people?
- Zephiron, on 10/11/2007, -2/+17
Sorry but the correct term is "download".
They are in control of your machine, and use the Windows Update in your machine to download more crap to your computer.
So you are not only wrong, but you're also an *****, calling the other person an idiot when in fact the idiot is you!
- clinko, on 10/11/2007, -0/+15
This has NOTHING to do with Windows Update. It's just using an API that Windows Update also uses.
BITS is an API people have been using for years in .NET. Here's a how-to from Microsoft from early 2003:
http://msdn.microsoft.com/msdnmag/issues/03/02/bits/
It's not anything special. It's the equivalent of a low-priority CPU thread for HTTP over a network.
Just because an API is used doesn't mean the API is the problem.
=====
How's this for a news story:
An executable that plays videos, uses the youtube API, and formats your PC.
WHAT?! A YOUTUBE VIRUS!?! YOUTUBE IS THE DEVIL! RUN!!!!!!!!!!!!!!!!!!!
- theboohi, on 10/11/2007, -1/+15
Probably, because using BITS in this way is the same as using any other method to get malicious code after the machine is infected. BITS is basically just a smarter version of wget, so this article is making a story out of nothing.
Once a machine is infected to the level where an attacker could use BITS (or anything else), it doesn't really matter how they are doing it; you are screwed already.
- nreynolds, on 10/11/2007, -4/+16
wow.... there's no way you're not going to be buried by 7 (Pacific time)
- msjgriffiths, on 10/11/2007, -1/+12
Don't be ridiculous.
Newsflash: Windows has a download manager built into the operating system that Windows Update uses. It's called BITS, and it operates at a lower network priority so downloading updates doesn't disturb your internet browsing.
Newsflash: Malware installed on your computer can use parts of the operating system and screw around with you.
The only 'news' here is that firewalls don't check the traffic through BITS. That's a firewall problem - and blame Microsoft for not doing it; their XP firewall doesn't check ANY outbound traffic, not sure if Vista's two-way firewall checks BITS - but it isn't a problem with Windows. It's a problem with your firewall.
This is hardly an earth-shattering exploit.
- D3koy, on 10/11/2007, -4/+13
"Windows Update" is doing the downloading; Windows Update is not uploading anything.... The title is correct.
And in related news, you are a douche.
- tito13kfm, on 10/11/2007, -2/+10
It appears you are also infected with the "Pretentious *****" virus. You can cure yourself of this by taking your head out of your ass.
- pathy, on 10/11/2007, -3/+10
"Gaining access to the vast majority of users' computers is way easier than breaking into their house. Even I can do that. As for breaking into people's houses, I neither have the inclination nor the time."
That's a joke, right?
- WorldGroove, on 10/11/2007, -5/+12
C:\WINDOWS\system32\drivers\etc\hosts
- vwvwvw, on 10/11/2007, -1/+8
So we're blaming the medium? The transaction still has to be initiated from the client, at which point the machine is already compromised.
- j4200, on 10/11/2007, -1/+8
Well, if you can manage to run anything on Vista without it saying "Excuse me, would you like to do this?" then sure, a hacker could get in and use BITS to bring in more tools under the radar. AFAIK UAC hasn't been compromised yet. So unless the person is even more of a retard and is told this image is actually a program looking to install *****, then you're home free in Vista.
- shoonya, on 10/11/2007, -1/+8
Buried. It's inaccurate. BITS is just an API to help you write programs that can update themselves/download in the background with auto-resume for broken downloads. It's actually a really good thing for Windows applications.
/if somebody used a chair to bang another person to death, it doesn't mean we should stop using chairs and switch to sofas instead :p
- j4200, on 10/11/2007, -1/+8
Lol, I love that a security blog is talking about the very behavior that compromises machines, as if it were normal everyday behavior that is expected to happen.
r00tus3r - you get viruses often, don't you? I run an XP machine and haven't had a virus run amok since years ago when my ex would actively use my machine. Idiots can't cut through the ***** hackers use. People who realize hackers spew a lot of ***** online know how to spot it.
- enkafan, on 10/11/2007, -0/+6
I've used BITS before to perform downloads for some work for my company for things like updates and the like. It is a nice API. I'm not shocked hackers are using a library that makes writing reliable download code easier; I'm just surprised it took so long. Microsoft released a ton of code showing how ISVs could use the library in their own apps, so it's not like this is something hackers would have to reverse engineer. Hell, the author linked to the MSDN article on how to use it.
As to the sensationalism of accusing Windows Update of distributing viruses because it uses this library, well, I bet they are also using other Windows APIs used by Calculator or Minesweeper. Maybe I can look forward to the article titled "Hackers use Minesweeper to execute malicious code."
I also like the author's opinion that Microsoft's coding libraries should be locked down to only trusted sources. Yeah, maybe they should also lock down the windowing library to only Microsoft so hackers can't display anything on the screen. Or maybe lock down the IO libraries to Microsoft so hackers can't write anything to disk. Yeah, I'm sure that would go over well.
Buried.
- ksponge, on 10/11/2007, -2/+7
Wow, an article that attacks Windows with more yawn-inducing *****. Quick! Vomit up some Mac and Linux on it and we are all set!
- j4200, on 10/11/2007, -1/+5
I suspect that a hacker wouldn't actually point the download to an address at his location. Therefore he would be giving a command for the person's machine to download files from a remote location.
- skinfitz, on 10/11/2007, -0/+4
BITS != Windows Update - buried as inaccurate.
- j4200, on 10/11/2007, -1/+5
Because the writer is about as smart about network security as the writers for that movie. And I imagine it's one of his favourites as well.
- j4200, on 10/11/2007, -3/+6
I seem to recall Linux gets regular security updates as well. What's the difference?
Disclaimer: I dual boot and use both in different environments regularly.
- thenativeraver, on 10/11/2007, -1/+4
"If you want a seriously righteous hack, you should score one of those Gibsons..."
Why, oh why did they have to use that picture...
- redxii, on 10/11/2007, -2/+5
Why does malware need BITS to download something?
IANAP, but I'm absolutely positive you don't need BITS to enable your program to download something from the interweb. You just need a TCP/IP stack, no?
- Philluminati, on 10/11/2007, -4/+6
What if it's embedded in the HTML or on the web? Can it infect that way or does it only exploit Windows Picture Viewer (or whatever)?
- msjgriffiths, on 10/11/2007, -2/+4
You could turn off the BITS service, but unless disabling Windows Update disables the BITS service (and I don't think it does), it won't do anything.
You should be fine if you're running any sort of virus/malware scan.
And this is a Windows service that operates as a download manager, not a clear exploit.
- bradleyland, on 10/11/2007, -0/+2
"Gaining access to the vast majority of users' computers is way easier than breaking into their house. Even I can do that. As for breaking into people's houses, I neither have the inclination nor the time."
Tools and skills required to "break in" to a PC:
Computer, internet connection, lots of computing experience, possibly some programming experience
Tools and skills required to break in to a house:
3rd grade education, crowbar
- grumpyrain, on 10/11/2007, -1/+3
I imagine this sort of malware would need to stuff around inside the hosts file to trick BITS into connecting to some other malware server. UAC will obviously prompt you as soon as it tries to do that.
- parax, on 10/11/2007, -1/+3
That's the first thing that popped into my head; what a convenient leap of logic. One minute I'm updating Windows, the next minute apparently I'm opening email attachments like a madman. What kind of hacker would even need to use a BITS exploit if the target is already opening/executing email attachments?
- AutoShovel, on 10/11/2007, -0/+2
From the article, BITS is a service. It is normally allowed to go through the firewall. The issue is that something other than Windows Update can request that BITS transfer some data, and all your firewall sees is that BITS is doing some work that could be legitimate, so it passes OK. The correct behaviour is that the user should be asked first.
- ilgaz, on 10/11/2007, -0/+1
It won't likely happen on OS X. The softwareupdate tool, the actual command doing that job on OS X, is in /usr/sbin (one of the most protected places on any Unix) and its configuration is also owned by root, unless it is hard coded by Apple inside the actual binary (which is open source, btw). It requires someone sitting on your chair, knowing your password, enabling the root user, and I am sure that kind of guy won't care about this new fashion thing called the Internet and will take your desktop physically to his place :)
Checking its manual, it doesn't even have an argument to decide what software update site to check. Even if you are fooled by some guy into launching Terminal, you won't get malware, at least via Software Update of OS X.
- OBKenobi, on 10/11/2007, -0/+1
[quote]Did ANYONE who works in IT not see this coming?[/quote]
Competent IT staff do NOT use auto update. Updates are rolled out on the intranet/network AFTER they have been tested. Here is one reason why:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019218&intsrc=hm_list
That's not the first time autoupdate has caused unexpected problems for users who blindly download all updates.
- ilgaz, on 10/11/2007, -0/+1
It is obviously bad luck that such an important security issue is posted to the "Windows" section.
Next time you post anything regarding the security of any OS, post it to the "Security" section of Digg. You will be saved from half of the fanboy junk and burying. It is exactly the same deal for OS X or even Linux too.
- ilgaz, on 10/11/2007, -0/+1
Pretty much the same idea worked for Topmoxie 1.0. It was using the built-in Windows Java, so idiotic firewalls like Symantec would let it pass, since they see Java, a system process, connecting to the net.
This happened in 2001 until it was leaked to popular media such as Wired by people. 5 years have passed, for God's sake, and here is another abused system process. They would DIE if they prompted the user for a couple of additional applications' internet access or coded the framework in a secure way.
- FLarsen, on 10/11/2007, -0/+1
It's for larger files that don't fit in an email. But this is stupid; even if BITS was disabled, they could just include (and they do) a lightweight FTP client and there you go...
- Matri, on 10/11/2007, -0/+1
Seriously, it took this guy this long to figure out that BITS can be used to *gasp* download code?
- Shadowhawk109, on 10/11/2007, -5/+6
No. The 5 million sold copies of Vista are just an illusion...
A better question:
People are still smug ***** regarding their dislike of a perfectly fine operating system?
- wildfire, on 10/11/2007, -0/+1
Fair enough... replace [microsoft.com] with the IP(s) of Windows Update.
I was lazy before and just used microsoft.com as a shorthand for a list of IPs, but here they are:
Non-authoritative answer:
Name: update.microsoft.com.nsatc.net
Addresses: 65.55.192.61, 207.46.19.94
Aliases: update.microsoft.com
- utcursch, on 10/11/2007, -0/+1
Here is the Symantec blog that first raised this issue:
http://www.symantec.com/enterprise/security_response/weblog/2007/05/malware_update_with_windows_up.html
- Programous, on 10/11/2007, -0/+1
BITS goes through the same firewall that everything else goes through.
Buried as inaccurate.
- BlackAdderIII, on 10/11/2007, -0/+1
Look, this is something to which any update system can be vulnerable.
Now admittedly the whole thing should be OVERT when it's installing executable binaries on your operating system, and it should REQUIRE an explicit root login to do it too, but the bottom line is that if someone's determined to bork their system it's only a matter of time before they meet someone who'll do it for them.
Now on a technical basis, I don't use windows for myself, and the attack vector being leveraged here is the secrecy surrounding updates (which shouldn't exist) and the lack of permissions required to do it.
BUT I see end users on GNU/Linux offering themselves up for a rooting on GNU/Linux all the time.
- BlackAdderIII, on 10/11/2007, -0/+1
Damned edit timeout. Please edit that last sentence ^ with your brain.
- gnufan, on 10/11/2007, -0/+1
Whilst the article may be slightly misleading, the original Computerworld article (what is it today with Digg linking to articles that link to articles...) is informative.
The reason it is interesting to the techies (and possibly to some end users) is that some firewalls police downloads, so that only IE and Firefox can make web requests, and only the mail programs can fetch stuff via POP3.
So even if the box is compromised, these layers of defense can stop the malware downloading new versions of itself, or lists of email addresses to spam, or communicating with the authors in other ways, which will often stop the abuse. We recently had a laptop put on the network pick up a previously unknown piece of malware - the antivirus programs all missed it, but the firewall stopped its "ping" testing of IP addresses, so it didn't succeed in spreading itself anywhere. I think it is naive to expect every program to be secure, so we need to plan for defense in depth, but I'd have thought spotting the odd program requesting the use of the BITS API is a more useful generic test than most others. It is not as if many programs use this service routinely.
By using BITS these firewall protections may be subverted. So, yes, there is no compromise in the article, but even after a compromise it is possible one's defenses may still protect you (or others!) by spotting the abuse. All the original article is saying is that the average firewall doesn't spot these types of transfers, so the bad guys are abusing it. As others say, this is one for the firewall people to fix.
- Aldo1003, on 10/11/2007, -0/+0
The machine does not have to be compromised, just the DNS server, so it points to a malicious code update and there you go: all machines that update via this DNS will get infected code and all be compromised. Every 20 min my machine is going out from svchost to an unknown address and I have traced it to Windows Update. So my machine is infected; no AV programmes (HijackThis, McAfee, BitDefender, whatever) can help. Am now trying to reinstall all updates but it's going out to a non-Microsoft address and thus I am blocking it. Need to know where to get the real update from; tried from the Microsoft site but it gives an error after checking to see which updates I need. Have always felt Windows Update could be a problem and have always turned it off; for some reason when I upgraded to IE 7 I enabled it, silly me, now look what has happened. Never allow automatic updates. Now I'm paranoid about virus updates but that's a whole new story... Thanks for reading. This is my first post ever and don't know what prompted it, but as a security nut I am disappointed my machine has been compromised, and also in a way I never really believed it would but up til now always protected against.... Never allow auto updates. - aldo ronchese
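Several commenters (AutoShovel, gnufan, wildfire, grumpyrain) converge on the defender's side of this thread: a firewall or host check should not be satisfied by "BITS is running" but should look at where each job is actually going, and at whether the hosts file has been used to re-point an update hostname. The Python script below is an added example written for this page, not code from the thread, from Symantec or from Microsoft. It assumes per-job records in the shape of the BITS-Client operational log's job-started event (ID 59: job name, owner, remote URL); the records, the hosts-file content, the 198.51.100.23 address and the allowlist of update hosts are all constructed for illustration.

```python
"""
Added example (not from the Digg thread, Symantec or Microsoft): a small
defender-side check for the two abuses the commenters describe.

1. Per-job review of BITS transfers against an allowlist of update hosts,
   rather than trusting the BITS service process as a whole.
2. A hosts-file scan for entries that pin an update hostname to some other
   address, which would redirect otherwise legitimate update traffic.

The allowlist is an assumption for illustration; a real deployment would
take it from the organisation's own firewall policy.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of legitimate update hosts (illustrative, not authoritative).
UPDATE_HOST_ALLOWLIST = {
    "update.microsoft.com",
    "download.windowsupdate.com",
}

# Constructed sample records in the shape of BITS-Client event 59 (job started).
# 198.51.100.23 is a documentation-range address, not a real server.
SAMPLE_BITS_EVENTS = """\
EventID=59 Job="WU Client Download" Owner="NT AUTHORITY\\SYSTEM" URL="https://download.windowsupdate.com/d/msdownload/update/sample.cab"
EventID=59 Job="update" Owner="PC1\\alice" URL="http://198.51.100.23/bits/stage2.exe"
EventID=59 Job="Office update" Owner="NT AUTHORITY\\SYSTEM" URL="https://update.microsoft.com/v6/sample.cab"
EventID=59 Job="fonts" Owner="PC1\\alice" URL="http://update.microsoft.com.example.net/pkg.bin"
EventID=58 Job="unrelated" Owner="PC1\\alice" URL="http://198.51.100.23/x"
"""

_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_events(text):
    """Parse name=value records into dicts; keep only event 59 (job started)."""
    events = []
    for line in text.splitlines():
        fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
                  for m in _FIELD.finditer(line)}
        if fields.get("EventID") == "59":
            events.append(fields)
    return events


def host_allowed(url, allowlist=UPDATE_HOST_ALLOWLIST):
    """True only for HTTPS URLs whose host is an allowlisted host or a subdomain of one.
    Matching on label boundaries matters: a plain substring test would accept
    update.microsoft.com.example.net."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False
    return any(host == a or host.endswith("." + a) for a in allowlist)


def suspicious_bits_jobs(text, allowlist=UPDATE_HOST_ALLOWLIST):
    """Return (job, owner, url) for started jobs whose remote host is not allowlisted."""
    return [(e["Job"], e["Owner"], e["URL"])
            for e in parse_events(text)
            if not host_allowed(e["URL"], allowlist)]


# Constructed hosts-file content; the third line pins an update hostname elsewhere.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
198.51.100.23   update.microsoft.com
::1             localhost
"""


def hosts_overrides(hosts_text, allowlist=UPDATE_HOST_ALLOWLIST):
    """Find hosts-file lines that pin an allowlisted update hostname to an address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            n = n.lower()
            if any(n == a or n.endswith("." + a) for a in allowlist):
                hits.append((n, addr))
    return hits


if __name__ == "__main__":
    for job, owner, url in suspicious_bits_jobs(SAMPLE_BITS_EVENTS):
        print(f"BITS job {job!r} owned by {owner} fetches non-allowlisted URL: {url}")
    for name, addr in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {addr}; update traffic would bypass the real server")
```

On the constructed input the script flags the two jobs fetching from 198.51.100.23 and from a look-alike hostname, and the hosts-file line that pins update.microsoft.com to a foreign address. The point is the one gnufan makes: the job-level view (who created the job, where it goes) is a more useful signal than whether the BITS service itself is allowed through the firewall.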