Following a groundbreaking cryptographic attack that hijacked the platform Microsoft uses to deliver updates to millions of large customers, the company has issued changes designed to prevent similar exploits from working again.
The company's Windows Server Update Services, which businesses and organizations use to deliver patches to large fleets of PCs, will no longer work through network proxies that use SSL deep packet content inspection, Microsoft representatives said in an advisory published Friday afternoon. Such proxies act as man-in-the-middle devices that can peek inside encrypted traffic as it travels from a local network onto the Internet. Enterprises that have inspection servers in place will have to create exception rules so all Windows Update traffic is bypassed.
The changes are designed to blunt the kind of attacks carried out by Flame, the sophisticated espionage software that infected PCs in Iran and other Middle Eastern countries. As revealed earlier this week, the malware hijacked the Windows Update process to spread from machine to machine within a local network. By hacking a Microsoft licensing service to sign malware stored on one infected computer, Flame could disguise the malicious payload as a Windows update that should be installed by other computers on the same network.
Microsoft has also provided cryptographic hashes that will accompany all future Windows Updates. It is signed with a private key that only Microsoft possesses, making it infeasible for attackers to include the same certification