That would never happen. A network tap would be able to detect a malicious update even if the main PC was implanted very well, and a Microsoft-signed malicious update would be worldwide news.
Please correct me if I am wrong, but I don't think there has ever been a single instance of this actually occurring, only "this could possibly happen" theories. I am definitely interested to hear more if this is not the case.
> That would never happen. A network tap would be able to detect a malicious update even if the main PC was implanted very well, and a Microsoft-signed malicious update would be worldwide news.
While I don't know of that specific scenario, Stuxnet used a hardware vendor's key to install infected drivers[1]. There was also a Chinese registrar that allowed a customer to man-in-the-middle Google[2]. Depending on how Windows organizes their driver updates, I could see an adversary doing a man-in-the-middle between Microsoft and their target, and pushing a bad driver update.
I will concede that the phrasing may be poor; a better way to put it is that "forced updates + NSL" would result in detection and a media firestorm, giving absolutely no benefit and obliterating any trust in Microsoft.
It's extremely risky to put out a mass update, yes. But if it were a targeted attack against an individual, the risk is greatly reduced, especially if that individual won't think twice about it.
> It's extremely risky to put out a mass update, yes. But if it were a targeted attack against an individual, the risk is greatly reduced, especially if that individual won't think twice about it.
At that point, you'd have to hope the target would not check the hashes of update files. If detected, then there is the same issue: A signed malicious update being detected (and easily verified cryptographically if given to a reporter) would cause a catastrophic media firestorm, eroding trust in the vendor forever.
A signed malicious update would be a Big Deal(tm), but the entity would also be able to survive it by claiming it was negligence. I don't believe negligence has not been significantly penalized in the marketplace, aside from perhaps CAs where damage can be limited (prevent new certs from being seen as valid, plenty of other options for sites). There's no such option available for penalizing Microsoft, and their lock-in is significant enough to limit nuclear options for doing so.
"We've revoked the signing key that was hacked by blah blah we have the utmost regard for security and adhered to best practices" and everyone would probably gloss over it for one instance.
What are the alternatives once an event occurs and Google/Microsoft/Redhat/?? claim it was an accident outside of their control (possibly due to negligence)? Yes, outside experts will be investigating to the best of their ability and there will be a statement about what measures have been put in place to mitigate the issue in the future. But what else would happen?
@willlstrafach,
Nothing you have said convinces me the commentator you are replying to is wrong. Especially since an NSL would prevent ANYONE who detected anything from speaking about it. Updates that tweak code to introduce vulnerabilities are not something that's science fiction.
> Especially since an NSL would prevent ANYONE who detected anything from speaking about it
Forced malicious updates would indeed be a reasonable concern if this was somehow actually the case. It is not, though, and I am not sure how that would even work. Are you saying that when it is detected, the government would somehow become aware of the detection and threaten the finder with an NSL before they could tell anyone?
Just because YOU can't figure out how it works does not mean it's not possible, my friend.
But I will say that when you have a backdoor, and suddenly that backdoor stops providing intel/data/whatever, it's usually a good indicator.
1. That screenshot clearly shows the certificate is being treated as not valid. I assume it is being shared for IOC purposes.
2. I am referring to a software update, in the context of revmoo's "forced updates + NSL" comment.
> Pre-Snowden a lot of things had been considered "could possibly happen" tinfoil hat theories, turned out a lot of them had not been mere theories.
I could believe that is the case for those outside of the information security community, but nothing novel/tinfoil-hat-worthy was in the leaks, just confirmations of predictable sources/methods used for intelligence gathering and CNE work. Forcing a company to issue a blessed update containing malicious code is very different, and again, I am very interested to hear of any proof of such a thing occurring without detection (It doesn't seem possible for that to happen without it being detected and being discussed very loudly).