UPDATED: Tens of millions of Microsoft users get their security updates from the
Microsoft Update service. But a researcher at security firm Symantec (Quote) is alleging that users could potentially get something more
than they bargained for.
A Symantec researcher said that Microsoft Update, which includes a
component called Background Intelligent Transfer Service (BITS), could
potentially be used by hackers to bypass security measures and attack users’
PCs. BITS runs in the background on a Windows PC as an asynchronous download
service for patch updates.
A Microsoft spokesperson confirmed to internetnews.com that Microsoft
is aware of public reports that BITS is being used by TrojanDownloader:Win32/Jowspry to bypass
policy-based firewalls in order to install additional malware.
According to Microsoft, the bypass relies on TrojanDownloader:Win32/Jowspry
already being present on the system; it is not an attack vector for initial
infection. The bypass most commonly occurs after a successful social-engineering attempt lures the user into inadvertently running
TrojanDownloader:Win32/Jowspry, which then utilizes BITS to download
Microsoft recommends that any users who believe they are affected by
TrojanDownloader:Win32/Jowspry visit Windows Live OneCare safety scanner to scan their systems, determine if they are
infected, and clean all currently known variants of this Trojan.
Using BITS to download malicious files is a clever trick because it
bypasses local firewalls, as the download is performed by Windows itself,
and does not require suspicious actions for process injection, Symantec
researcher Elia Florio wrote on the Symantec Security Response blog.
According to Florio, there is no workaround for a BITS-based attack and it is difficult to manage what should not be downloaded by BITS.
“Probably the BITS interface should be designed to be accessible only with a
higher level of privilege, or the download jobs created with BITS should be
restricted to only trusted URLs,” Florio wrote.
Though the Symantec researcher is now bringing this issue to light,
Florio said the hack community has been aware of the potential risk of BITS since it was cited as an “antifirewall loader” technique on a Russian forum at the end of 2006.
Florio’s allegation comes as Microsoft wraps up its fifth Blue Hat Security
conference. Blue Hat is Microsoft’s closed-door security conference
where the company invites security researchers up to its campus to discuss
the latest bleeding-edge security research.
According to Microsoft’s Blue
Hat Security blog, Blue Hat v5 included a number of presentations about
mobile and Web application hacking, as well as a session on how a security
researcher, “cracked the Xbox 360.”
Earlier this week Microsoft issued its monthly patch update fixing vulnerabilities in Microsoft Office,
Internet Explorer and Exchange.