January 8th, 2021 8:41 am

SolarWinds, Solorigate, and what it means for Windows updates: Why Anti-virus and Anti-Malware Software is Vital

Following the recent hack on Solar Winds that affected millions, check out this article recently posted on Computer World, by Susan Bradley:

Microsoft recently announced that its Windows source code had been viewed by the SolarWinds attackers. (Normally, only key government customers and trusted partners would have this level of access to the “stuff” of which Windows is made.) The attackers were able to read – but not change – the software secret sauce, raising questions and concerns among Microsoft customers. Did it mean, perhaps, that attackers could inject backdoor processes into Microsoft’s updating processes

First, a bit of background on the SolarWinds attack, also called Solorigate: An attacker got into a remote management/monitoring tool company and was able to inject itself into the development process and build a backdoor. When the software was updated through the normal updating processes set up by SolarWinds, the backdoored software was deployed into customer systems — including numerous US government agencies. The attacker was then able to silently spy on several activities across these customers. 

One of the attacker’s techniques was to forge tokens for authentication so that the domain system thought it was getting legit user credentials when, in fact, the credentials were faked. Security Assertion Markup Language (SAML) is regularly used to transfer credentials securely between systems. And while this single sign-on process can provide additional security to applications, as showcased here, it can allow attackers to gain access to a system. The attack process, called a “Golden SAML” attack vector “involves the attackers first gaining administrative access to an organization’s Active Directory Federation Services (ADFS) server and stealing the necessary private key and signing certificate.” That allowed for continuous access to this credential until the ADFS private key was invalidated and replaced.

Currently it’s known that the attackers were in the updated software between March and June 2020, though there are signs from various organizations that they may have been quietly attacking sites as long ago as October 2019. 

Microsoft investigated further and found that while the attackers were not able to inject themselves into Microsoft’s ADFS/SAML infrastructure, “one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made.”  This is not the first time Microsoft’s source code has been attacked or leaked to the web. In 2004, 30,000 files from Windows NT to Windows 2000 leaked onto the web via a third party.  Windows XP reportedly leaked online last year.

While it would be imprudent to authoritatively state that the Microsoft update process can never have a backdoor in it, I continue to trust the Microsoft updating process itself — even if I don’t trust the company’s patches the moment they come out. The Microsoft updating process depends on code-signing certificates that have to match up or the system will not install the update. Even when you use the distributed patch process in Windows 10 called Delivery optimization, the system will get bits and pieces of a patch from other computers on your network – or even other computers outside of your network – and recompile the entire patch by matching up the signatures. This process ensures that you can get updates from anywhere — not necessarily from Microsoft — and your computer will check to make sure the patch is valid. 

There have been times when this process has been intercepted. In 2012, the Flame malware used a stolen code-signing certificate to make it look as if it came from Microsoft to trick systems into allowing malicious code to be installed. But Microsoft revoked that certificate and increased the security of the code-signing process to ensure that the attack vector would be shut down.

Microsoft’s policy is to assume that its source code and network is already compromised and thus it has an “assume breach” philosophy. So when we get security updates, we don’t just receive fixes for what we know; I often see vague references to additional hardening and security features that help users going forward. Take, for example, KB4592438. Released for 20H2 in December, it included a vague reference to updates to improve security when using Microsoft Edge Legacy and Microsoft Office products. While most of each month’s security updates specifically fix a declared vulnerability, there are also parts that instead make it harder for attackers to use known techniques for nefarious ends.


Did you like this article? Share it with your friends!