
Nerves rattled by highly suspicious Windows Update delivered worldwide [Updated]

Strange payload raised concerns that Windows Update has been hacked.


Microsoft said a highly suspicious Windows update that was delivered to customers around the world was the result of a test that wasn't correctly implemented.

"We incorrectly published a test update and are in the process of removing it," a Microsoft spokesperson wrote in an e-mail to Ars. The message included no other information.

The explanation came more than 12 hours after people around the world began receiving the software bulletin through the official Windows Update, raising widespread speculation that Microsoft's automatic patching mechanism was broken or, worse, had been compromised to attack end users. Fortunately, now that Microsoft has finally weighed in, that worst-case scenario can be ruled out. What follows is the remainder of this post as it appeared before the company issued its explanation.

This Web search, which queries the random-appearing string included in the payload, suggests that it's being delivered to people in multiple regions. The same unexplained and almost certainly unauthorized patch is being reported in a variety of online posts, including this one hosted by Microsoft. The updates appear to be coming directly from servers that are cryptographically certified to be part of Microsoft's Windows Update system.

"Clearly there's something that's delivered into the [Windows Update] queue that's trusted," Kenneth White, a Washington DC-based security researcher, told Ars after contacting some of the Windows users who received the suspicious update. "For someone to compromise the Windows Update server, that's a pretty serious vector. I don't raise the alarm very often but this has just enough characteristics of something pretty serious that I think it's worth looking at."

White is still trying to obtain a copy of the binary file that gets delivered to people receiving the update. He plans to run it in a restricted environment to see exactly how it gets delivered and what it does once it's installed. One person reported that the update won't download. White said for those who can get the download to work, the payload should be located at c:\windows\msdownload\update\software\defu\2015\09\testexe_xxxxxxx.exe (where xxxxxxx are the random-appearing characters found in the update bulletin). A Microsoft spokesman said company officials are investigating the reports.
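For readers who want to check their own machine before deciding what to do, the following PowerShell snippet is an added example (not code from the article or from Microsoft). It looks in the directory the article names, lists any file matching the testexe_*.exe pattern, and reports its size, SHA-256 hash and Authenticode signature status, which is the first thing an analyst would want to know about an unexpected update payload. The directory path is taken as reported above and is assumed to be correct for the affected systems; run it from an elevated prompt, and do not execute the file itself.

```powershell
# Added example, not from the article: inventory any testexe_*.exe payload in the
# directory the article reports and show whether it carries a valid Microsoft signature.
$dir = 'C:\Windows\msdownload\update\software\defu\2015\09'   # path as reported in the article

if (Test-Path -Path $dir) {
    Get-ChildItem -Path $dir -Filter 'testexe_*.exe' -File | ForEach-Object {
        # Get-AuthenticodeSignature reports Valid / NotSigned / HashMismatch / UnknownError etc.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            SizeBytes = $_.Length
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    } | Format-List
}
else {
    Write-Output "Directory not present: $dir (no payload downloaded on this machine)"
}
```

A signature status other than Valid, or a signer subject that is not a Microsoft certificate, is the point at which the file should be treated as untrusted and preserved for analysis rather than run; a Valid Microsoft signature, as turned out to be the case here, indicates the file came through the normal signing pipeline even if its publication was a mistake.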

One user has reported installing the update and finding that it rendered the computer largely inoperable.

"My laptop was screwed after the update," the user, ByGodZombie, reported in a comment to this post. "Windows explorer crashes VERY frequently now and most of my programs stopped working even in admin mode. System restore didn't work and I don't have the information I need for a reinstall. Basically whatever it was killed my system and compromised my gear so I wouldn't want to look up anything sensitive to personal data on your machine."

Assuming the worst, that Windows Update has been compromised, it wouldn't be the first time. The Flame malware reportedly developed by the US and Israel to spy on Iran hijacked Windows Update so it could spread from one PC to another inside infected local networks. Earlier this year, researchers demonstrated an attack on the Windows Update servers that large organizations use to patch the fleets of computers they operate.

It's still extremely early in the investigation into this unusual behavior. So far, all the accounts viewed by Ars report the update being delivered to computers running Windows 7. That may or may not mean the patch is limited to that version. The explanations run the gamut from a bug to a malicious attack that has compromised one of the world's most widely used software update mechanisms. For the moment, readers who receive this update should not install it unless they are highly experienced computer users and researchers. This post will be updated as new information becomes available.

Post updated throughout to report explanation issued by Microsoft that the suspicious payload was the result of a test update.

Listing image by Robert Scoble / Flickr
