![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Your Windows Update system can be compromised
Not pleasant news.
"At least one program is in circulation that can hijack a key component of Windows Update to introduce malicious software that could be used to hijack a computer.
The method bypasses users' firewall, allowing files to download undetected.
Microsoft said it was aware of reports of the attack."
Now, for this to work, you must first have fallen for a social engineering attack and downloaded a program that has infected your computer and thus compromised the Windows BITS subsystem that is used by the Windows Update process. As one expert pointed out, at that point, the fact that your Update system has been compromised is irrelevent because you've already allowed your computer to be compromised.
My suggestion, regardless of this hack, is to have your update settings configured to download the updates but to not install them until you tell it to.
http://news.bbc.co.uk/2/hi/technology/6657677.stm
(yes, I said I'd try not to dupe posts to my other blog, but I think this is important enough to merit duping.)
"At least one program is in circulation that can hijack a key component of Windows Update to introduce malicious software that could be used to hijack a computer.
The method bypasses users' firewall, allowing files to download undetected.
Microsoft said it was aware of reports of the attack."
Now, for this to work, you must first have fallen for a social engineering attack and downloaded a program that has infected your computer and thus compromised the Windows BITS subsystem that is used by the Windows Update process. As one expert pointed out, at that point, the fact that your Update system has been compromised is irrelevent because you've already allowed your computer to be compromised.
My suggestion, regardless of this hack, is to have your update settings configured to download the updates but to not install them until you tell it to.
http://news.bbc.co.uk/2/hi/technology/6657677.stm
(yes, I said I'd try not to dupe posts to my other blog, but I think this is important enough to merit duping.)
no subject
I don't even have my notification set for as much as you suggest - I just have my computer tell me when there's updates, and then I choose what to download and install. It's an extra step, but it makes my paranoia rest a little easier. And it helps to know that Microsoft generally only offers updates on the second Tuesday of the month: http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx