Windows 7 Update appears to be compromised?

This links to a Microsoft support thread in which several users are reporting a suspicious update distributed through Windows Update. In lieu of a title and description, the update has 108-character and 24-character base52-encoded random numbers. In lieu of &quot;more information&quot; and &quot;help and support&quot; links, it has similarly random base52-encoded domains, which currently do not resolve, in .gov, .edu and .mil. Searching for the patch title turns up a bunch of people asking about the same suspicious patch on other sites, all within the past day. The update is attracting attention because it fails to install.<p><a href="http:&#x2F;&#x2F;security.stackexchange.com&#x2F;questions&#x2F;101520&#x2F;weird-windows-update" rel="nofollow">http:&#x2F;&#x2F;security.stackexchange.com&#x2F;questions&#x2F;101520&#x2F;weird-win...</a> <a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;techsupport&#x2F;comments&#x2F;3mykv1&#x2F;weird_windows_update&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;techsupport&#x2F;comments&#x2F;3mykv1&#x2F;weird_w...</a><p>This does strongly suggest a compromise of the Windows Update servers or of some bit of infrastructure that connects people to them, but also suggests that whoever the attackers are, they made a mistake - a successful compromise executed correctly would not leave so much evidence around. It&#x27;s quite possible that they&#x27;ve been compromised for awhile, and this is a buggy update to the existing malware.

Confirmed that it was a test update: <a href="http:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;microsoft-accidentally-issued-a-test-windows-update-patch&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;microsoft-accidentally-issued-a...</a>

Don&#x27;t panic, it was just a boo-boo:<p><a href="http:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;microsoft-accidentally-issued-a-test-windows-update-patch&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;microsoft-accidentally-issued-a...</a>

If someone has managed to compromise Windows Update (which I doubt seriously based on what&#x27;s presented here), why on Earth would they not bother to come up with text more convincing than the garbage on display here?

There is a chance that the machines affected were already compromised by malware which altered the way Windows Update was working.

Does anyone have a copy of the 4.3MB file that this refers to? If so, please: (1) submit it to VirusTotal, and (2) post it here.

I&#x27;ve been deploying Microsoft based computer networks for 18 years... this would nearly top my nightmare list! I can&#x27;t imagine what the alert level is at MS offices right now, but I bet they are expending every effort to get to the bottom of this ASAP :&#x2F;

<a href="http:&#x2F;&#x2F;arstechnica.com&#x2F;security&#x2F;2015&#x2F;09&#x2F;nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide&#x2F;" rel="nofollow">http:&#x2F;&#x2F;arstechnica.com&#x2F;security&#x2F;2015&#x2F;09&#x2F;nerves-rattled-by-hi...</a>

Just to state the obvious, .gov, .edu, and .mil are all restricted TLDs run by the US. What kind of attacker uses domain names in their attack that they can&#x27;t register?<p>Unless, of course...<p>But that would be a wee bit obvious.

This is probably just a test update that went out by mistake.<p>If MSFT is anything like where I work, that &quot;payload&quot; is a picture of a cat.

Looks more like an internal flub: &quot;&#x2F;&#x2F;⁠rr1winwusfs04&#x2F;⁠c&#x2F;⁠msdownload&#x2F;⁠update&#x2F;⁠software&#x2F;⁠defu&#x2F;⁠2015&#x2F;⁠09&#x2F;⁠testexe_896e3a62-⁠8954-⁠447b-⁠5a562bd65cc6_d5e430cb05ee8a627ee6d811da8d7c4ccea57f4b.exe&quot;<p>That being said, that something like this could happen should raise lots of questions about the amount of oversight on updates hitting windows, and the general security of such systems. I&#x27;ll wait for an official response or a reverse engineer before I decide what&#x27;s going on here.

I&#x27;d be surprised if an attacker would waste a compromise with something obvious. Perhaps it&#x27;s some testing thing that wasn&#x27;t supposed to go out.

Where&#x27;s Microsoft on this? This is on two news outlets as well as HN. Microsoft PR needs to issue a statement in the next hour or two, even one that just says they&#x27;re investigating the issue, or it will be on the evening TV news.

Could it be a man in the middle that tries to install updates that aren&#x27;t signed by Microsoft? It reminds me of this: <a href="http:&#x2F;&#x2F;www.leviathansecurity.com&#x2F;blog&#x2F;the-case-of-the-modified-binaries&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.leviathansecurity.com&#x2F;blog&#x2F;the-case-of-the-modifi...</a> .

Not seeing anything on my Win7Pro SP1 VM - last update was 4.3MB VC++ 2008 Security fix - MFC applications being vulnerable to DLL planting due to MFC not specifying the full path to system&#x2F;localization DLLs.

I haven&#x27;t seen any randomly-named updates on my system - but I had earlier ripped out all the telemetry and Windows 10-related crap (KB2952664, KB3021917, KB3035583, KB3068708, KB3075249, and KB3080149) and marked them hidden. I&#x27;ve also set my update policy to notify-only.<p>Now the spy updates are not hidden, and marked as &quot;Important.&quot; They&#x27;re bound and determined to force this crap down our throats. Bastards.<p>&quot;Because f*ck you, that&#x27;s why.&quot; The rallying cry of the corporate world.

Can anyone shed some light on this?

Too many &quot;tests&quot; this month, I&#x27;d say. Test cert, test update... Let&#x27;s hope something worse like &quot;test nuclear strike&quot; won&#x27;t follow.

And the same company doesn&#x27;t allow the users of the Windows 10 Home to review the updates, instead, the Windows 10 Home updates always download and install.

Could it be that older versions of windows (2k3 for example) might allow this update to be installed? Has anyone tested this in a sandbox?

Microsoft sending spyware again?

I&#x27;m worried about friends, family, and small businesses that run Windows with install updates set to automated mode...<p>Shouldn&#x27;t Microsoft be signing updates so that redirection attacks don&#x27;t work?<p>Edit:<p>Elaborating on my question; I mean much more like Linux distributions which sign both packages (updates) and the index of those files. Some distributions use multiple hashs&#x2F;digests to make collision attacks far less likely to succeed.<p>Such an attack could be either the traffic at layer 3 redirected via router compromise, via some name resolution weakness (possibly even to localhost as a way of malware upgrading from being able to edit the hosts file to having system level services).<p>The signing of both the update files and the list of updates could offer protection from an attack that would thus need to be valid for all of the signature checks, not just a single check.