Windows 7 Update appears to be compromised?

These are the details of the "Important" update which I received this morning, 4:30 AM MT.  Copied to Notepad:

(appears to be a language pack?  4.3 MB)

______________________________________________________

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL

Download size: 4.3 MB

You may need to restart your computer for this update to take effect.

Update type: Important

qQMphgyOoFUxFLfNprOUQpHS

More information: 
https://hckSLpGtvi.PguhWDz.fuVOl.gov
https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu

Help and Support: 
https://IIKaR.ktBDARxd.plepVV.PGetGeG.lfIYQIHCN.mil

________________________________________________________________________

Did NOT install.  After my MSE definitions updated, I repeated Windows Update.  The above 'important' update did not reappear???

Did MS servers get compromised?

Thank you


Actually, given the way patches are digitally signed and have to match up with a Microsoft cert authority, while one never says anything is impossible, one can't inject something into the update without first compromising the entire OS's cert checking process.  And in this case, an attacker would be REALLY stupid to go through all that trouble to compromise the cert checking process and then blow it on the actual attack sequence.

This is true. Unfortunately, that system has indeed already been compromised at least once. http://www.wired.com/2012/06/flame-microsoft-certificate/ 

People can reasonably be concerned and mistrust their computers until they get a clear answer.


People can reasonably be concerned and mistrust their computers until they get a clear answer.

Agreed.

MS are obliged to say something.


That's the Flame malware I refer to, which got on systems via USB flash drives.  It wasn't trivial at all to compromise the system, and since then the manner in which they tricked the systems (a TS server that generated bogus Microsoft CA certs) has been removed and there's been a metric boatload of CA / root cert / WU hardening done in the meantime, so that the manner in which that attack occurred then can't be replicated now.

https://social.technet.microsoft.com/Forums/office/en-US/18eeca65-21e1-42df-b882-8c1b099f1a7f/updates-needing-files-2-downloaded-133254-mb-of-133305-mb?forum=winserverwsus

Note that thread.  See the same pattern of the funky server name, the rr1winwusfs04 referred to?  Back in August there was a similar issue where a "test update for supersedence" was released.  Again, my gut is still telling me this is not nefarious.


People can reasonably be concerned and mistrust their computers until they get a clear answer.

Completely agree, and they should. Something like this is extremely concerning, especially with something that just doesn't look quite right. Windows Update getting compromised, or any indication that it potentially could be, is highly concerning.


Same here.  Looks to be the exact same pieces as well.  On mine, the last update I went through was 9/28, when everything was reported as "up to date"; it had installed Definition Update for Windows Defender KB915597 (Definition 1.207.973.0).

Today I saw two updates available - Definition Update for Windows Defender KB915597 (Definition 1.207.1296.0) and this Language Pack.  I disabled the language pack and marked it "hidden".

I also ran SuperAntiSpyware and MalwareBytes anti-malware with databases updated this morning and they found nothing.  I'll run Windows Defender and FortiClient next.

gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL

Download size: 4.3 MB

You may need to restart your computer for this update to take effect.

Update type: Important

qQMphgyOoFUxFLfNprOUQpHS

More information: 
https://hckSLpGtvi.PguhWDz.fuVOl.gov
https://jNt.JFnFA.Jigf.xnzMQAFnZ.edu

Help and Support: 
https://IIKaR.ktBDARxd.plepVV.PGetGeG.lfIYQIHCN.mil


Don't panic: Microsoft mistakenly posted a 'test' Windows update patch | ZDNet:
http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/

A Microsoft spokesperson confirmed Wednesday that it had "incorrectly published a test update" and is in the process of removing it.


It didn't get compromised. 

Don't panic: Microsoft mistakenly posted a 'test' Windows update patch | ZDNet:
http://www.zdnet.com/article/microsoft-accidentally-issued-a-test-windows-update-patch/

A Microsoft spokesperson confirmed Wednesday that it had "incorrectly published a test update" and is in the process of removing it.


Fun Fact: SuperAntiSpyware is junk.  I worked for the company that makes the software (support.com), and they have a division that provides over-the-phone PC support.  That department is not allowed to use SuperAntiSpyware.  Their main antimalware is MalwareBytes 1.75.  I wouldn't recommend using a product that the parent company doesn't even put faith in.


This is true. Unfortunately, that system has indeed already been compromised at least once. http://www.wired.com/2012/06/flame-microsoft-certificate/ 

That's an inaccurate statement. Microsoft Update was not compromised; Flame used a man-in-the-middle attack and a bogus certificate.


Technically, if you wanted to insert malicious software into an update that is signed, one way to do it might be to find a nonsense piece of text that, when hashed, appears to match an existing hash from other contents.

That's the reason MD5 is useless now - you can pad almost any data to make it have almost any MD5 that you like if you spend enough time.


But, I have to admit, it sounds more like corruption, junk, internal testing, a mistake, etc. than anything else.  But WE cannot be sure.  Only MS can provide that answer.  It wouldn't be unusual for a false Microsoft cert to be signed by some high-up certificate authority "for testing" which leaks out and allows someone to generate a valid, signed update with whatever they wanted in it.

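The posts above argue about what a signature check does and does not buy you, but the check itself is something any user can run on a downloaded package before installing it. The following PowerShell is an added example for this thread, not code anyone in it posted: it verifies the Authenticode signature on a downloaded update file, walks the signer's certificate chain so a leaf issued by an unexpected CA stands out, records a SHA-256 of the file for later comparison, and lists recent Windows Update history through the Windows Update Agent COM API so a garbled title can be matched to a KB number. The file path is a placeholder; the `SignerIsMicrosoft` heuristic (a subject match on `O=Microsoft Corporation`) is this example's own assumption, not a documented Microsoft check. It needs Windows PowerShell 4 or later for Get-FileHash, which Windows 7 SP1 gets via WMF 5.1.

```powershell
# Added example (not from the thread): inspect a downloaded update before installing it.
param(
    # Placeholder path; replace with the package you actually downloaded.
    [string]$Path = 'C:\Temp\downloaded-update-PLACEHOLDER.msu'
)

function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # Authenticode verification checks the embedded file hash against the signed one
    # and chains the signer to a trusted root; tampering or an untrusted signer
    # shows up as a Status other than 'Valid' (HashMismatch, NotSigned, UnknownError ...).
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath

    $result = [ordered]@{
        Path          = $FilePath
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        Thumbprint    = $sig.SignerCertificate.Thumbprint
        TimeStamper   = $sig.TimeStamperCertificate.Subject
        Sha256        = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    }

    # A valid signature only proves *some* trusted CA vouched for the signer. This
    # assumed heuristic additionally requires the signing subject to be Microsoft.
    $result.SignerIsMicrosoft = ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

    [pscustomobject]$result
}

function Get-SignerChain {
    param([Parameter(Mandatory)][string]$FilePath)

    # Build the full chain (with online revocation checking) so every issuer is visible.
    $cert = (Get-AuthenticodeSignature -LiteralPath $FilePath).SignerCertificate
    if (-not $cert) { return @() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [void]$chain.Build($cert)

    $chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Certificate.Subject
            Issuer   = $_.Certificate.Issuer
            NotAfter = $_.Certificate.NotAfter
            Status   = ($_.ChainElementStatus | ForEach-Object StatusInformation) -join '; '
        }
    }
}

function Get-RecentUpdateHistory {
    param([int]$Count = 20)

    # Windows Update Agent COM API: what the agent actually installed, with result codes
    # (2 = Succeeded, 3 = Succeeded with errors, 4 = Failed, 5 = Aborted).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()

    $searcher.QueryHistory(0, [Math]::Min($total, $Count)) |
        Select-Object Date, Title, ResultCode,
            @{ Name = 'KB'; Expression = { ($_.Title | Select-String -Pattern 'KB\d+').Matches.Value } }
}

Test-UpdateSignature -FilePath $Path | Format-List
Get-SignerChain -FilePath $Path | Format-Table -AutoSize
Get-RecentUpdateHistory | Format-Table -AutoSize
```

Run it from an elevated prompt against the saved package. A `Status` of `Valid` with a Microsoft leaf and a chain ending in a Microsoft root is the expected outcome for a genuine update; anything else (an unsigned file, a hash mismatch, or a valid signature from an unrelated but trusted CA, which is the scenario the collision and "test cert" posts above worry about) is what the output is designed to make visible.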


Question Info

Last updated July 16, 2019. Views: 64,962.