Wsus server not updating itself
Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable.
“It's a simple case of a common configuration problem,” said Paul Stone, principal consultant at Context.
“Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.” The researchers also said there were security risks around third-party drivers installed via Windows update.
There are more than 25,000 potential USB drivers that can be downloaded – although this list includes many duplicates, generic drivers and obsolete versions.
But for those that don't it presents an opportunity for an administrator to compromise complete corporate networks in one go.” The hack was demonstrated at the Black Hat security conference in Las Vegas.
“We have started to download and investigate some 2,284 third-party drivers,” said Stone.
“Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes.
I do have administrator account for local computer.
The reason MS doesn't allow both is because that defeats the whole purpose of a WSUS server on a domain.
“Let's makes something crystal clear – there's no excuse for this one, it's all down to correct configuration,” said Hanna.