Security researchers have warned that malicious insiders could take advantage of a previously overlooked issue in Windows Update to compromise their entire corporate network in one go.
London-based Context Information Security said in new research that the problem boils down to a configuration problem.
The default install for Windows Server Update Services uses HTTP rather than the more secure SSL-encrypted HTTPS. This means that an insider with low privilege access rights could install fake updates automatically.
These could download info-stealing malware or even be used to set up a privileged account to wreak more havoc on the corporate network.
Principal consultant Paul Stone told Infosecurity by email that the issue is wide reaching.
“It's not really a flaw in Windows client machines - i.e. the machines fetching updates from WSUS,” he explained. “It's a problem with how the WSUS server is configured. So any version of Windows can be affected if it's not using SSL to connect WSUS, including Windows 10.”
However, it is easily resolved, by switching on HTTPS. Firms can check if they are exposed by looking at WSUS group policy settings, or at the registry keys for individual machines, Context explained.
The same research also raises concerns over security vulnerabilities introduced into Windows by some of the thousands of third party USB drivers available for download.
“Everyone is familiar with the 'searching for Drivers' and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats,” said Stone.
According to PwC’s 2015 Information Security Breaches Survey, some 10% of responding organisations claimed that a breach of their systems was caused by malicious insiders, compared to 26% who put the breach down to an accident by staff or contractors.
However, the insider threat remains one of the most difficult to guard against. It was highlighted again last week when Clearswift found that a quarter of employees would happily risk a criminal record and dismissal by selling sensitive corporate data for just £5,000.