1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Windows 10 to get peer-to-peer patching

Discussion in 'Article Discussion' started by Gareth Halfacree, 16 Mar 2015.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,572
    Likes Received:
    1,902
  2. Madness_3d

    Madness_3d Bit-Tech/Asus OC Winner

    Joined:
    26 Apr 2009
    Posts:
    1,038
    Likes Received:
    34
    Security? Surely a would be hacker could just create an exploit and then get other Win 10 machines to share it and then stop themselves receiving further updates? MS then have to spread out a competing update through whats left of the network to avoid it spreading further. At which point the hacker owns the machines he hit. I'm sure people will say it can't be done, but this is MS's competency vs all those who are keen to exploit Windows.
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,572
    Likes Received:
    1,902
    The updates will be digitally signed - just like the current updates are. A client attempts to distribute a modified patch, the signature is no longer valid, boom: modification rejected. A P2P distribution system is no more vulnerable to this kind of injection than a traditional web-based distribution system (which, without digital signing, would be vulnerable to a man-in-the-middle attack.)
     
  4. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,163
    Likes Received:
    141
    I dunno. Doesn't peer to peer reduce the complexity of such an attack by removing the man in the middle component. So if someone discovers a zero day on the distribution system. They can develop the attack then sit back and wait.With no need to specifically target someone.
     
  5. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,572
    Likes Received:
    1,902
    I disagree, for a couple of reasons.

    The first reason I've already explained: the updates are digitally signed. There are two ways to break that: one is to steal the private key from Microsoft, which should be impossible if they're doing their jobs rights; the other is to have more computing power than god and spend from now until the heat-death of the universe factoring large prime numbers. (Of course, there is a third way: trick a client system into trusting your certificate as valid, a la Superfish. You'd need to do that before distributing your malicious update, though, and if you've got that kind of access to the target system why would you bother distributing a malicious update through official channels in the first place?)

    The second reason is that P2P is surprisingly robust. To distribute a malicious update through a traditional web-based system, like Windows Update is now and assuming you've got around reason one above, you'd need to either hack the website (everyone gets your malicious update) or sit between your target and the real website (only your targets get your updates.) A P2P system works by splitting a file into numerous little chunks and downloading each chunk from a different source (I'm simplifying here, I know, but bear with me.) If I wanted to inject a malicious update into an existing P2P torrent ('torrent' here being used to describe any P2P file transfer, not just a BitTorrent connection) then I'm in trouble: even if I replace the entire genuine update with my malicious version locally, remote clients will only download bits of my malicious update while getting bits of the genuine update elsewhere. At best, all I've done is corrupt the update - and once that corruption has been detected will have my client banned from the P2P network as a result.

    Could an attacker discover a zero-day vulnerability in the P2P distribution system and the digital signing system and push their own update that registers as valid? Sure, that's theoretically possible. They could also discover a zero-day vulnerability in the web-based distribution system and the digital signing system and push their own update to that which registers as valid. A move to P2P shouldn't reduce the security of the system one iota, and if properly implemented could even improve the security by removing the single point of failure Windows Update currently has.

    That's my take on things, anyway. I think it's a great idea, and one I wouldn't mind seeing other operating system stealing.

    EDIT: Oh, and as the story points out: you can limit it to sharing updates with machines only on your local network, which does away with security concerns (valid or otherwise) altogether. Imagine: next time there's a 3GB patch, you only need to wait for it to download once and then it magically appears on all your systems near-simultaneously. Bliss!
     
  6. Mr_Mistoffelees

    Mr_Mistoffelees The Lunatic on the Grass.

    Joined:
    26 Aug 2014
    Posts:
    1,877
    Likes Received:
    380
    .
     
    Last edited: 16 Mar 2015
  7. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,302
    Likes Received:
    321
    Not only what Gareth said but doesn't all P2P depend on creating a hash for each file being distributed, if the file is modified the hash's no longer match.
     
  8. RedFlames

    RedFlames ...is not a Belgian football team

    Joined:
    23 Apr 2009
    Posts:
    11,371
    Likes Received:
    1,399
    Firstly the p2p update can be turned off, so if there is an issue or you're a bit tinfoil hat you can just disable it...

    And as Gareth points out [and as I've said elsewhere on the forum] - this is good for households/offices with multiple PCs, download one copy of the update and p2p it to the rest... WSUS without the hassle [or expense]...
     
  9. Atomic

    Atomic Gerwaff

    Joined:
    6 May 2002
    Posts:
    9,646
    Likes Received:
    94
    This will likely make use of Microsoft's existing BranchCache technology as this does local P2P distribution of content retrieved from an upstream source.

    In a simplified form BC works like this:

    1. The BranchCache Content Server (BCS) breaks content into blocks with unique hashes for each block.
    2. A BranchCache client requests content from the BCS. The BCS responds with a list of blocks and hashes.
    3. The client queries local peers for any of the blocks.
    4. If the blocks are found on the local subnet, they are retrieved from peers.
    5. If the any block is not available from a peer, it is retrieved from the BCS. Once retrieved, it is made available to peers.

    The only difference to the current system is that only one client (initially) gets the update from the internet and subsequent clients share that data locally.

    Security wise it's no different to the existing method, as the client has to assemble the update from the blocks it receives and then performs the same verification of the update signing that it always has.
     
  10. Madness_3d

    Madness_3d Bit-Tech/Asus OC Winner

    Joined:
    26 Apr 2009
    Posts:
    1,038
    Likes Received:
    34
    I agree with the above and it will definitely be a godsend in the LAN use case.

    On the security case, I wasn't referring so much to modifying an existing update, as you say P2P would make that effectively impossible, but more about releasing a standalone malicious update.

    You're right that the Digital signing issue is shared by both approaches, but my concern was that should you bypass it somehow, either you steal it from MS or discover that key 0 always evals to true etc, you can now begin to spread that malicious update from any machine in the world.

    In the current setup you'd have to compromise the Windows Update servers, or redirect the DNS to you're own, which given my thought process above wouldn't have been an issue in the P2P setup.

    Having read other comments though it seems like that's been well taken care of. Forgive me for being overly sceptical of Microsoft's Security efforts whenever something new is announced :p
     
  11. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    12,572
    Likes Received:
    1,902
    No, you can't. Well, to rephrase, you shouldn't be able to. Peer-to-peer networks are rarely completely decentralised: most rely on a 'tracker' which keeps, well, track of what systems claim to have what portions of the file. So, Microsoft releases BigFix01 for Windows 10 and creates an entry on the Windows Update tracker; the client systems contact the tracker, get pointed towards their nearest peers with portions of the file, and the download progresses. You also need to know there's a file available in the first place: for naughtywarez that'd be through The Pirate Bay or similar; for Windows Peer-to-Peer Updates, that'd be through a Microsoft webserver hosting a list of available patches for a given version of Windows.

    Now, Mr. Naughtyguy creates BadFix01 and - through some hand-waving magic - signs it as valid using Microsoft's private key. He still needs to create an entry on the Windows Update list and associated tracker that says "Hey, clients, here's a real and not at all malicious update that's totally from Microsoft no I mean honest really" in order for it to be distributed to the clients. This should be as impossible as Mr. Naughtyguy creating an entry on the Windows Update website to distribute the self-same BadFix01 malware.

    Put it this way: any credible attack which would work against a properly implemented P2P patch distribution system would also work against the system we have now.
     
  12. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,163
    Likes Received:
    141
    When it comes to cryptographic things:
    [​IMG]
    Generally coming in the front door is not the best approach.

    Your point about the fragmented file is more compelling really, that is assuming that an attacker can't place malicious code within a file fragment. It also assumes that it is the file that would be manipulated and not the distribution mechanism or peer network. Maybe its impossible, I don't have the knowledge to determine that one way or another.

    I'd probably turn it off as it doesn't offer a compelling reason to keep it on. I've never found the need to have faster updates. Which are frankly a pain in the arse. Necessary. But still a pain in the arse.
    I'd be ok with updates coming at 10th whatever speed the currently do. I just let the quitely down load in the background and trigger the install whenever they are ready. This feature only really benefits Microsoft.
     
    Last edited: 16 Mar 2015
  13. mi1ez

    mi1ez Active Member

    Joined:
    11 Jun 2009
    Posts:
    1,437
    Likes Received:
    18
    This. This is what I'm looking forward to!
     
  14. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    2,899
    Likes Received:
    215
    Screw security concerns: If Microsoft think I'm going to let them leach some of my precious pitiful ADSL upload speed so some smug git with 160Meg cable can update a few seconds quicker (and they can in turn save money on bandwidth), they can think again :)

    I like the idea of sharing updates over LAN though.
     
  15. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,302
    Likes Received:
    321
    I know what you posted was meant in jest but i can't fight the urge. :duh:

    As they can't drug and beat the passwords out of the whole country there still aiming to get around that annoying cryptographic thing, everyone can sleep well at night though as TPB that provide oversight don't understand the technical details of what there doing so they just let them.

    So it amounts to we don't understand what there doing so we just trust that there doing the right thing. :jawdrop:
     

Share This Page