Microsoft's Windows Update has a component called Background Intelligent Transfer Service (BITS) that downloads updates while you're busy doing other things with your computer. If you get disconnected, the update will pick up where it left off when you get back on the network.

Sounds great, right? Well, generally it is. But since BITS is part of your operating system, your firewall doesn't really check to see what it's downloading. And while there is pretty much no risk of automatically downloading a virus or trojan through Windows Update under normal circumstances, hackers are starting to use BITS to download code to computers that have already been affected.
Say you click that file attachment in an email from an unknown source, expecting to see compromising photos of a young starlet. Turns out there's no photo, so you shrug and move on. Next thing you know, your computer's trying to download all sorts of files to capture your passwords. Normally your firewall would help protect your computer from such attacks, but since BITS can fly under the radar, you may be out of luck.
According to a Symantec researcher, there's no way to prevent hackers from using BITS right now, but Microsoft could redesign BITS to require a higher user level in order to work. Or Microsoft could only allow BITS to download files from trusted sources.
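
Until something like that trusted-source restriction exists, you can audit BITS jobs yourself. The PowerShell below is an added example, not code from Microsoft or Symantec: it flags any job whose source URL falls outside an allowlist. The host suffixes, function names and sample jobs are assumptions made up for illustration.

```powershell
# Added example: flag BITS jobs whose remote URLs fall outside an allowlist.
# The suffix list is an assumption for illustration; replace it with your own.
$TrustedSuffixes = @('windowsupdate.com', 'update.microsoft.com', 'download.microsoft.com')

function Test-TrustedBitsUrl {
    param([string]$Url, [string[]]$Suffixes = $TrustedSuffixes)
    $uri = $null
    # Unparseable or non-HTTP(S) sources (such as SMB paths) count as untrusted.
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -notin 'http', 'https') { return $false }
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($suffix in $Suffixes) {
        # Match the exact host or a true subdomain, so that a look-alike such as
        # "windowsupdate.com.example.net" does not pass.
        if ($hostName -eq $suffix -or $hostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Find-UntrustedBitsJob {
    param([Parameter(ValueFromPipeline)]$Job)
    process {
        # One output record per file whose source is not on the allowlist.
        foreach ($file in $Job.FileList) {
            if (-not (Test-TrustedBitsUrl $file.RemoteName)) {
                [pscustomobject]@{
                    JobId  = $Job.JobId; Name = $Job.DisplayName; Owner = $Job.OwnerAccount
                    Remote = $file.RemoteName; Local = $file.LocalName
                }
            }
        }
    }
}

# Constructed sample jobs shaped like Get-BitsTransfer output (not real data).
$sample = @(
    [pscustomobject]@{ JobId = [guid]::NewGuid(); DisplayName = 'WU Client Download'; OwnerAccount = 'NT AUTHORITY\SYSTEM'
        FileList = @([pscustomobject]@{ RemoteName = 'http://download.windowsupdate.com/x/update.cab'; LocalName = 'C:\Windows\SoftwareDistribution\Download\update.cab' }) },
    [pscustomobject]@{ JobId = [guid]::NewGuid(); DisplayName = 'job1'; OwnerAccount = 'PC01\alice'
        FileList = @([pscustomobject]@{ RemoteName = 'http://windowsupdate.com.example.net/file.bin'; LocalName = 'C:\Users\alice\AppData\Local\Temp\file.bin' }) }
)
$sample | Find-UntrustedBitsJob | Format-List   # only 'job1' is reported

# On a live host, from an elevated prompt:
# Import-Module BitsTransfer; Get-BitsTransfer -AllUsers | Find-UntrustedBitsJob
```

A job owned by an ordinary user account and pointing at an unfamiliar host is the thing to look at first, since Windows Update's own jobs run as SYSTEM.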














Reader Comments (Page 1 of 2)
5-11-2007 @ 12:16PM
brian said...
One reason I didn't upgrade to Vista
*rolls eyes*
Good old Windows XP...
5-11-2007 @ 12:17PM
Brad Linder said...
Windows XP also uses BITS.
5-11-2007 @ 12:40PM
Jeffrey McManus said...
This piece is misleading -- it gives people the sense that BITS has a vulnerability when that's not really the case. Putting restrictions on BITS would be a classic example of closing the gate after the cows are out of the barn since it is only meaningful to hackers after the machine has already been compromised. It would make just as much sense to put restrictions on HTTP traffic (i.e., no sense at all).
5-11-2007 @ 1:16PM
Will said...
Linux. Mac.
5-11-2007 @ 1:17PM
LeeH said...
"Or Microsoft could only allow BITS to download files from trusted sources." Please don't tell me they implemented this automated service *without* specifying a trusted source?
Oy.
5-11-2007 @ 1:26PM
Brad Linder said...
Hey, I made it clear in the article that this only affects "computers that have already been affected." I was conscious of the fact that this article could have come off as alarmist. But I honestly couldn't think of a way to convey in a short headline the fact that hackers have found a way to manipulate the service used by Windows Update to download code if and only if they have already managed to infect your computer with a trojan.
5-11-2007 @ 1:28PM
Andre de Cavaignac said...
BITS is just a download service. Once an attacker has infiltrated a system, there are way more ways he could get around the firewall -- on any system, Linux, Mac, Windows -- it doesn't matter. All it does is download files.
As someone said before, the security vulnerability is whatever originally infected the system. Want another way to get around the firewall? Write a plugin that runs in-process of a process that already has access (IE, Outlook, Word, FireFox, Trillian -- whatever accepts plugins)....
5-11-2007 @ 2:26PM
Racetrack-Owner said...
It doesn't come off as alarmist, it comes off as misleading and incorrect. They aren't using "Windows Update" any more than running an MSI to install a trojan would be using "Windows Update" to compromise the machine. The difficulty of coming up with a good headline doesn't justify the misdirection.
How about "Microsoft component used to download malicious code" or "Background Transfer Service used by hackers"? Reasonably descriptive headlines aren't all that difficult to imagine.
5-11-2007 @ 2:28PM
sean said...
Doesn't seem like they would need to use BITS in the first place. If you're dumb enough to open an anonymous attachment once, you're probably dumb enough to open one again.
What's the point of this story anyway? People that blindly open attachments don't read these kinds of articles.
5-11-2007 @ 3:29PM
El Guapo said...
This is nonsense. Once your PC has already been compromised, NOTHING is safe. That's like saying network cards are a security problem because "hackers" use them to "download all sorts of files".
This is just downloadsquad once again trying to flame up some rabid anti-MS stir in another misguided attempt to get page views.
5-11-2007 @ 10:19PM
Sunny said...
heh, they didn't now the BHSZ http://linkyme.com/g2wqek
but they sure did try! lol, nice post.
5-12-2007 @ 8:31AM
mlw4428 said...
The way to use this exploit is to already have compromised the system. In that case it doesn't matter what OS you have...if a hacker has your system compromised then they can do whatever. For once this isn't really Microsoft's fault...they of course could set it up to download only from trusted sources (but it's not like files can't be patched or anything). A good security policy and downloading only from trusted sources is a pretty good way to keep your computer clear. Shitty security practices aren't the fault of Microsoft, but the fault of the user.
I use Linux (Ubuntu Edgy :D) and the same concept applies there.
5-12-2007 @ 8:31AM
Mr Owl said...
The Windows firewall never catches BITS, but Zone Alarm does. It asks every time you connect to the internet whether to allow Windows update (don't know about your settings). And who the hell needs an update of Windows??? It's better being disabled.
5-12-2007 @ 8:31AM
RobotsThink said...
M$ will die of re-working on their OS :)
5-12-2007 @ 1:40PM
foobar said...
This is bunk, alarmist FUD. Guess what, once an attacker has control over your machine they can do whatever they want without BITS. Let us say an attacker has gotten inside your Mac or Linux box by getting your password and installing a virus manually (I won't even get into the argument of attacking to prevent people from trying to hijack the point). Now that they control your account from a running process, can they download some files over http? Yes, yes they can. Ridiculous article.
5-12-2007 @ 7:31PM
Joel said...
This article needs to be renamed. Its title suggests that Windows Update has been compromised.
The Computer World article is also a little more than a little off. BITS is a documented API that Microsoft has made available to programmers. While the use of it to download malicious content is disagreeable, doing so doesn't represent any type of hijacking of a Windows component.
Disabling BITS would cause more trouble than good. It would make it difficult for developers with well intent from being able to easily use it for rapid development and would not prevent a hacker from implementing a similar protocol.
5-12-2007 @ 9:46PM
HakMan said...
Just another avenue of exploitation. No matter what hackers will always find a way in. A necessary evil; without it few issues would get resolved or "patched"
5-12-2007 @ 11:51PM
franksen beanz said...
If you were able to somehow change the DNS entry, maybe with a MITM attack, you should be able to make Windows download from the wrong source without ever directly attacking the Windows machine. You could do this with ettercap fairly easily. Or, if you can take control of their router (if they use one) and the router is providing DNS resolution, that would be another way to do it.
5-12-2007 @ 11:51PM
davenix said...
You need to educate yourself...tard. How about you read a little before posting a doofus opinion based on zero know how.
Douchenozzle.
5-13-2007 @ 8:05PM
Bryan said...
This is 100% spreading FUD (fear, uncertainty, and doubt). The headline is totally misleading - hackers are most definitely NOT using Windows Update to download malicious code - and the article even says so!
BITS is an auto-resuming, auto-throttling FTP client that is used by Windows Update (and other products) to send files over your network connection in the background - so your regular browsing & email is not impacted. It's a very cool service.
Yes, Hackers can use BITS. But first the Hacker has to have control of your machine. BITS is not a way in.
If a burglar breaks into your house through a window then goes and opens the garage door to back up a truck, we're not all going to get rid of our garage doors! We put bars on the windows, or (as Will recommends) move to another neighborhood where no one will try to break in.