I heard that hackers can make you download their malicious software by telling you that it is an update of the operating system through Windows Update. Is it true? If yes, how can I protect myself?


Solution 1:

It is nearly impossible for an ordinary hacker to send you something through the Windows Update system.

What you heard is different though. It's spyware that looks like it's Windows Update and tells you to install it. If you then click install, a UAC prompt pops up asking for administrative privileges. If you accept that, it can install spyware. Do note that Windows Update will NEVER require you to pass a UAC elevation test. This is not required as the Windows Update service runs as SYSTEM, which has the highest privileges. The only prompt you'll get during Windows Update installations is approving a license agreement.

EDIT: made changes to the post because the government may be able to pull this off, but I doubt that, as a normal citizen, you can protect against the government anyway.

Solution 2:

Yes, it's true.

The Flame malware attacked users via a flaw in the Windows updating process. Its creators found a security hole in the Windows updating system that allowed them to fool victims into thinking that their patch, which contains malware, is an authentic Windows update.

What could the targets of the malware do to defend themselves? Not much. Flame went years being undetected.

However, Microsoft has now patched the security hole that allowed Flame to hide itself as a Windows update. That means hackers either have to find a new security hole, bribe Microsoft to give them the ability to sign updates, or simply steal the signing key from Microsoft.

An attacker additionally has to be in a position in the network to run a man-in-the-middle attack.

That means in practice this is only an issue that you have to worry about if you think about defending against nation-state attackers like the NSA.
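
Added example (not part of either answer): a PowerShell check you can run on a file that claims to be a Windows update before approving any UAC prompt for it. The function name `Test-UpdateSignature`, the sample path, and the policy of flagging MD5 and SHA-1 certificates are assumptions made for this illustration.

```powershell
# Added example: inspect the Authenticode signature of a file that claims
# to be a Windows update. Test-UpdateSignature is a hypothetical helper name.
function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)][string]$Path   # file to inspect
    )

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    # 1. The signature must exist and verify against the local trust store.
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)'"
    }

    $cert = $sig.SignerCertificate
    if ($null -ne $cert) {
        # 2. The signer should be Microsoft. A subject match is a heuristic
        #    on top of the status check above, not proof on its own.
        if ($cert.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += "Unexpected signer: $($cert.Subject)"
        }

        # 3. Walk the chain and flag weak hash algorithms
        #    (assumed policy: MD5 and SHA-1 count as weak).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($cert)
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            # A self-signed root is trusted by its presence in the store,
            # not by its own signature, so skip it.
            if ($c.Subject -eq $c.Issuer) { continue }
            $alg = $c.SignatureAlgorithm.FriendlyName
            if ($alg -match 'md5|sha1') {
                $findings += "Weak algorithm '$alg' on $($c.Subject)"
            }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (the path is a placeholder):
# Test-UpdateSignature -Path 'C:\Users\me\Downloads\update.exe'
```

A `Trusted` value of `$false` on something presenting itself as a Windows update is a reason to decline the elevation prompt and run Windows Update from Settings instead.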