WUDO or WUDON’T

A few weeks ago, as part of a GAP analysis for an upcoming PCI (Payment Card Industry) compliance audit, I was examining all of the network traffic passing between the client’s PCI network (in scope), and the regular corporate network (not in scope).  This gets a little wonky, but let me take a moment to provide a little background.  This particular client processes a huge volume of credit card transactions, so they are required by their card processing company to pass an annual compliance audit.  Because card processing systems are typically connected in some way to other parts of the corporate IT infrastructure, establishing what part of the infrastructure that is “in scope” is very important, as only the “in scope” part of the infrastructure is audited.  We do this type of work fairly often for our clients, as it falls well within our expertise from an IT perspective, and often we are managing both the PCI and corporate networks.

So, back to what I discovered.  We examine network traffic passing between the card processing network and the corporate network to confirm that access has been restricted.  The idea is that if the corporate network is breached in some way, the hackers cannot get to PCI data.  During this process, I discovered some network traffic between Windows 10 workstations that I could not readily explain.  After digging a little deeper, I discovered a “feature” in Windows 10 that I was not aware of, something I was not happy about.  Baked into Windows is a new technology Microsoft dubbed “Windows Update Delivery Optimization” (WUDO) that is turned on by default for all editions of Windows 10.  WUDO is a new windows service designed to deliver Microsoft updates from PC’s that have already been updated.  WUDO functionally resembles BitTorrent and uses peer-to-peer network connections to spread the load for supplying Windows updates to PCs rather than relying on Microsoft’s centralized Windows Update servers.  Depending on your version of Windows, WUDO can provide updates only to other PCs on your local network, or PCs that are actually out on the internet (a whole separate problem).

WUDO was not really a secret, as Microsoft mentioned peer-to-peer update delivery back in 2015 as a new feature for Windows 10 Update for Business.  Users can disable WUDO entirely or limit its reach by changing settings in Windows 10.

After giving some thought to how this service works, the network traffic that gets generated between PC’s, and the potential opportunities that might provide to the hacking community, we have opted to disable this service from every Windows 10 workstation that we manage.  It doesn’t take a genius to wonder what would happen if one of the distribution PCs gets hacked, and someone figures out how to modify the cached updates.  Even if this service cannot be used to infect other machines, it seems like it could also be used as a “denial of service” attack where a corrupted update is distributed to a larger group of machines that causes those machines to blue screen or not boot.

We take a lot of pride in knowing about these kinds of “features” before they are released by a software manufacturer, so it is a little embarrassing that I was not aware of WUDO, and that as a company, we discovered it by accident.  I was happy that we discovered it during an audit, as that is the reason why auditing is important and actually works.

To borrow a line from a very famous play, “To WUDO or not to WUDO, that is the question”

Our answer – WUDON’T