
I have looked at and considered "Question about potential ISO infection and ISO verification" and "How do I check the hash of an ISO?"

I've been concerned about security, and I have been reading a lot about Stuxnet and hearing a lot lately about the leaked NSA exploits and the more recent leaked exploits (NYTimes).

This made me consider the importance of a clean installation of Windows and how the Windows install itself could be used as an exploit.

Can an iso downloaded from Microsoft.com with seemingly correct hash truly be 100% safe to use on a Windows machine?

- Is there room for an exploit after a clean download? After the .iso is downloaded, could there be an exploit to:

  • Spoof the SHA1 using something similar to link

  • Trick common software like a hash calculator that checks SHA1 into saying that it is correct even if it is not.
  • Compromise USB/DVD imaging software like unetbootin / win32 disk imager / rufus etc. during the "burning" of the iso.

The .iso would be downloaded from:

https://www.microsoft.com/en-us/software-download/windows7

Windows Resource Protection

Windows Resource Protection aims to protect core registry keys and values and prevent potentially damaging system configuration changes, besides operating system files. (Wikipedia)

  • An answer mentioned that Windows Resource Protection is enough to prevent someone from modifying an iso of Windows. I do not think that is true, because there are plenty of programs to modify Windows ISOs. I fail to see how that will prevent a virus if you can add custom programs to the iso that can run at boot.

    If you can prove that Windows Resource Protection is enough (which I don't think you can after looking at the links below) please explain why in your answer.

    Here are examples of programs that can modify a Windows ISO, just so people know that it is possible and how easy it is: nLite and RT7lite.

LateralTerminal
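As an added illustration of the hash check the question is asking about (example code written for this page, not taken from the linked questions or from Microsoft's tooling), the script below hashes an image as a stream, parses a vendor-style "filename  digest" hash list, and compares in constant time. The sample image, the hash list and the Win7.iso file name are constructed here so the example runs offline; with a real download you would call digest_path() on the .iso and paste the digest from Microsoft's page.

```python
import hashlib
import hmac
import io

CHUNK = 1024 * 1024  # 1 MiB reads: a real ISO is gigabytes, never load it whole


def digest_stream(stream, algorithms=("sha1", "sha256")):
    """Hash a file-like object in one pass, feeding every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=("sha1", "sha256")):
    """Convenience wrapper for in-memory data (used by the constructed sample)."""
    return digest_stream(io.BytesIO(data), algorithms)


def digest_path(path, algorithms=("sha1", "sha256")):
    """Hash a downloaded image on disk, e.g. the .iso from Microsoft's page."""
    with open(path, "rb") as f:
        return digest_stream(f, algorithms)


def parse_hash_list(text):
    """Parse 'filename<whitespace>hexdigest' lines into {filename: digest}.

    Digests are lower-cased; blank lines and '#' comments are skipped.
    File names may contain spaces, so split once from the right."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed hash list line: {line!r}")
        name, digest = parts
        table[name] = digest.lower()
    return table


def verify(actual_hex, expected_hex):
    """Constant-time comparison of two hex digests, case-insensitive."""
    actual = actual_hex.strip().lower().encode()
    expected = expected_hex.strip().lower().encode()
    if len(actual) != len(expected):
        return False
    return hmac.compare_digest(actual, expected)


def check_image(image_bytes, published_sha256):
    """Hash an image and verify it against the published SHA-256.

    Returns (ok, sha1, sha256) so a caller can log both digests."""
    d = digest_bytes(image_bytes)
    return verify(d["sha256"], published_sha256), d["sha1"], d["sha256"]


def tamper(image_bytes, offset):
    """Flip one byte: the smallest change an image-editing tool could make."""
    b = bytearray(image_bytes)
    b[offset] ^= 0xFF
    return bytes(b)


# Constructed stand-in for a downloaded image ("CD001" is the ISO 9660 magic).
SAMPLE_ISO = b"CD001" + bytes(range(256)) * 64

if __name__ == "__main__":
    # The "published" digest is computed from the clean sample here; with a
    # real image it is the value copied from the vendor's download page.
    published = digest_bytes(SAMPLE_ISO)["sha256"]
    table = parse_hash_list(f"# constructed hash list\nWin7.iso  {published.upper()}\n")
    print("clean image matches:", check_image(SAMPLE_ISO, table["Win7.iso"])[0])
    print("tampered image matches:", check_image(tamper(SAMPLE_ISO, 4096), table["Win7.iso"])[0])
```

Two caveats a practitioner would add. First, this answers "was the image modified after the vendor hashed it?", which covers the nLite/RT7lite-style edits the question describes, but it cannot answer "is the hash calculator itself lying?": that concern is only addressed by repeating the check with an independent tool on a separate machine you trust (for instance certutil -hashfile or Get-FileHash on a different Windows box) and comparing the results by eye. Second, compare against SHA-256 wherever the vendor publishes it; SHA-1 is shown above only because that is the digest the question refers to, and practical SHA-1 collisions have been demonstrated since 2017.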

1 Answer


Can an iso be compromised? Sure, it can. What would happen?

Microsoft, to their credit, has gotten a lot better about the security of their operating system. For at least 10 years now, if a critical file in the OS is replaced with an unrecognized version, the device upon boot would ask for you to insert the original CD. Windows then would replace the compromised file with the correct one. So if your ISO gets compromised, unless completely replaced with something that looks like Windows and acts like Windows, you'll run into their OS verification.

WRT Stuxnet: I've seen 2 posts about that recently. That case was a particularly unique one. Although no one's taking credit for it (many suspect that it was the US and/or Israel, but no one knows), it was targeted against a very specific thing - the Iranian nuclear program. I wouldn't worry as much about that as I would about users doing things they shouldn't do. Your risks from users and generic malware are MUCH higher than from something like Stuxnet.

baldPrussian
  • I mention that because Stuxnet is old. I can only imagine what is in the most recent kit that was leaked. I worry that they might want to target people installing an OS from scratch. – LateralTerminal Nov 13 '17 at 22:37
  • You said, "if a critical file in the OS is replaced with an unrecognized version, the device upon boot would ask for you to insert the original CD." Is that really true? How do programs like nLite work (http://www.nliteos.com/download.html) then? And what about Windows machines that come with modified versions of Windows already, e.g. including the brand logo and some drivers on the iso itself? Sorry if the answer is more obvious than I think – LateralTerminal Nov 13 '17 at 22:40
  • The feature is called Windows File Protection (now Windows Resource Protection) and is available since Windows 2000. More info is available here: https://en.wikipedia.org/wiki/Windows_File_Protection. I'm not familiar with nLite, sorry. Drivers and branding aren't critical system files, and MS only allows branding to go so far. – baldPrussian Nov 14 '17 at 00:11
  • nLite for Windows XP and RT7Lite for Windows 7 let you create a custom iso of Windows with custom screensavers, themes, wallpaper, logon screen, gadgets, documents, sample music, media sounds, etc. I've also downloaded custom versions of Windows 7 that had extra programs installed. – LateralTerminal Nov 14 '17 at 14:02
  • So I figure if you can add extra programs to a Windows iso, what is stopping people from adding a virus? I just don't see how Windows File Protection helps against that. It seems like there is an easy way around it. – LateralTerminal Nov 14 '17 at 14:32
  • You're going down a rabbit hole here. Let's get back to your initial question. Can an ISO from MS be 100% safe? NO, nothing ever is 100% safe and anyone asking for that kind of guarantee has unrealistic expectations. But, if you download it to an uncompromised system and it's directly from Microsoft, the odds are highly in your favor that it's safe. That's about as good a guarantee as you can realistically get. – baldPrussian Nov 14 '17 at 14:54