Chapter 1 – Introduction

The intricacies of WUDO (Windows Update Delivery Optimization).


This set of blog posts was created following extensive research that I conducted on Windows Updates Delivery Optimization (WUDO – or more simply: DO). In these posts, I will lead you through the entire research process, and share some of the guidelines we follow during a research project.

Back when I was a junior researcher, I aspired to constantly improve, and learn new techniques – but I barely found any guides to use that could contribute to my own investigations. Usually, research papers display a final impressive result, without showing how that result was achieved. On the one hand, this is understandable, as research is more of an art than a science, and some processes and practices can be hard to quantify; but on the other hand, we would like to do better: we would like to create research-based articles that can really serve other researchers.

I wrote these articles to portray the nuances involved in this kind of work, and to tell the story of my research. These articles explain my thought processes at the time, show the different options I explored, and don’t try to hide the attempts and directions that were ultimately fruitless.

It is my hope that these articles will give you a glimpse into our approach to such projects and inspire you in your own research.

Do overview

According to Microsoft, “Windows updates, upgrades, and applications can contain packages with large files … Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers”. 

In other words, Delivery Optimization is a method that Windows machines use to download updates from other Windows machines in the same network or on the internet, instead of directly from Microsoft servers.

We were intrigued by this method, and wanted to understand how Microsoft designed such a system – especially given that it seems to be prone to security issues, and reveals a new potential attack surface. We decided to research Delivery Optimization for two primary reasons: to gain a greater understanding of the mechanism, and to search for security implications and vulnerabilities.


Before we get started, I have a confession to make … even as a vulnerability researcher, I too am occasionally tempted to press the snooze button on Windows updates (until the IT department forces a restart of my machine). In a way, it doesn’t matter how much awareness you have of the destructive potential of vulnerabilities inherent in unpatched operating systems – who has the time or energy to close all of their open programs? After running out of delay options and finally succumbing to a Windows update on my home computer, I discovered a section named ‘Delivery Optimization’ that caught my attention:

Windows 10 Settings
Figure 1 – Windows 10 Settings

Surprisingly, the details of this section state that updates and installations can be downloaded from other machines in my local network:

Delivery Optimization settings
Figure 2 – Delivery Optimization settings

Delving into the settings, you can even see statistics about DO bandwidth:

Delivery Optimization advanced options
Figure 3 – Delivery Optimization advanced options

Why do?

Research projects tend to be medium- to long-term projects, ranging from several weeks to multiple months. For this reason, it is crucial to choose worthwhile topics before you become too committed to your chosen research topic.

Delivery optimization raises a number of fascinating questions, and has great potential for vulnerabilities and impact. Some of the questions we formulated were:

  • How does this feature work?
  • Can I remotely access the update status, and thus detect CVE patching?
  • Can I send malicious updates to unsuspecting peers?
  • How is the network protocol implemented? Does it avoid the memory corruption and logical vulnerabilities from which such protocols tend to suffer?

We realized that this mechanism could be an extremely powerful attack vector. Taking into consideration the knowledge we gained about it so far, we decided to pour our resources into dissecting DO.

Microsoft documentation

Microsoft has excellent high-level documentation about DO.

Life is too short for man pages, but occasionally much too short without them
Figure 4 – Life is too short for man pages, but occasionally much too short without them.[1]

But we won’t pointlessly redocument all the available resources on the subject; if you would like to learn more, I recommend these articles:

Spoiler alert

The following diagram shows a communication record that we sniffed between two peers conducting a file exchange. You probably have many questions about the flow, and protocol specifications; don’t worry, in the following chapters we’ll give a detailed explanation of how we unveiled the DO protocol, provide full specifications, and explore its possibilities.

DO Protocol
Figure 5 – DO Protocol

What next?

I hope that this brief introduction to Delivery Optimization has piqued your interest. Personally, at this stage, I was thrilled to check out the mechanism.

In the following chapters, we’ll delve into the research, focusing on another subject in each chapter:

These will be released in the near future, along with technical guides of some of the technologies and techniques used in the research. I encourage you to jump to the following black box chapter, which is released together with this introduction chapter.

subsctibe decor
Want to get in touch?