HUGE Microsoft security FAIL helped Flame virus spread
June 5, 2012 - 6:07 A.M.
The Flame (aka Flamer) virus managed to pass itself off as a legitimate Windows update package. As a result, Microsoft (NASDAQ:MSFT) has revoked some of its own digital certificates. It also appears that the malware authors employed some highly sophisticated means to cover their tracks. In IT Blogwatch, bloggers see the plot thickening.
By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Possibly the most anti-social Improv Everywhere yet...
Gregg Keizer reports:
The weekend emergency
update for all versions of Windows...was unusual, perhaps hinting at the
seriousness of the flaw. ... Microsoft's Terminal Services licensing
certificate authority (CA)...allowed attackers to generate digital certificates
that could be used to "sign"...code in Flame.
...
The end result: Parts of Flame appeared...[to be] signed by Microsoft itself. ... The "out-of-band" update can be downloaded...via the Microsoft Update...Windows Update [and] Windows Server Update Services.

Tim Greene adds:
Terminal Services Licensing
Service provided certificates that [could] sign code as if it came from
Microsoft.
...
Chains of intermediate CAs can lead back to a trusted root. ... [D]evices attempt to follow those chains to establish authenticity. ... Weaknesses in this...system were exploited repeatedly...[leading] to repeated calls for a new authentication system.

How could this happen? Microsoft's Jonathan Ness 'splains:
[C]ertificates issued by
our Terminal Services licensing [CA], which are intended to only be used for
license server verification, could also be used to sign code. ... [W]hen an
enterprise customer requests a...license, the certificate issued by
Microsoft...allows code signing without accessing Microsoft’s internal PKI
infrastructure.
...
Components of the Flame malware were signed with a certificate that chained...to the Microsoft Root Authority. ... Such a certificate could...allow attackers to sign code that validates as having been produced by Microsoft.
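
The point Ness makes is that "chains to a trusted root" is not the same as "is allowed to sign code": the purpose a certificate (and every CA above it) was issued for has to be checked at each link. The following is an added example, not Microsoft's code or code from any of the quoted bloggers. It is a constructed toy model in Python: there are no real keys or signatures, an "issued by" relationship is modelled as an issuer-name match, the EKU values are plain strings, and the PKI (a root, a licensing-only intermediate, a product-signing intermediate and their leaves) is invented to mirror the situation described above. It compares three verifier policies on the same chain.

```python
"""Toy chain validation: why Extended Key Usage (EKU) must be enforced at
every link of a chain, not only by finding a path to a trusted root.

Added example (not Microsoft's code, not from the quoted authors). All
certificates, names and EKU labels are constructed; no cryptography runs.
"""

from dataclasses import dataclass

CODE_SIGNING = "codeSigning"
LICENSE_VERIFICATION = "licenseServerVerification"  # constructed label


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str            # equals subject for a self-signed root
    is_ca: bool
    ekus: frozenset = frozenset()   # empty set = unrestricted (any purpose)

    def permits(self, purpose):
        return not self.ekus or purpose in self.ekus


# Constructed PKI: one root, a licensing intermediate restricted to license
# verification, a product signing intermediate, and leaves under each.
ROOT = Cert("Example Root CA", "Example Root CA", True)
LICENSING_CA = Cert("Example Licensing CA", "Example Root CA", True,
                    frozenset({LICENSE_VERIFICATION}))
PRODUCT_CA = Cert("Example Product Signing CA", "Example Root CA", True,
                  frozenset({CODE_SIGNING}))
LICENSE_LEAF = Cert("Enterprise License Server", "Example Licensing CA",
                    False, frozenset({LICENSE_VERIFICATION}))
# A leaf under the licensing CA that *claims* code signing in its own EKU:
# this is what a requester who controls the request would ask for.
FLAME_LIKE_LEAF = Cert("Unexpected Code Signer", "Example Licensing CA",
                       False, frozenset({CODE_SIGNING}))
PRODUCT_LEAF = Cert("Example Product Signer", "Example Product Signing CA",
                    False, frozenset({CODE_SIGNING}))
ROGUE_LEAF = Cert("Rogue Signer", "Nobody CA", False, frozenset({CODE_SIGNING}))

STORE = {c.subject: c for c in (ROOT, LICENSING_CA, PRODUCT_CA)}
TRUSTED_ROOTS = {ROOT}


def build_chain(leaf, store=STORE):
    """Follow issuer links from the leaf up to a self-signed certificate.
    Returns the chain leaf-first, or None if an issuer is missing or the
    walk loops."""
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].issuer != chain[-1].subject:
        parent = store.get(chain[-1].issuer)
        if parent is None or parent.subject in seen:
            return None
        seen.add(parent.subject)
        chain.append(parent)
    return chain


def validate(leaf, purpose, eku_check="chain", trusted=TRUSTED_ROOTS):
    """Return True if `leaf` may be used for `purpose` under a policy:
      "none"  - path to a trusted root plus CA flags on intermediates only
      "leaf"  - additionally the leaf's own EKU must permit the purpose
      "chain" - every certificate in the path must permit the purpose
                (an unrestricted certificate permits everything)
    Only "chain" rejects a code-signing leaf hanging off a licensing-only
    intermediate, which is the gap described above."""
    if eku_check not in ("none", "leaf", "chain"):
        raise ValueError(eku_check)
    chain = build_chain(leaf)
    if chain is None or chain[-1] not in trusted:
        return False
    if any(not c.is_ca for c in chain[1:]):
        return False
    if eku_check == "leaf" and not leaf.permits(purpose):
        return False
    if eku_check == "chain" and any(not c.permits(purpose) for c in chain):
        return False
    return True


if __name__ == "__main__":
    for name, leaf in (("license leaf", LICENSE_LEAF),
                       ("flame-like leaf", FLAME_LIKE_LEAF),
                       ("product leaf", PRODUCT_LEAF),
                       ("rogue leaf", ROGUE_LEAF)):
        print(name, {p: validate(leaf, CODE_SIGNING, p)
                     for p in ("none", "leaf", "chain")})
```

Running it shows the product leaf accepted for code signing under all three policies, the rogue leaf rejected under all three, and the flame-like leaf accepted by the "none" and "leaf" policies but rejected once the licensing intermediate's EKU is checked as part of the chain.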

Mikko H. Hypponen calls it "the nightmare scenario":
About 900 million Windows
computers get their updates from Microsoft. ... The fix is available via — you
guessed it — Microsoft Update.
...
Having a Microsoft code signing certificate is the Holy Grail of malware writers. ... I guess the good news is that this wasn't done by cyber criminals interested in financial benefit.

But hang on, surely Microsoft could trace who requested the license? Dan Goodin says no:
Details of the
"cryptographic collision attack"...are the latest testament to the
skill and sophistication that went into...Flame.
...
One possible theory—advanced by Nate Lawson...[is] the collision attack gave them the ability to hide their identity. ... To carry out such a feat...first have Microsoft sign some...data that was known to create a collision...then use that data in the malicious certificate.
...
[C]ollision attacks are extremely rare. ... [So] whoever was behind the malware had [huge] resources.
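
The mechanism behind Lawson's theory is that a signature covers the hash of the to-be-signed data, not the data itself, so a second input with the same hash inherits the signature and the signer never sees it. The following is an added example, not code from Goodin, Lawson or any real attack. It is a constructed Python model: the "certificate hash" is MD5 truncated to 24 bits (a stand-in for the weakness in the real hash, so the search finishes instantly), the "CA signature" is an HMAC under a secret the CA holds (a stand-in for a real signature), and the two prefixes and the suffix search are invented. The search is the chosen-prefix form, since the benign request and the malicious certificate must differ in exactly the fields the signer would otherwise notice.

```python
"""Signature transplant via a hash collision, with a deliberately weakened
hash so a chosen-prefix collision can be found by brute force.

Added example (not from the quoted authors or any real attack). The toy
digest, the HMAC "signature", the prefixes and the suffix search are all
constructed for illustration.
"""

import hashlib
import hmac
import itertools

TOY_BITS = 24   # constructed weakness: real collision finding costs far more


def toy_digest(data: bytes) -> bytes:
    """MD5 truncated to TOY_BITS bits: the hash the toy CA signs over."""
    return hashlib.md5(data).digest()[: TOY_BITS // 8]


# --- the CA: signs the digest of whatever to-be-signed bytes it is handed ---
CA_SECRET = b"constructed-ca-secret"   # stands in for the CA's private key


def ca_sign(tbs: bytes) -> bytes:
    return hmac.new(CA_SECRET, toy_digest(tbs), "sha256").digest()


def verify(tbs: bytes, sig: bytes) -> bool:
    expected = hmac.new(CA_SECRET, toy_digest(tbs), "sha256").digest()
    return hmac.compare_digest(expected, sig)


# --- the attacker: two chosen prefixes, then suffixes that make them collide ---
BENIGN_PREFIX = b"purpose=license-server-verification;subject=Enterprise License Server;"
MALICIOUS_PREFIX = b"purpose=code-signing;subject=Trusted Update Signer;"


def find_chosen_prefix_collision(p1: bytes, p2: bytes):
    """Birthday search: returns (s1, s2) such that
    toy_digest(p1 + s1) == toy_digest(p2 + s2). Deterministic suffixes so
    the result is reproducible; expected work is about 2**(TOY_BITS/2)."""
    seen1, seen2 = {}, {}        # digest -> suffix, per prefix
    for i in itertools.count():
        s = i.to_bytes(4, "big")
        d1 = toy_digest(p1 + s)
        if d1 in seen2:
            return s, seen2[d1]
        seen1[d1] = s
        d2 = toy_digest(p2 + s)
        if d2 in seen1:
            return seen1[d2], s
        seen2[d2] = s


def run_attack():
    """Get the benign request signed, then reuse that signature on the
    malicious certificate the CA never saw."""
    s1, s2 = find_chosen_prefix_collision(BENIGN_PREFIX, MALICIOUS_PREFIX)
    benign = BENIGN_PREFIX + s1
    malicious = MALICIOUS_PREFIX + s2
    sig = ca_sign(benign)                 # the only thing the CA ever signs
    return {
        "inputs_differ": benign != malicious,
        "digests_collide": toy_digest(benign) == toy_digest(malicious),
        "benign_verifies": verify(benign, sig),
        "malicious_verifies": verify(malicious, sig),
    }


if __name__ == "__main__":
    print(run_attack())
```

What the CA's records show is only the benign, license-flavoured request, which is exactly the identity-hiding property described above; the code-signing certificate that actually verifies was never presented to it. The real attack needs a much stronger collision-finding method than this birthday search, which is why the passage treats the collision as evidence of unusual resources.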