HUGE Microsoft security FAIL helped Flame virus spread
June 5, 2012 - 6:07 A.M.
The Flame (aka Flamer) virus managed to pass itself off as a legitimate Windows update package. As a result, Microsoft (NASDAQ:MSFT) has revoked some of its own digital certificates. It also appears that the malware authors employed some highly sophisticated means to cover their tracks. In IT Blogwatch, bloggers see the plot thickening.
By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Possibly the most anti-social Improv Everywhere yet... 
Gregg Keizer reports:
The weekend emergency update for all versions of Windows...was unusual, perhaps hinting at the seriousness of the flaw. ... Microsoft's Terminal Services licensing certificate authority (CA)...allowed attackers to generate digital certificates that could be used to "sign"...code in Flame.
The end result: Parts of Flame appeared...[to be] signed by Microsoft itself. ... The "out-of-band" update can be downloaded...via the Microsoft Update...Windows Update [and] Windows Server Update Services.   
Tim Greene adds:
Terminal Services Licensing Service provided certificates that [could] sign code as if it came from Microsoft. 
Chains of intermediate CAs can lead back to a trusted root. ... [D]evices attempt to follow those chains to establish authenticity. ... Weaknesses in this...system have were exploited repeatedly...[leading] to repeated calls for a new authentication system.   

How could this happen? Microsoft's Jonathan Ness 'splains:
[C]ertificates issued by our Terminal Services licensing [CA], which are intended to only be used for license server verification, could also be used to sign code. ... [W]hen an enterprise customer requests a...license, the certificate issued by Microsoft...allows code signing without accessing Microsoft’s internal PKI infrastructure.
Components of the Flame malware were signed with a certificate that the Microsoft Root Authority. ... Such a certificate could...allow attackers to sign code that validates as having been produced by Microsoft.   

Mikko H. Hypponen calls it "the nightmare scenario":
About 900 million Windows computers get their updates from Microsoft. ... The fix is available via — you guessed it — Microsoft Update.
Having a Microsoft code signing certificate is the Holy Grail of malware writers. ... I guess the good news is that this wasn't done by cyber criminals interested in financial benefit.   

But hang on, surely Microsoft could trace who requested the license? Dan Goodin says no:
Details of the "cryptographic collision attack"...are the latest testament to the skill and sophistication that went into...Flame.
One possible theory—advanced by Nate Lawson...[is] the collision attack gave them the ability to hide their identity. ... To carry out such a feat...first have Microsoft sign that was known to create a collision...then use that data in the malicious certificate.
[C]ollision attacks are extremely rare. ... [So] whoever was behind the malware had [huge] resources.   


Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

Visualizing The Power Of The World's Supercomputers

BMW traps alleged thief by remotely locking him in car