
Emergency Windows patch stops Flame malware from spoofing Microsoft security certificate

Analysis
Jun 04, 2012 · 4 mins
Data and Information Security, Malware, Microsoft

Microsoft issued a security advisory and emergency patch on Sunday after discovering Flame malware components were signed by a spoofed 'trusted' Microsoft digital certificate.

Microsoft released an emergency Windows update last night after discovering that components of the cyber-espionage Flame malware could trick customers by spoofing one of Microsoft’s trusted digital signatures. The security advisory states, “Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.”

Most customers are not at risk of such a highly targeted attack, but issuing the security advisory was Microsoft’s first step to protect customers. The second step was to release a patch that blocks the spoofed Microsoft certificate. Lastly, Microsoft’s Terminal Server Licensing Service will no longer issue digital certificates that allow code to be signed; this should remove attackers’ ability to abuse Microsoft-issued certificates to spread Flame.


Microsoft Security Response Center Senior Director Mike Reavey wrote on the MSRC blog:

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

The emergency Windows update is the latest revelation about the sophisticated Flame malware, which has held the cybersecurity world mesmerized since its discovery. On the heels of finding Flame, a report came out which confirmed that America and Israel created Stuxnet. After 18 months of interviewing intelligence officials, David Sanger of the New York Times revealed that the George W. Bush administration authorized the cyber weapon program codenamed Olympic Games; President Obama continued it and increased cyberattacks on Iran.

Officials claim the Flame cyber weapon was not part of Olympic Games. ABC News attempted to find out if the USA created Flame, but the NSA, CIA, DOD and State Department “either declined to comment or referred ABC News to the Department of Homeland Security. The DHS said in a statement it was analyzing Flame to determine its impact on the U.S. but refused to comment on whether the U.S. had a hand in its creation.”

As research, revelation and speculation continue, Microsoft summarized its findings on the connection to the 20MB Flame malware as follows:

Components of the Flame malware were signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority, and ultimately, to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service that we operate to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without this update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.

As is implied by Microsoft releasing the emergency Windows update on Sunday, please update immediately.
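As an added example (not code from the article or from Microsoft), a PowerShell check a Windows administrator can run after updating: it looks in the machine’s Untrusted Certificates store for certificates whose subject names the licensing intermediate quoted above, and flags signed binaries under a given path whose Authenticode chain passes through it. Matching is by subject name only; the article gives no thumbprints, so none are assumed.

```powershell
# Added example, not from the article or Microsoft. Subject-name matching only:
# the article names the intermediate but gives no thumbprints, so none are assumed.
$pattern = 'Microsoft Enforced Licensing'

function Test-LicensingCertBlocked {
    # The update takes effect by placing the offending certificates in the
    # machine-wide Untrusted Certificates store (Cert:\LocalMachine\Disallowed).
    $blocked = @(Get-ChildItem Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like "*$pattern*" })
    [pscustomobject]@{
        UpdateEffectPresent = ($blocked.Count -gt 0)
        BlockedSubjects     = $blocked | ForEach-Object Subject
    }
}

function Find-LicensingSignedBinaries {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll,*.sys,*.ocx -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate) {
                # Rebuild the signer's chain so every intermediate can be inspected.
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline triage; trust status is what matters here
                $null = $chain.Build($sig.SignerCertificate)
                $hit = $chain.ChainElements | Where-Object { $_.Certificate.Subject -like "*$pattern*" }
                if ($hit) {
                    [pscustomobject]@{
                        File   = $_.FullName
                        Status = $sig.Status          # 'NotTrusted' once the update is applied
                        Signer = $sig.SignerCertificate.Subject
                        Via    = ($hit | ForEach-Object { $_.Certificate.Subject }) -join '; '
                    }
                }
            }
        }
}

Test-LicensingCertBlocked
Find-LicensingSignedBinaries -Path "$env:SystemDrive\" | Format-Table -AutoSize
```

A hit with Status other than NotTrusted means the blocking certificates have not reached that host yet and the file deserves a closer look.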


Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.