DecryptedTech

Sunday, 05 February 2023

Flame Was Using Subverted Microsoft Certificates To Infect Systems; Microsoft Issues a Patch to Correct This.



We told you about the new malware threat in Iran (and some other Middle Eastern countries). This is a new and very sophisticated bit of spyware that appears designed to gather intelligence about the state of Iran’s nuclear program. Kaspersky discovered the worm after being asked to check some systems that appeared to be acting strangely. This investigation led to the discovery of Flame and the identification of some 20 plug-ins for the malware that can do everything from capturing screens to turning on a system’s microphone to record anything around the system. It is also able to record VoIP communication through applications like Skype.

Now it has come to light that the developers used Microsoft certificates to sign their applications and make them appear legitimate. This could have allowed the installers and plug-ins to slip by malware detection routines and also some of the built-in features of Windows that require code signing.

According to Microsoft, the people responsible for Flame were able to break an older cryptographic algorithm, which allowed them to sign the code as if it were from Microsoft. According to Microsoft’s Security Advisory 2718704, it appears that the developers of Flame might have used the Terminal Server Licensing Service to gain access to the older algorithm.

Microsoft has already issued a patch that will revoke the root issuing authority that Terminal Server Licensing Services had. This will prevent someone from using that service or cryptographic algorithm to sign code. That is, if people run the update. For those of you interested the update in question is KB2718704 and shows up as simply Update for Windows 7 for x64-based Systems (KB2718704).

Update for Windows 7 for x64-based Systems (KB2718704)

Download size: 91 KB

You may need to restart your computer for this update to take effect.

Update type: Important

Install this update to resolve an issue which requires an update to the certificate revocation list on Windows systems and to keep your systems certificate list up to date. After you install this update, you may have to restart your system.

More information:
http://support.microsoft.com/kb/2718704

Help and Support:
http://support.microsoft.com

We saw this pop up on all of our systems this morning and have already applied the patch to them. We highly recommend that you add this patch in to ensure that someone else does not try to use the same attack vector that the authors of Flame did. It was very irresponsible for Microsoft to allow this extended functionality on an internal licensing service (allowing a root authority to sign the certificates).
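An added check, not part of the original article, for confirming that the patch described above actually landed on a machine. It assumes the update is listed by Get-HotFix under the ID KB2718704 and that the revoked licensing certificates carry the word "Licensing" in their Subject; that Subject match is a heuristic assumption, not a value taken from the article.

```powershell
# Added example (not from the article): verify that KB2718704 is present and that
# the revoked Terminal Server Licensing certificates were placed in the machine's
# Disallowed (Untrusted Certificates) store, which Windows consults before
# trusting any chain, code-signing chains included.
# Assumptions: Get-HotFix reports the update as "KB2718704"; the revoked
# certificates contain "Licensing" in their Subject (heuristic match).
function Test-Kb2718704Applied {
    [CmdletBinding()]
    param()

    $kb = Get-HotFix -Id 'KB2718704' -ErrorAction SilentlyContinue

    # Certificates pushed to the untrusted store by the update.
    $revoked = @(Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Where-Object { $_.Subject -like '*Licensing*' })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        HotfixInstalled     = [bool]$kb
        InstalledOn         = if ($kb) { $kb.InstalledOn } else { $null }
        RevokedLicensingCAs = $revoked | ForEach-Object { $_.Subject }
        # Compliant only when both the update and the revocations are present.
        Compliant           = ([bool]$kb) -and ($revoked.Count -gt 0)
    }
}

Test-Kb2718704Applied | Format-List
```

On systems that receive untrusted-certificate updates automatically, Get-HotFix may not list the KB even though the certificates are already in the Disallowed store, so treat the store contents as the more reliable signal.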

Most of the time you have to go through quite a bit to become a trusted root or intermediate certificate authority; this is to hopefully ensure that you do not abuse it and that you safeguard it to prevent unauthorized certificates from being pushed out. We expect that this will be something of a wakeup call for Microsoft and many corporations to make sure they have not been left open.

Right now the biggest concern is the potential to subvert Microsoft Update. If someone has been able to spoof certificates that appear to be signed by Microsoft there is not much to stop them from redirecting traffic to a compromised server that appears to be Windows Update. If this happened it would allow someone to push out malware at will and also to download information collected from the target system (all with the same bit of malware). Although this is not a likely scenario it is something that Microsoft will want to check and take steps to prevent sooner rather than later.

Forging or compromising certificates and signing authorities is becoming more and more common these days. It has made more than a few analysts wonder if the system is not in serious need of an overhaul to ensure better security.


Last modified on Monday, 04 June 2012 15:21
