Microsoft will update Windows Update to stymie Flame-like attacks
Expert knocks the company for vague description of how it plans to 'harden' crucial Windows Update service
Computerworld - Microsoft today announced it will issue an update to its Windows Update to prevent copy-cat hackers from duplicating Flame's feat of infecting fully-patched PCs by faking the service.
The company also described in more detail how Flame's authors were able to spoof Windows Update.
On Sunday, Microsoft acknowledged that Flame -- the super-espionage toolkit that has infected Windows PCs throughout the Middle East, but appears to have been aimed at Iran in particular -- used fraudulent code-signing certificates generated by abusing the company's Terminal Services licensing certificate authority (CA), which is normally used by enterprises to authorize remote desktop services and sessions.
Later, Microsoft also confirmed that those certificates were used to sign bogus updates that were force-fed uninfected PCs by a Flame-compromised computer on the same network.
Researchers at Kaspersky Lab and Symantec used their forensics analyses to more completely describe how Flame managed the feat.
Today, Microsoft said that Flame was able to trick Windows XP machines into accepting the phony Windows Updates once they generated digital certificates with Microsoft's own "signature."
But to dupe Windows Vista and Windows 7 systems, the hackers had to go a step further.
To do that, they leveraged several weaknesses in Microsoft's certificate infrastructure and signing to perform a cryptographic "collision attack," where two different values produce the same cryptographic "hash."
Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), explained the results.
"After [the collision] attack, the attacker had a certificate that could be used to sign code that chained up to the Microsoft Root Authority and worked on all versions of Windows [emphasis added]," Ness wrote today on the Security Research & Defense blog.
The combination of the flaws in the Terminal Services' CA and the collision attack made it possible for Flame to hoodwink Windows Vista and Windows 7 PCs as well as those running the 11-year-old XP.
Microsoft's Windows Update team also blogged Wednesday to explain how it plans to better secure Windows' default update mechanism, which is used by hundreds of millions of PCs worldwide, to prevent a repeat of the Flame tactic.
An update for Windows Update will be pushed to users later this week that will force the service to acknowledge only certificates issued from a new authority the company will create, and no longer accept other Microsoft-signed digital signatures, as it has since its inception.
"Second, we are strengthening the communication channel used by Windows Update in a similar way," the blog stated.
Companies that use Windows Server Update Services (WSUS), a Windows Server component and the de facto patching and update mechanism for most businesses, will be updated in a similar fashion.
- DOJ's charges against China reframe security, surveillance debate
- Hacker indictments against China's military unlikely to change anything
- U.S. to formally accuse Chinese military of hacking
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts