Microsoft will update Windows Update to stymie Flame-like attacks
Expert knocks the company for vague description of how it plans to 'harden' crucial Windows Update service
Computerworld - Microsoft today announced it will issue an update to its Windows Update to prevent copy-cat hackers from duplicating Flame's feat of infecting fully-patched PCs by faking the service.
The company also described in more detail how Flame's authors were able to spoof Windows Update.
On Sunday, Microsoft acknowledged that Flame -- the super-espionage toolkit that has infected Windows PCs throughout the Middle East, but appears to have been aimed at Iran in particular -- used fraudulent code-signing certificates generated by abusing the company's Terminal Services licensing certificate authority (CA), which is normally used by enterprises to authorize remote desktop services and sessions.
Later, Microsoft also confirmed that those certificates were used to sign bogus updates, which a Flame-compromised computer then pushed to uninfected PCs on the same network.
Researchers at Kaspersky Lab and Symantec used their forensics analyses to more completely describe how Flame managed the feat.
Today, Microsoft said that Flame was able to trick Windows XP machines into accepting the phony Windows Updates once the attackers had generated digital certificates carrying Microsoft's own "signature."
But to dupe Windows Vista and Windows 7 systems, the hackers had to go a step further.
To do that, they leveraged several weaknesses in Microsoft's certificate infrastructure and signing process to perform a cryptographic "collision attack," in which two different inputs produce the same cryptographic "hash."
Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), explained the results.
"After [the collision] attack, the attacker had a certificate that could be used to sign code that chained up to the Microsoft Root Authority and worked on all versions of Windows [emphasis added]," Ness wrote today on the Security Research & Defense blog.
The combination of the flaws in the Terminal Services' CA and the collision attack made it possible for Flame to hoodwink Windows Vista and Windows 7 PCs as well as those running the 11-year-old XP.
Microsoft's Windows Update team also blogged Wednesday to explain how it plans to better secure Windows' default update mechanism, which is used by hundreds of millions of PCs worldwide, to prevent a repeat of the Flame tactic.
An update for Windows Update will be pushed to users later this week that will force the service to accept only certificates issued by a new, dedicated authority the company will create; it will no longer accept other Microsoft-signed digital signatures, as it has done since its inception.
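As an added illustration (not Microsoft's code and not the real Windows Update logic), here is a simplified trust-policy model of the change described above: under the old rule, any code-signing certificate that chains to the Microsoft root passes, so a certificate minted through the abused licensing CA is accepted; under the pinned rule, only certificates issued directly by the dedicated update authority pass. The names `WU_CA` and "Terminal Services Licensing CA", the sample chain, and the weak-hash list are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified certificate: only the fields the trust decision needs.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ekus: frozenset = field(default_factory=frozenset)  # extended key usages
    sig_hash: str = "sha256"                             # hash used in the signature

MS_ROOT = "Microsoft Root Authority"
WU_CA = "Microsoft Windows Update CA"     # placeholder name for the new dedicated authority
WEAK_HASHES = {"md5", "sha1"}             # assumption: hashes considered collision-prone

def chain_to_root(leaf, store):
    """Follow issuer links up to a self-signed cert; return [] if a link is missing."""
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject:
        cur = store.get(cur.issuer)
        if cur is None:
            return []
        chain.append(cur)
    return chain

def accepted_before(leaf, store):
    """Old policy: any code-signing cert that chains to the Microsoft root is trusted."""
    chain = chain_to_root(leaf, store)
    return bool(chain) and chain[-1].subject == MS_ROOT and "codeSigning" in leaf.ekus

def accepted_after(leaf, store):
    """Hardened policy: the signer must be issued by the dedicated update CA, carry the
    code-signing EKU, chain to the Microsoft root, and use no weak hash anywhere."""
    chain = chain_to_root(leaf, store)
    if not chain or chain[-1].subject != MS_ROOT:
        return False
    if leaf.issuer != WU_CA or "codeSigning" not in leaf.ekus:
        return False
    return all(c.sig_hash not in WEAK_HASHES for c in chain)

# Constructed sample store: the root, the licensing CA that was abused (it could issue
# code-signing certs), the new update CA, and one leaf certificate from each.
ROOT = Cert(MS_ROOT, MS_ROOT)
TS_CA = Cert("Terminal Services Licensing CA", MS_ROOT, frozenset({"codeSigning"}))
UPD_CA = Cert(WU_CA, MS_ROOT)
STORE = {c.subject: c for c in (ROOT, TS_CA, UPD_CA)}
FORGED = Cert("Flame signer", TS_CA.subject, frozenset({"codeSigning"}), "md5")
LEGIT = Cert("Update signer", WU_CA, frozenset({"codeSigning"}))
```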
"Second, we are strengthening the communication channel used by Windows Update in a similar way," the blog stated.
Companies that use Windows Server Update Services (WSUS), a Windows Server component and the de facto patching and update mechanism for most businesses, will be updated in a similar fashion.