HUGE Microsoft security FAIL helped Flame virus spread

The Flame (aka Flamer) malware managed to pass itself off as a legitimate Windows update package, carrying a signature that chained back to a Microsoft root. As a result, Microsoft (NASDAQ:MSFT) has revoked some of its own digital certificates. It also appears that the malware authors employed some highly sophisticated means to cover their tracks. In IT Blogwatch, bloggers see the plot thickening.  

By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Possibly the most anti-social Improv Everywhere yet...

Gregg Keizer reports:

The weekend emergency update for all versions of Windows...was unusual, perhaps hinting at the seriousness of the flaw. ... Microsoft's Terminal Services licensing certificate authority (CA)...allowed attackers to generate digital certificates that could be used to "sign"...code in Flame.

...

The end result: Parts of Flame appeared...[to be] signed by Microsoft itself. ... The "out-of-band" update can be downloaded...via the Microsoft Update...Windows Update [and] Windows Server Update Services.   

Tim Greene adds:

Terminal Services Licensing Service provided certificates that [could] sign code as if it came from Microsoft.

...

Chains of intermediate CAs can lead back to a trusted root. ... [D]evices attempt to follow those chains to establish authenticity. ... Weaknesses in this...system have been exploited repeatedly...[leading] to repeated calls for a new authentication system.   

How could this happen? Microsoft's Jonathan Ness 'splains:

[C]ertificates issued by our Terminal Services licensing [CA], which are intended to only be used for license server verification, could also be used to sign code. ... [W]hen an enterprise customer requests a...license, the certificate issued by Microsoft...allows code signing without accessing Microsoft’s internal PKI infrastructure.

...

Components of the Flame malware were signed with a certificate that chained...to the Microsoft Root Authority. ... Such a certificate could...allow attackers to sign code that validates as having been produced by Microsoft.   
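The chain-building problem Keizer, Greene and Ness describe above, as an added illustration (not code from the article, from the quoted bloggers or from Microsoft): a toy chain validator in Python that models a licensing CA whose customer certificates also carry the code-signing extended key usage (EKU). A validator that only inspects the leaf's EKU accepts such a certificate for signing code; the same validator rejects it once the licensing intermediate is placed in an untrusted list (which is what Microsoft's update does to the real intermediates), or once EKU is enforced along the whole chain. The CA names, the HMAC stand-in for real RSA signatures, and the exact EKU sets are assumptions of this model, not details taken from the Flame certificates.

```python
"""Toy X.509 chain validation with extended-key-usage (EKU) policy.

Added example, not code from the article or from Microsoft. Real certificate
signatures are RSA/ECDSA; here each CA "signs" with an HMAC keyed by a secret
only that CA holds, so the chain can be checked offline in a few lines.
CA names, keys and EKU sets below are illustrative assumptions.
"""
import hashlib
import hmac
import json

ANY_EKU = "anyExtendedKeyUsage"
CODE_SIGNING = "codeSigning"
LICENSE_VERIFICATION = "licenseServerVerification"  # stand-in name for the licensing-only usage


def _tbs(cert):
    """Canonical bytes of the to-be-signed fields (everything but the signature)."""
    fields = {k: cert[k] for k in ("subject", "issuer", "is_ca", "eku")}
    return json.dumps(fields, sort_keys=True).encode()


def _sign(issuer_key, cert):
    return hmac.new(issuer_key, _tbs(cert), hashlib.sha256).hexdigest()


def issue(issuer_key, issuer_name, subject, *, is_ca, eku):
    """Issue a certificate for `subject` signed with `issuer_name`'s key."""
    cert = {"subject": subject, "issuer": issuer_name, "is_ca": is_ca, "eku": sorted(eku)}
    cert["signature"] = _sign(issuer_key, cert)
    return cert


def _permits(eku, usage):
    """No EKU extension, or anyExtendedKeyUsage, means unrestricted."""
    return not eku or ANY_EKU in eku or usage in eku


def validate(chain, trusted_roots, ca_keys, usage, untrusted=frozenset(), nest_eku=False):
    """Validate chain[0] (leaf) ... chain[-1] (root) for `usage`. Returns (ok, reason).

    `untrusted` models an Untrusted Certificates store: a chain through any
    listed certificate is rejected. `nest_eku=True` additionally requires every
    issuing CA to permit the usage, not just the leaf.
    """
    leaf = chain[0]
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"] or not issuer["is_ca"]:
            return False, f"{cert['subject']}: issuer mismatch or issuer is not a CA"
        if not hmac.compare_digest(_sign(ca_keys[issuer["subject"]], cert), cert["signature"]):
            return False, f"{cert['subject']}: bad signature"
    if chain[-1]["subject"] not in trusted_roots:
        return False, f"{chain[-1]['subject']}: not a trusted root"
    for cert in chain:
        if cert["subject"] in untrusted:
            return False, f"chain passes through untrusted certificate {cert['subject']}"
    if not _permits(leaf["eku"], usage):
        return False, f"leaf EKU {leaf['eku']} does not permit {usage}"
    if nest_eku:
        for ca in chain[1:]:
            if not _permits(ca["eku"], usage):
                return False, f"issuer {ca['subject']} EKU {ca['eku']} does not permit {usage}"
    return True, "ok"


def build_demo():
    """Constructed sample PKI: one root, a licensing CA and a code-signing CA."""
    keys = {
        "Toy Root CA": b"root-secret",
        "Toy Licensing CA": b"licensing-secret",
        "Toy Code Signing CA": b"codesign-secret",
    }
    root = issue(keys["Toy Root CA"], "Toy Root CA", "Toy Root CA", is_ca=True, eku=[])
    licensing_ca = issue(keys["Toy Root CA"], "Toy Root CA", "Toy Licensing CA",
                         is_ca=True, eku=[LICENSE_VERIFICATION])
    codesign_ca = issue(keys["Toy Root CA"], "Toy Root CA", "Toy Code Signing CA",
                        is_ca=True, eku=[CODE_SIGNING])
    # The flaw modelled (an assumption of this toy): the licensing CA hands a
    # customer a leaf whose EKU set also includes codeSigning, so a validator
    # that only inspects the leaf accepts it for signing code.
    license_server = issue(keys["Toy Licensing CA"], "Toy Licensing CA", "Customer License Server",
                           is_ca=False, eku=[LICENSE_VERIFICATION, CODE_SIGNING])
    genuine_signer = issue(keys["Toy Code Signing CA"], "Toy Code Signing CA",
                           "Toy Windows Component Signer", is_ca=False, eku=[CODE_SIGNING])
    return keys, {
        "license_server": [license_server, licensing_ca, root],
        "genuine": [genuine_signer, codesign_ca, root],
    }


if __name__ == "__main__":
    keys, chains = build_demo()
    roots = {"Toy Root CA"}
    print("leaf-only policy:", validate(chains["license_server"], roots, keys, CODE_SIGNING))
    print("licensing CA untrusted:", validate(chains["license_server"], roots, keys, CODE_SIGNING,
                                             untrusted={"Toy Licensing CA"}))
    print("EKU nesting:", validate(chains["license_server"], roots, keys, CODE_SIGNING, nest_eku=True))
    print("genuine signer:", validate(chains["genuine"], roots, keys, CODE_SIGNING,
                                      untrusted={"Toy Licensing CA"}, nest_eku=True))
```

Run as a script, the first call reports the license-server certificate as valid for code signing, the next two reject it, and the genuine code-signing chain still validates under both hardened policies. The untrusted-list check is the cheap, immediate fix a vendor can ship in an update; EKU nesting is the structural one, because it stops any intermediate issued for a narrow purpose from ever minting certificates that pass a code-signing check.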

Mikko H. Hypponen calls it "the nightmare scenario":

About 900 million Windows computers get their updates from Microsoft. ... The fix is available via — you guessed it — Microsoft Update.

...

Having a Microsoft code signing certificate is the Holy Grail of malware writers. ... I guess the good news is that this wasn't done by cyber criminals interested in financial benefit.   

But hang on, surely Microsoft could trace who requested the license? Dan Goodin says no:

Details of the "cryptographic collision attack"...are the latest testament to the skill and sophistication that went into...Flame.

...

One possible theory—advanced by Nate Lawson...[is] the collision attack gave them the ability to hide their identity. ... To carry out such a feat...first have Microsoft sign some...data that was known to create a collision...then use that data in the malicious certificate.

...

[C]ollision attacks are extremely rare. ... [So] whoever was behind the malware had [huge] resources.   

   

And Finally...

Possibly the most anti-social Improv Everywhere yet    

 

Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch, for which he has won ASBPE and Neal awards. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can read Richi's full profile and disclosure of his industry affiliations.


Copyright © 2012 IDG Communications, Inc.

  