Security Market Segment LS
Tuesday, 05 June 2012 00:01

Urgent Microsoft patch to address Flame's entry-point


Tonight's out-of-cycle update will permit all current versions of Windows to close one of the holes Flame used to infect computers.

According to Microsoft's KB article, the patch addresses "Unauthorized digital certificates could allow spoofing."

Further, the security advisory states, "Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."

Oddly, the certificates being revoked are:

  • Microsoft Enforced Licensing Intermediate PCA (2 certificates)
  • Microsoft Enforced Licensing Registration Authority CA (SHA1)

These actually belong to Microsoft!

Further information on Microsoft's security blog assists with the story.

We recently became aware of a complex piece of targeted malware known as "Flame" and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.

We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

We are taking several steps to remove this risk:

• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.

• Second, we released an update that automatically takes this step for our customers.

• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.

These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft.

Read on for some analysis of the issue.

nCircle's director of security operations, Andrew Storms adds, "Microsoft took a rare step and issued a security advisory on a weekend, underscoring the importance and severity of this problem.

"The discovery of a bug that's been used to circumvent Microsofts secure code certificate hierarchy is a major breach of trust, and it's a big deal for every Microsoft user. It also underscores the delicate and problematic nature of the trust models behind every Internet transaction."

One might say, "Flame won't affect me, I don't need this patch;" but that most certainly isn't the point. Now that the method is known to the bad guys, all kinds of new malware will take advantage of it, if it hasn't already.

More importantly, as iTWire wrote previously, Flame has been in the wild for at least 2 years (possibly as long as 5 years), yet this vulnerability has not been identified in all that time.

As Andrew Storms observes, "A bug that can identify a piece of malware as legitimate is not something an average malware writer would have been able to sit on for long - it's worth far too much on the black market. The fact that this bug has been kept secret for at least 18 months, and quite possibly longer, is clear evidence that there is a nation state behind Flame."

iTWire strongly recommends this patch be applied as soon as possible (note, a reboot is probably required).


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.



Recent Comments