Further, the security advisory states, "Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows."
Oddly, the certificates being revoked are:
- Microsoft Enforced Licensing Intermediate PCA (2 certificates)
- Microsoft Enforced Licensing Registration Authority CA (SHA1)
These actually belong to Microsoft!
Further information on Microsoft's security blog assists with the story.
We recently became aware of a complex piece of targeted malware known as "Flame" and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware. That said, our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks. Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers.
We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft. We identified that an older cryptography algorithm could be exploited and then be used to sign code as if it originated from Microsoft. Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.
We are taking several steps to remove this risk:
• First, today we released a Security Advisory outlining steps our customers can take to block software signed by these unauthorized certificates.
• Second, we released an update that automatically takes this step for our customers.
• Third, the Terminal Server Licensing Service no longer issues certificates that allow code to be signed.
These actions will help ensure that any malware components that might have been produced by attackers using this method no longer have the ability to appear as if they were produced by Microsoft.
Read on for some analysis of the issue.
"The discovery of a bug that's been used to circumvent Microsofts secure code certificate hierarchy is a major breach of trust, and it's a big deal for every Microsoft user. It also underscores the delicate and problematic nature of the trust models behind every Internet transaction."
One might say, "Flame won't affect me, I don't need this patch;" but that most certainly isn't the point. Now that the method is known to the bad guys, all kinds of new malware will take advantage of it, if it hasn't already.
More importantly, as iTWire wrote previously, Flame has been in the wild for at least 2 years (possibly as long as 5 years), yet this vulnerability has not been identified in all that time.
As Andrew Storms observes, "A bug that can identify a piece of malware as legitimate is not something an average malware writer would have been able to sit on for long - it's worth far too much on the black market. The fact that this bug has been kept secret for at least 18 months, and quite possibly longer, is clear evidence that there is a nation state behind Flame."
iTWire strongly recommends this patch be applied as soon as possible (note, a reboot is probably required).